Developed by Open Whisper Systems, Signal is a free, open-source encrypted communications application for mobile and desktop devices that enables users to make voice calls, send instant messages, and even make video calls securely. Recently, however, a security vulnerability has been discovered in the desktop version that can be turned into a USB Rubber Ducky payload to steal Signal messages with a single click.
Signal Messenger is extremely popular with privacy-conscious users because of its blend of privacy and convenience, but this compromise has consequences. Security researchers Alec Muffett and Patrick Wardle have discovered a vulnerability that allows Signal messages that have been "deleted" by the desktop application to be retrieved in plain text and without a password from a macOS computer. This is possible because of the way macOS stores Signal messages that are displayed in plain text in pop-up alerts.
While Signal has patched this vulnerability going forward, all messages already in the notification system are still there and fair game. Today we demonstrate how to use AuRevoir to create a one-click Ducky script to steal all Signal messages on a MacBook or other Mac computer in about 45 seconds.
Weaponizing the Exploit with a Rubber Ducky
To take this exploit to the next level, we can package it into a USB Rubber Ducky exploit to quickly grab Signal conversations from any macOS device we have physical access to. The USB Rubber Ducky is a versatile attack platform that can do this in a variety of ways, but instead of using a wget request to download and run the application, we can use the "Twin Duck" firmware. This allows both the application and the stolen Signal messages to be hosted on the Rubber Ducky. It saves us from having to download and run the app ourselves or exfiltrate data by email.
We use the Twin Duck firmware so that our USB Rubber Ducky is recognized both as a keyboard and as a USB mass storage device. We can use this setup to automate most parts of this hack, with the one manual part being a single click on the "Show messages" button. This is because the USB Rubber Ducky cannot simulate mouse clicks, though in a future iteration some Python code might handle it.
As a disclaimer, it is illegal to copy a user's messages without their permission, so this should only be done on a system that you have access to. While the messages are not stored encrypted, obtaining private messages without permission may be illegal, depending on your jurisdiction.
You can flash Twin Duck firmware by downloading Ducky Flasher, which is included in the Hak5 GitHub repository. The Ducky Flasher can flash a variety of firmware, each of which changes the behavior of the USB Rubber Ducky.
To write Ducky Script and encode a payload, you can use the Duck Encoder included in the GitHub repository above, or simply use a web interface such as the Duck Toolkit.
We also need the AuRevoir application from Patrick Wardle, with which we can find all the messages on the system. You can download it from the Objective-See GitHub.
The AuRevoir Application
Patrick Wardle's AuRevoir application is an excellent tool for retrieving Signal messages stored in the macOS notification system, and it is very user-friendly and straightforward. With a helpful graphical user interface, the tool is the best solution for the average user in detecting and clearing Signal notifications stored on their computer.