Many companies, especially small ones, don’t use specialized systems like Slack or Microsoft Teams for communication among employees, and instead use ordinary messengers such as WhatsApp, Telegram, and Signal. And whereas people mainly prefer the mobile versions for personal use, when it comes to work needs, many install desktop applications without giving much thought to how secure they are.
In our recent post on vulnerabilities in the desktop version of Signal, we wrote that “the best advice would be not to use the desktop version of Signal (and desktop versions of messengers in general)”. But since it’s not immediately obvious why, here we explain in some detail the flaws of desktop messengers in terms of cybersecurity.
Note that we’re talking about desktop versions of “civilian” messaging apps (such as Telegram, WhatsApp, and Signal) — not corporate platforms like Slack and Microsoft Teams, which are specially adapted for work processes (and as such they operate a little differently and so are not covered in this post).
1. App on the outside, browser on the inside
One of the important things to understand about desktop versions of messengers is that the vast majority of them are built on the Electron framework. What this basically means is that such a program, on the inside, is a web application that opens in an embedded Chromium browser.
This is actually the main reason why Electron is so popular with developers of desktop versions of messengers: the framework makes it quick and easy to create applications that run on all operating systems. However, it also means that programs built on Electron automatically inherit the full range of its vulnerabilities.
At the same time, one must understand that, due to their incredible popularity, Chrome and Chromium are always under the spotlight. Cybercriminals regularly discover vulnerabilities in them, and promptly create exploits with detailed descriptions of how to use them. In the case of the normal, standalone Chrome browser, this isn’t such a big problem: Google is very responsive to information about vulnerabilities and releases patches on a regular basis. To stay safe, you just need to install updates without delay. But when it comes to programs based on Electron, the embedded browser gets an update only when the developers release a new version of the application.
So what do we end up with? If your employees use applications built on Electron, this means they have several browsers running in their systems for which exploits appear regularly. Furthermore, neither you nor they can control the updates for these browsers. The more applications like this there are, the higher the associated risks. So it would be wise to at least limit the number of “civilian” messengers used for work purposes in the company.
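As an added illustration of this point (example code written for this page, not from the original post and not a Kaspersky tool), the script below audits the Chromium build that an Electron-based application carries, so a defender can see when an embedded browser lags the standalone one. It assumes that Electron binaries contain the literal `Chrome/x.y.z.w` and `Electron/x.y.z` strings used in their default user agent; the sample bytes and the baseline version are constructed.

```python
import re
from pathlib import Path

# Version markers that Electron builds embed for their default user-agent
# string. That these literals are present in the binary is an assumption of
# this example, not something the post states.
CHROME_RE = re.compile(rb"Chrome/(\d+)\.(\d+)\.(\d+)\.(\d+)")
ELECTRON_RE = re.compile(rb"Electron/(\d+)\.(\d+)\.(\d+)")


def extract_versions(blob: bytes) -> dict:
    """Return the embedded Chromium and Electron versions found in a binary."""
    found = {"chrome": None, "electron": None}
    for key, pattern in (("chrome", CHROME_RE), ("electron", ELECTRON_RE)):
        m = pattern.search(blob)
        if m:
            found[key] = tuple(int(x) for x in m.groups())
    return found


def is_stale(chrome_version, minimum_major: int) -> bool:
    """True when the embedded Chromium major version lags the chosen baseline."""
    return chrome_version is not None and chrome_version[0] < minimum_major


def audit_dir(root: Path, minimum_major: int) -> list:
    """Walk an install directory; report every file that carries Electron markers."""
    reports = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        info = extract_versions(path.read_bytes())
        if info["chrome"] or info["electron"]:
            info["path"] = str(path)
            info["stale"] = is_stale(info["chrome"], minimum_major)
            reports.append(info)
    return reports


# Constructed sample standing in for a messenger's main executable (not a
# real binary): Electron 22 ships Chromium 108, which is what the markers say.
SAMPLE_BINARY = (b"\x7fELF\x00padding Mozilla/5.0 Chrome/108.0.5359.215 "
                 b"Electron/22.3.27 Safari/537.36\x00more bytes")

if __name__ == "__main__":
    # Illustrative baseline: the Chromium major a current standalone Chrome ships.
    info = extract_versions(SAMPLE_BINARY)
    print(info, "stale:", is_stale(info["chrome"], 120))
```

Point `audit_dir` at an application's install directory to list every file carrying these markers together with a staleness verdict against the baseline you choose.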
2. Key question
One of the biggest draws of modern messengers is end-to-end encryption: decrypting a message requires the private keys of the chat participants, and those keys never leave their devices. As long as no one else has the keys, your correspondence is securely protected. But if an attacker does get hold of a private key, they’ll be able not only to read your correspondence, but also to impersonate one of the chat participants.
And this is where the problem with desktop versions of messengers appears: they store the encryption keys on the hard drive, from where they can easily be stolen. Sure, the attacker must first somehow gain access to the system, for example through malware, but that is perfectly doable on a desktop operating system. Mobile operating systems, by contrast, have architectural features that make stealing encryption keys much harder, especially remotely.
In other words, using the desktop version of a messenger automatically and significantly raises the risk that the encryption key, and hence work correspondence, will fall into the wrong hands.
3. RAT in the chat
Let’s assume things go smoothly, and no one (yet) has possession of the encryption key of any of your employees: this means that all work correspondence is safe and sound, right? Not quite. Cybercriminals could potentially use remote administration tools as well as remote access Trojans (both of which share the same acronym — RAT) to lay their hands on work correspondence. The difference between them is rather symbolic: both legitimate tools and illegal Trojans can be used to do lots of interesting things with your computer.
RATs represent threats against which desktop messenger clients, unlike their mobile counterparts, are practically defenseless. Such programs allow even inexperienced attackers to get the content of secret correspondence. In a messenger running on a desktop, all chats are already automatically decrypted, so there’s no need to steal the private keys. Anyone in remote desktop mode can read your correspondence, even if it’s conducted in the most secure messenger in the world. And not only read, but also write messages in work chat posing as a company employee.
Moreover, remote administration tools are entirely legitimate programs, with all the ensuing consequences. First, unlike malware, which has to be obtained from some dark corner of the internet, they can be found and downloaded online without any problems at all. Second, not every security solution warns the user if remote access tools are found on their computer.
4. What’s in the box?
Another reason to avoid the desktop clients of popular messengers is the risk that they become an additional, uncontrolled channel for delivering malicious files to your employees’ computers. Sure, malware can be picked up anywhere. But in the case of e-mail attachments and, even more so, files downloaded from the internet, most people are aware of the potential danger. Files received in a messenger, especially one positioned as secure, are viewed differently: “what can go wrong here?” This is especially so if a file came from a colleague: “there can’t possibly be anything to worry about” is the common view.
The vulnerabilities found in the desktop version of Signal related to how the messenger handles files (described in our recent post) serve as an example. Exploitation of these vulnerabilities allows an attacker to quietly distribute infected documents to chat participants pretending to be one of those participants.
This is just one hypothetical scenario, and one that presupposes an attacker with advanced technical capabilities. Others cannot be ruled out either: from mass mailings based on stolen databases to targeted attacks using social engineering.
Again, mobile operating systems are better protected against malware, so this problem is less acute for users of mobile messenger clients. Their desktop counterparts carry a far greater risk of attracting some kind of malware to said desktop computer.
5. We should have shotguns for this kind of thing
Traditional threats shouldn’t be forgotten either. Specialized security solutions at the corporate mail gateway level protect against malicious attachments and phishing. With desktop messenger clients, things are a little more complicated: no solution can inspect an end-to-end encrypted exchange on the messenger’s own servers, so dangerous objects can be caught only at the endpoint, which lowers the overall level of protection.
Once again, this is far less of a problem on mobile devices. They’re harder to infect with malware, and fewer important files are stored there. Plus, lateral movement in the corporate network following a successful attack on a mobile device is unlikely to have the same devastating consequences.
A desktop messenger on a work computer provides a communication channel that’s not only uncontrollable by the network administrator, but fully secured against their actions; and from this state of affairs something very nasty could emerge.
Prevention is better than cure and blame
We end basically where we began: as mentioned in the introduction, the best tip is not to use desktop versions of messengers. If for some reason that’s not an option, then at least take basic precautions:
- Be sure to install security software on work devices. This, in fact, is the only way to protect against the unpleasant things that can crawl through messengers into your company network.
- If your employees use more than one messenger for work purposes, try to stop this practice. Decide on one and ban the rest.
- In addition, keep track of remote access tools installed and used on work devices.
- Speaking of which, our Kaspersky Endpoint Security Cloud has a Cloud Discovery feature, which tracks employees’ attempts to use unapproved cloud services.
- And to make all these measures more effective and at the same time to demonstrate their absolute necessity, providing information security training for employees would be helpful.