Dumb Human Errors Can Undermine the Security of Encrypted Communication Apps

You might assume that an expensive secure phone or an encrypted messaging app like Signal guarantees your privacy. Sadly, that assumes too much of the humans at each end, whose mistakes when using these schemes can undo the protection entirely.

Technology Review reports on experiments at the University of Alabama at Birmingham that mimic the use of cryptophone apps and show that humans can be the weak link in the encryption chain. Many secure apps, Signal included, ask the users at either end to read aloud and compare a short string of words shown on screen (the article calls it a checksum; it is derived from the session key the two ends negotiated for the call) in order to check that the line isn't tapped. If a man-in-the-middle has substituted their own keys into the call, each end negotiates a different key, so the words on the two screens no longer match, and the attacker cannot easily fix that up without also faking the other party's voice reading them out. The check only works, of course, if the people on the call actually compare the words.
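As an added illustration (not code from the study, from Signal, or from Technology Review), here is a toy model of the mechanism: each end derives a session key from a Diffie-Hellman exchange, turns the first few bits of that key into words, and a man-in-the-middle who swaps in their own public values leaves the two ends with different keys and therefore different words. The DH group, the 16-entry word list and the names Alice, Bob and Mallory are constructed for the example; real apps use a proper curve and a 256-word list, so each real word carries more bits than shown here.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, constructed for illustration only: a 127-bit Mersenne
# prime is far too small to be secure. Real apps use X25519 or similar; the
# short-authentication-string logic is the same.
P = 2**127 - 1
G = 5

# Constructed 16-entry word list. ZRTP-style systems use the 256-word PGP word
# list, so each real word carries 8 bits rather than the 4 bits used here.
WORDS = ["acid", "adult", "apple", "arrow", "badge", "beach", "berry", "bingo",
         "bison", "blade", "bloom", "brick", "cabin", "candy", "cargo", "cedar"]


class Party:
    """One end of the call: owns a DH key pair and derives the session key."""

    def __init__(self, name, priv=None):
        self.name = name
        # A fixed private value may be passed in for reproducible runs.
        self.priv = priv if priv is not None else secrets.randbelow(P - 2) + 2
        self.pub = pow(G, self.priv, P)
        self.key = None

    def derive_key(self, peer_pub):
        """Session key = SHA-256 of the DH secret computed from what we *think*
        is the peer's public value. Nothing here can tell a real peer from Mallory."""
        shared = pow(peer_pub, self.priv, P)
        self.key = hashlib.sha256(shared.to_bytes(16, "big")).digest()
        return self.key


def short_auth_string(key, n_words):
    """Map the leading 4*n_words bits of the session key to words the users read aloud."""
    words = []
    for i in range(n_words):
        byte = key[i // 2]
        nibble = byte >> 4 if i % 2 == 0 else byte & 0x0F
        words.append(WORDS[nibble])
    return " ".join(words)


def honest_call(n_words, a_priv=None, b_priv=None):
    """Direct exchange: both ends compute the same key, so their word strings agree.
    Returns (Alice's string, Bob's string, whether the two session keys are equal)."""
    alice, bob = Party("Alice", a_priv), Party("Bob", b_priv)
    alice.derive_key(bob.pub)
    bob.derive_key(alice.pub)
    return (short_auth_string(alice.key, n_words),
            short_auth_string(bob.key, n_words),
            alice.key == bob.key)


def mitm_call(n_words, a_priv=None, b_priv=None, m1_priv=None, m2_priv=None):
    """Mallory replaces each public value with her own. She can decrypt and
    re-encrypt the whole call, but Alice and Bob now hold different keys, so their
    word strings differ except with probability 16**-n_words for this toy list."""
    alice, bob = Party("Alice", a_priv), Party("Bob", b_priv)
    m_to_alice, m_to_bob = Party("Mallory", m1_priv), Party("Mallory", m2_priv)
    alice.derive_key(m_to_alice.pub)   # Alice believes this is Bob's value
    bob.derive_key(m_to_bob.pub)       # Bob believes this is Alice's value
    m_to_alice.derive_key(alice.pub)   # Mallory's key shared with Alice
    m_to_bob.derive_key(bob.pub)       # Mallory's key shared with Bob
    # Sanity check: Mallory really does share a key with each victim separately.
    assert m_to_alice.key == alice.key and m_to_bob.key == bob.key
    return (short_auth_string(alice.key, n_words),
            short_auth_string(bob.key, n_words),
            alice.key == bob.key)


if __name__ == "__main__":
    for n in (2, 4):
        a, b, _ = honest_call(n)
        print(f"honest {n}-word check: Alice sees '{a}', Bob sees '{b}', match={a == b}")
        a, b, _ = mitm_call(n)
        print(f"MITM   {n}-word check: Alice sees '{a}', Bob sees '{b}', match={a == b}")
```

The only defence the protocol offers against Mallory is the final string comparison: the encryption itself looks perfectly healthy from both ends, which is exactly why a participant who waves through mismatched words has silently lost everything.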

The research team recreated that set-up, getting volunteers to take part in phone calls through a web browser. Each call was protected by either a 2- or 4-word checksum: the participant listened to the other party read it out and had to confirm that it matched what they saw on screen.

Sadly, the results don't say much for human skills. The team found that participants often carried on with calls when the sequence of words was wrong, accepting incorrect 2-word checksums 30 percent of the time and incorrect 4-word checksums 40 percent of the time. Participants also regularly hung up on calls when the checksum was correct, but a false alarm is clearly far less damaging than a missed one. The work was presented earlier this month at the Annual Computer Security Applications Conference.

The reason for the human errors is unclear, though it is likely related to the fact that the word strings are random. It's easy enough to tune out when hearing a string of text such as