Encrypted communication tools and software have seen a steady rise since the many surveillance revelations exposed by whistleblowers such as Edward Snowden. The notion of encrypting your emails, web browsing history and even phone calls has led to a battle over security versus state monitoring, but what are the weaknesses within these various encrypted apps? A new study has found that we humans often compromise our own anonymity.
The observation comes from researchers at the University of Alabama, who performed a study that “Mimicked a cryptophone app”. These apps, including Signal, may ask both parties who are either texting or calling to “verbally compare a short string of words they see on their screens which is often referred to as a checksum or short authentication string”. The aim is to ensure that a new communication session has not been intercepted by a third party: if it has, the words will not match and the session is not secure.
That sounds secure, but the study found that in many cases the flaw lies with human error itself. Let me explain. Researchers designed the aforementioned imitation of a cryptophone app and then asked participants within the control group to use a web browser to make a call to an online server. They were then asked to listen to a random two or four word sequence and determine whether it matched the words they saw on the computer screen in front of them. The control group were also asked to determine whether the voice they heard was the same as one they’d heard previously reading a short story.
Researchers found that the study control group would more often than not accept calls when hearing the wrong sequence of words and reject calls when the sequence was transmitted correctly. It was also found that a four word checksum decreased the overall level of security when it should in theory increase it. To put it into perspective, out of 128 participants, an incorrect two-word string was accepted 30% of the time, while a two-word string that was spoken correctly was rejected 22% of the time. Four word strings had even worse results, with incorrect strings being accepted 40% of the time and correct ones being rejected 25% of the time.
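To make the mechanism and the numbers concrete, here is an added example (not code from the study or from any app mentioned) that derives a word checksum from a key exchange, shows the words diverging when a third party sits in the middle, and combines the checksum's strength with the study's acceptance rates. The toy Diffie-Hellman group, the 256-word list and all function names are assumptions made for the illustration.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, constructed for this demo; far too small for real use.
P = 2**127 - 1
G = 3

# Constructed 256-word list (16 x 16 syllables), so each word carries 8 bits.
WORDS = [a + b
         for a in "ba de fi go ku la me ni po ru sa te vi wo zu ha".split()
         for b in "bin dar fel gom kus lan mer nit pol rug sam tev vik wob zun hax".split()]

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def sas(priv, peer_pub, count=2):
    """Words one endpoint displays: hash of the secret it computed, mapped to words."""
    secret = pow(peer_pub, priv, P)
    digest = hashlib.sha256(secret.to_bytes(16, "big")).digest()
    return [WORDS[b] for b in digest[:count]]

def honest_call(count=2):
    """Both endpoints receive each other's real public key."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    return sas(a_priv, b_pub, count), sas(b_priv, a_pub, count)

def intercepted_call(count=2):
    """A third party substitutes its own public key towards each endpoint."""
    a_priv, _ = keypair()
    b_priv, _ = keypair()
    _, m_pub = keypair()
    return sas(a_priv, m_pub, count), sas(b_priv, m_pub, count)

def chance_interception_accepted(count, human_false_accept):
    """Probability a user approves an intercepted call: the words collide by luck,
    or they differ and the listener wrongly accepts them (rate from the study)."""
    collide = len(WORDS) ** -count
    return collide + (1 - collide) * human_false_accept

if __name__ == "__main__":
    print("honest:     ", honest_call(4))
    print("intercepted:", intercepted_call(4))
    print("2 words:", chance_interception_accepted(2, 0.30))
    print("4 words:", chance_interception_accepted(4, 0.40))
```

With this word list, going from two to four words cuts the chance of an accidental match from 1 in 65,536 to about 1 in 4.3 billion, yet the overall acceptance of an intercepted call is set almost entirely by the 30% and 40% human error rates reported above.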
A possible cause is that these words are random and not easily placed in a sentence, so we humans tend to zone out and lose concentration. The result could be that we think we hear something which is in fact incorrect, or vice versa.
It’s an interesting experiment which could lead to better development of apps that aim to keep conversations secure.