You might think that because you use an expensive secure phone or encrypted messaging app like Signal your privacy is guaranteed. Sadly, you may have overestimated the abilities of the humans at each end, whose screw-ups when using the schemes can render them redundant.
Technology Review reports that experiments performed at the University of Alabama at Birmingham, which mimic the use of a cryptophone apps, show that humans can be the weak link in the encryption chain. A lot of secure apps, including Signal itself, can ask the users at either end to verbally compare a short string of words shown on-screen — which is known as a checksum — in order to check a line isn't tapped. In theory, if the channel of communication is compromised, the words don't match up.
The research team recreated that set-up, getting volunteers to take part in phone calls via a web browser. Its security was ensured by either a two or four-word checksum, which the user had to listen to and ensure it matched what they saw on screen.
Sadly, the results don't say much for human skills. The team found that the participants often carried on with calls when the sequence of words was wrong, accepting incorrect two-word checksums 30 per cent of the time and four-word checksums 40 per cent of the time. The participants also regularly hung up on calls when the checksum was correct, but that's clearly far less damaging. The work was presented earlier this month at the Annual Computer Security Applications Conference.
The reason for human ineptitude is unclear, though it's likely to do with the fact that the strings of words that get used are random. It's easy enough to tune out when hearing a string of text such as "dog, waffle, boat, hat", and perhaps just as easy enough to confuse it with "dog, waffle, hat, boat". That may well account for the reason why four-word checksums — which should in theory be far more secure than their two-word counterpart — seems to make things even worse.
At any rate, the moral of the story is: your app or phone may be secure, but don't necessarily assume that you or the human at the other end are.