40 with 0 posters participating
Academic researchers have discovered serious vulnerabilities in the core of Threema, an instant messenger that its Switzerland-based developer says provides a level of security and privacy “no other chat service” can offer. Despite the unusually strong claims and two independent security audits Threema has received, the researchers said the flaws completely undermine assurances of confidentiality and authentication that are the cornerstone of any program sold as providing end-to-end encryption, typically abbreviated as E2EE.
Threema has more than 10 million users, which include the Swiss government, the Swiss army, German Chancellor Olaf Scholz, and other politicians in that country. Threema developers advertise it as a more secure alternative to Meta’s WhatsApp messenger. It’s among the top Android apps for a fee-based category in Switzerland, Germany, Austria, Canada, and Australia. The app uses a custom-designed encryption protocol in contravention of established cryptographic norms.
The seven deadly flaws
Researchers from the Zurich-based ETH research university reported on Monday that they found seven vulnerabilities in Threema that seriously call into question the true level of security the app has offered over the years. Two of the vulnerabilities require no special access to a Threema server or app to cryptographically impersonate a user. Three vulnerabilities require an attacker to gain access to a Threema server. The remaining two can be exploited when an attacker gains access to an unlocked phone, such as at a border crossing.
“In totality, our attacks seriously undermine Threema’s security claims,” the researchers wrote. “All the attacks can be mitigated, but in some cases, a major redesign is needed.”
- A lack of integrity protection on the message metadata. As a result, an attacker can surreptitiously reorder and/or delete messages sent from one client to another.
- Faulty usage nonce handling allows for “replay and reflection” attacks, in which the threat actor resends old messages and sends a user a message that user previously sent to someone else.
- A bug in the challenge-and-response protocol used for a client to authenticate itself to the server during registration. During the process, the client proves possession of its private key by encrypting a server-chosen message that’s encrypted with a server-chosen public key. A compromised server can exploit this design to create “kompromat,” or potentially incriminating messages that can be delivered at any later time to a targeted user. Threema patched this vulnerability in December 2021, when a separate researcher spotted it.
- A feature that allows users to export their private key from one device to another. Poor design decisions make it trivial for an attacker to use the key to clone a Threema account and go on to access all future messages. Combined with a compromised Threema server, the adversary can also obtain all previously sent messages.
- Message compression that occurs before encryption when Threema creates a backup, combined with the ability for an attacker to use a nickname feature to inject chosen strings into the backup. This allows a more sophisticated attacker to observe the size of the backup file over multiple iterations and eventually recover the user’s private key.