The ‘Linked Devices’ Vulnerability: Signal Isn’t Alone.
But we can address it today, with passkeys.
In recent news, following a minor scandal involving U.S. presidential staff allegedly using Signal to plan military actions, the Department of Defense has issued a memo warning about vulnerabilities related to Signal-linked devices. Setting aside the politics — and the unfounded criticism blaming Signal for someone inviting an Atlantic journalist into a chat — what I want to focus on is the DoD memo itself and its specific concern about phishing risks targeting Signal.
Last week, the DoD released a special bulletin, “F9T53 OPSEC SPECIAL BULLETIN”, which states, above all:
“Russian professional hacking groups are employing the “linked devices” feature to spy on encrypted conversations.”
The “linked devices” vulnerability affects all major messaging apps: not just Signal, but also WhatsApp, Telegram, Viber, Line, WeChat, and others. If a messaging app supports QR-based device linking, it is vulnerable to phishing.
Current state of affairs
The “linked devices” vulnerability poses a growing threat to civilians, activists, journalists, and government officials alike. A successful attack can grant adversaries access to both past and future messages, allow them to impersonate the victim, and monitor their activity in real time. In many countries, it’s common to share sensitive documents — such as passports, IDs, or health records — via messaging apps, further compounding the risks.
The fundamental vulnerability in linked devices is simply that users cannot distinguish between a real and a fake setup page, so “linked devices” flows are vulnerable to traditional phishing.
The good news is that this can be addressed with passkeys and the Digital Credentials API.
Passkeys and the Digital Credentials API
The good news is that this challenge can be addressed using passkeys and the Digital Credentials API.
Passkeys are a phishing-resistant authentication method based on digital signatures. They’re supported across all major ecosystems and provide a seamless user experience.
By layering passkeys on top of the existing linked-devices flow, we can strengthen it with a robust authentication layer that’s resistant to phishing.
Because the user must verify their identity directly on the website, we can trust the session is secure and that the user is physically near the device.
What’s next?
First, practice good digital hygiene, and avoid any temptation to scan untrusted QR codes or “link devices”. Learn more about this vulnerability at our mini project DaryaScam.
If you know someone who would wanna chat about linked devices and passkeys, give them my email.
ackermann.yuriy (at) gmail(dot)com
Stay safe, and vigilant.
Sources:
- https://www.wired.com/story/signalgate-isnt-about-signal/
- “F9T53 OPSEC SPECIAL BULLETIN” — https://www.scribd.com/document/843124910/NSA-full
- https://www.microsoft.com/en-us/security/blog/2025/01/16/new-star-blizzard-spear-phishing-campaign-targets-whatsapp-accounts/
- https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger
- https://herrjemand.medium.com/announcing-daryascam-messaging-apps-need-passkeys-asap-893cbfb03482
- https://github.com/WICG/digital-credentials/blob/main/explainer.md
- https://www.daryascam.info/White-Paper-Killing-messenger-phishing-with-passkeys-blackjack-and-hybrid-141cf1aba98e80ea9bcfee7353a22623