
User Error Compromises Many Encrypted Communication Apps

Apps that aim to let you talk securely may be made less secure by users who screw up the authentication process.

Smartphone apps and special phones that aim to ensure secure communication may often find their security compromised by the users themselves, according to recent research.

The apps, which include RedPhone and Signal, may ask people calling or texting each other to verbally compare a short string of words they see on their screens (often referred to as a checksum or short authentication string) to make sure a new communication session hasn’t been breached by an intruder. The idea is that if a call’s security is compromised, these words won’t match up.

To test out how well this works, researchers at the University of Alabama at Birmingham set up a study that mimicked a cryptophone app. Participants used a Web browser to make a call to an online server. They then listened to a random two- or four-word sequence and determined whether it matched the words they saw on the computer screen in front of them. The participants were also asked to verify whether the voice they heard was the same as one they’d heard previously reading a short story.

The researchers found that study participants frequently accepted calls even if they heard the wrong sequence of words, and often denied calls when the sequence was spoken correctly. Beyond that, researchers say that using a four-word checksum instead of a two-word checksum seemed to decrease security, even though a longer checksum should increase security exponentially.

The researchers presented their work in a paper this month at a computer security conference in Los Angeles.

The study included 128 people, and Maliheh Shirvanian, the paper’s lead author and a graduate student at the University of Alabama at Birmingham, says that participants accepted an incorrect two-word string 30 percent of the time if it came from a voice properly verified as being one they’d heard previously. They also rejected two-word strings that were spoken correctly about 22 percent of the time.

In addition, the researchers noticed that participants accepted four-word strings that were incorrect about 40 percent of the time, and rejected ones that were correct 25 percent of the time.

Justin Troutman, a cryptographer who works at the encrypted-search startup Kryptnostic and has focused his work on the intersection of cryptography and user experience, says one reason people might accept incorrect checksums is that they consist of random words, rather than a sequence you’d see in a sentence. Users might tune out a bit when hearing them, especially if they recognize the speaker’s voice on the other end. With a higher number of words, they might tune out those in the middle, he adds.

In hopes of improving security, the researchers say they’re now working on a new study that considers how to use software to compare checksums, particularly longer ones, at the start of a secure call. As the researchers envision it, the participants in a call would speak their words aloud. Then software would transcribe the words and compare the two transcriptions. This way, the users would simply be validating that the voice on the other end sounds familiar, assuming they already know what the person they are talking to sounds like (which is, of course, not always going to be the case).
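As an added illustration, not code from the article or from the researchers, the following Python models the two mechanisms described above: deriving a short authentication string from session key material, and comparing a transcript of the words one party reads aloud against the other party's local string, so that a relay that gives each end a different key produces different strings. The word list, the key material and the "transcript" are constructed placeholders.

```python
import hashlib

# Constructed 256-entry word list; real apps ship a fixed, curated list.
WORDLIST = ["w%03d" % i for i in range(256)]


def sas_words(shared_secret, n_words):
    """Map session key material to n_words from WORDLIST.

    Each word consumes one byte of a SHA-256 digest, so each word carries
    8 bits and an n-word string has 256**n possible values."""
    digest = hashlib.sha256(b"SAS-v1|" + shared_secret).digest()
    return [WORDLIST[digest[i]] for i in range(n_words)]


def sas_space(n_words):
    """Number of distinct strings. An interposer who has to guess the
    string succeeds once per sas_space attempts, so four words are 65,536
    times harder than two only if users actually compare every word."""
    return len(WORDLIST) ** n_words


def normalize(transcript):
    """Case-fold and drop punctuation so a speech-to-text transcript of the
    spoken words can be compared mechanically with the local word list."""
    cleaned = "".join(c if c.isalnum() else " " for c in transcript.lower())
    return cleaned.split()


def verify(local_words, heard_transcript):
    """True only when every word the peer spoke matches the local string."""
    return list(local_words) == normalize(heard_transcript)


def simulate_call(alice_secret, bob_secret, n_words):
    """Direct call: both ends hold the same secret and the strings match.
    Interposed relay: each end shares a different secret with the attacker,
    so the strings differ and an attentive (or automated) check rejects."""
    alice_words = sas_words(alice_secret, n_words)
    # Bob reads his words aloud; stand-in for the transcription step.
    spoken_by_bob = ", ".join(sas_words(bob_secret, n_words)).upper()
    return verify(alice_words, spoken_by_bob)


# Constructed key material standing in for a real key agreement output.
K_DIRECT = b"\x11" * 32
K_ALICE_MITM = b"\x22" * 32
K_BOB_MITM = b"\x33" * 32
```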
