Cyberattack on Politicians: Security Is More Than Encryption

The wave of attacks targeting Signal and WhatsApp users has not only reached top-level politicians in Germany but also sparked confusion: while some speak of a “hack,” others blame the victims. Here’s why both takes fall short.

As reported by various media outlets last month, Signal and WhatsApp accounts belonging to high-ranking government officials were taken over in a large-scale phishing campaign.

It has now become clear that the scope of the attack is broader than initially assumed and that senior German politicians are also among the victims – most notably Bundestag President Julia Klöckner. The situation is considered serious enough that the Federal Office for Information Security (BSI) has published an official guidance document for Signal users this week.

Some news reports refer to the incident as a “Signal hack.” However, this characterization is not just misleading, it is incorrect. The attackers – allegedly Russian state actors – didn’t hack Signal. Instead, they impersonate Signal support and, under false pretenses, trick victims into disclosing a verification code.

Because no hacking is involved and Signal’s encryption remains intact, some commentators conclude that the responsibility ultimately lies with the victims.

However, this view is one-dimensional. The current incident shows that the security of a system cannot be reduced to the strength of its encryption; it also depends on other factors, in particular its architecture.

Core Issue: Phone Numbers Are Not a Solid Foundation

Systems that use phone numbers as unique identifiers offer the advantage that users can easily find each other on the platform. However, this approach not only rules out anonymous use from the outset but also comes with an indirect security weakness.

To verify that a user is registering their own phone number rather than someone else’s, they have to enter a verification code sent to that number.

Even if a user doesn’t share this code with anyone, the communication channel through which it is delivered cannot be considered secure. SMS messages are not end-to-end encrypted, and it’s not unheard of for hackers, let alone state actors, to gain access to the mobile network (for example, by exploiting weaknesses in protocols such as SS7).

For this reason, SMS is not well suited to establishing account identities – especially for individuals who are likely to be targeted by cyberattacks.

Mitigating Measures

Even if a system relies on phone numbers as unique identifiers, there are mechanisms that can mitigate, if not prevent, phishing attacks of this kind.

For example, in Threema, so-called “verification levels” indicate what type of contact a user is dealing with: unknown, known, or verified. If an unknown contact attempts to impersonate Threema Support, the incorrect verification level (one red dot) will make the impersonation apparent. Threema’s official support ID (*SUPPORT) is a verified contact marked with three green dots.

Another effective measure is to provide an option to block unknown contacts. If attackers are unable to contact potential targets in the first place, the attack vector is effectively eliminated.

Beyond that, it is worth considering whether services designed for personal use are the right choice for highly sensitive communication in institutional contexts. Instead, it may be more appropriate to use a dedicated enterprise tool that offers governance, policy enforcement, and user management. In government settings, a self-hosted solution that provides full control and complete data sovereignty may be even more fitting, as it can address a very wide range of security risks beyond phishing attacks.

Made in Switzerland © 2026 Threema GmbH.