Your Yello Ring Road To Success
GOOGLE LOGIN MY ADS MY SHOP

Expert Analysis Reveals Cryptographic Weaknesses in Threema Messaging App

Jan 10, 2023Ravie LakshmananPrivacy / Encryption

Threema Messaging App

A comprehensive analysis of the cryptographic protocols used in
the Swiss encrypted messaging application Threema has revealed a
number of loopholes that could be exploited to break authentication
protections and even recover users’ private keys.

The seven attacks span three different threat models, according[1] to ETH Zurich
researchers Kenneth G. Paterson, Matteo Scarlata, and Kien Tuong
Truong, who reported the issues to Threema on October 3, 2022. The
weaknesses have since been addressed as part of updates[2] released by the company
on November 29, 2022.

Threema is an encrypted messaging app that’s used by more than
11 million users as of October 2022. “Security and privacy are
deeply ingrained in Threema’s DNA,” the company claims[3] on its website.

Officially used by the Swiss Government and the Swiss Army, it’s
also advertised as a secure alternative alongside other services
such as Signal, Meta-owned WhatsApp, and Telegram.

While Threema has been subjected to third-party code
audits[4] at least twice – once in
2019 and a second time in 2020 – the latest findings show that they
weren’t thorough enough to uncover the problems present in the
“cryptographic core of the application.”

“Ideally, any application using novel cryptographic protocols
should come with its own formal security analyses (in the form of
security proofs) in order to provide strong security assurances,”
the researchers said.

In a nutshell, the attacks could pave the way for a wide range
of exploitation scenarios, namely allowing an attacker to
impersonate a client, reorder the sequence of messages exchanged
between two parties, clone the account of a victim user, and even
leverage the backup mechanism to recover the user’s private
key.

The latter two attack pathways, which require direct access to a
victim’s device, could have severe consequences, as it enables the
adversary to stealthily access the users’ future messages without
their knowledge.

Also uncovered is a case of replay[5]
and reflection attack related to its Android app that occurs when
users reinstall the app or change devices, granting a bad actor
with access to Threema servers to replay old messages. A similar replay attack[6]
was identified in January 2018.

Last but not least, an adversary could also stage what’s called
a Kompromat attack wherein a malicious server tricks a client “into
unwittingly encrypting a message of the server’s choosing that can
be delivered to a different user.”

It’s worth noting that this attack was previously reported to
Threema by University of Erlangen-Nuremberg researcher Jonathan
Krebs, prompting the company to ship
fixes[7] in December 2021
(version 4.62 for Android and version 4.6.14 for iOS).

“Using modern, secure libraries for cryptographic primitives
does not, on its own, lead to a secure protocol design,” the
researchers said. “Libraries such as NaCl[8] or libsignal[9]
can be misused while building more complex protocols and developers
must be wary not to be lulled into a false sense of security.”

“While the mantra ‘don’t roll your own crypto’ is now widely
known, it should be extended to ‘don’t roll your own cryptographic
protocol’ (assuming one already exists that meets the developer’s
requirements),” they added. “In the case of Threema, the bespoke
C2S protocol could be replaced by TLS[10].”

When reached for comment, Threema told The Hacker News that it
has released a new communication protocol called Ibex that
renders “some of the issues obsolete,” adding it “acted instantly
to implement fixes for all findings within weeks.”

“While some of the findings […] may be interesting from a
theoretical standpoint, none of them ever had any considerable
real-world impact,” the company further noted[11]. “Most assume extensive
and unrealistic prerequisites that would have far greater
consequences than the respective finding itself.”

It also pointed out that some of the attacks bank on having
physical access to an unlocked mobile device over an extended time
period, at which point the “entire device must be considered
compromised.”

The study arrives almost six months after ETH Zurich researchers
detailed[12] critical shortcomings
in the MEGA cloud storage service that could be weaponized to crack
the private keys and fully compromise the privacy of the uploaded
files.

Then in September 2022, another group of researchers disclosed[13] a host of security flaws[14] in the Matrix[15] decentralized,
real-time communication protocol that grant a malicious server
operator the ability to read messages and impersonate users,
effectively undermining the confidentiality and authenticity of the
service.

Found this article interesting? Follow us on Twitter [16] and LinkedIn[17] to read more exclusive
content we post.

References

  1. ^
    according
    (breakingthe3ma.app)
  2. ^
    updates
    (threema.ch)
  3. ^
    claims
    (threema.ch)
  4. ^
    third-party code audits
    (threema.ch)
  5. ^
    replay
    (en.wikipedia.org)
  6. ^
    similar
    replay attack     (www.computer.org)
  7. ^
    ship
    fixes     (threema.ch)
  8. ^
    NaCl
    (nacl.cr.yp.to)
  9. ^
    libsignal
    (en.wikipedia.org)
  10. ^
    TLS
    (en.wikipedia.org)
  11. ^
    noted
    (threema.ch)
  12. ^
    detailed
    (thehackernews.com)
  13. ^
    disclosed
    (nebuchadnezzar-megolm.github.io)
  14. ^
    security flaws
    (arstechnica.com)
  15. ^
    Matrix
    (matrix.org)
  16. ^
    Twitter 
    (twitter.com)
  17. ^
    LinkedIn
    (www.linkedin.com)

Read more