Dumb Human Errors Can Undermine the Security of Encrypted Communication Apps

By Jamie Condliffe on at

You might think that because you use an secure phone or encrypted messaging app like Signal your privacy is guaranteed. Sadly, you may have overestimated the abilities of the humans at each end, whose screw-ups when using the schemes can render them redundant.

Technology Review reports that experiments performed at the University of Alabama at Birmingham, US, which mimic the use of a cryptophone apps, show that humans can be the weak link in the encryption chain. A lot of secure apps, including Signal itself, can ask the users at either end to verbally compare a short string of words shown on-screen — which is known as a checksum — in order to check a line isn’t tapped. In theory, if the channel of communication is compromised, the words don’t match up.

The research team recreated that set-up, getting volunteers to take part in phone calls via a web browser. Its security was ensured by either a 2- or 4-word checksum, which the user had to listen to and ensure it matched what they saw on screen.

Sadly, the results don’t say much for human skills. The team found that the participants often carried on with calls when the sequence of words was wrong, accepting incorrect 2-word checksums 30 per cent of the time and 4-word checksums 40 per cent of the time. The participants also regularly hung up on calls when the checksum was correct, but that’s clearly far less damaging. The work was presented earlier this month at the Annual Computer Security Applications Conference.

The reason for human ineptitude is unclear, though it’s likely to do with the fact that the strings of words that get used are random. It’s easy enough to tune out when hearing a string of text such as “dog, waffle, boat, hat,” and perhaps just as easy enough to confuse it with “dog, waffle, hat, boat.” That may well account for the reason why 4-word checksums (which should in theory be far more secure than their 2-word counterpart) seems to make things even worse.

At any rate, the moral of the story is: your app or phone may be secure, but don’t necessarily assume that you or the human at the other end are. [Technology Review]

Image by Gajus/Shutterstock


Want more updates from Gizmodo UK? Make sure to check out our @GizmodoUK Twitter feed, and our Facebook page.