Researchers find vulnerabilities in Threema’s homemade encryption protocol
Researchers say they have found a few serious vulnerabilities in the encrypted chat app Threema. In a paper they describe seven ways to break the encryption, although in practice the risk of abuse is negligible. Threema now uses a different encryption protocol.
Researchers from the ETH Technical University of Zurich have published their findings in a paper. They have also set up a website called Breaking The 3ma, on which they describe their most important findings. Threema is a secure chat app that uses end-to-end encryption on all messages. It uses a homemade cryptographic protocol for this, but Threema has been using a different protocol for a few weeks now, making the discoveries less relevant.
According to the researchers, there are several vulnerabilities in the older encryption protocol, but the actual danger is small. The researchers divide the vulnerabilities into three threat models. All three models require access to a server, to the victims' communication channel, or even to an unlocked device. Attackers with such access can capture a lot of information even without the newly found encryption vulnerabilities.
Two vulnerabilities apply when an attacker targets the network. In that case, an attacker who obtains an ephemeral key can maintain permanent access to a server. Threema uses constantly changing keys, but the researchers show that if an attacker manages to obtain such a key from a client, the attacker can keep access to the server indefinitely. Another vulnerability revolves around the vouch box, a kind of container in which an ephemeral key is linked to another key. The researchers demonstrate that they can get a user to create a valid vouch box key, allowing them to pose as a legitimate client on the server.
Three other attacks require an attacker to already have access to a Threema server. In that case, one of the vulnerabilities makes it possible to manipulate the timestamp of sent messages or to have messages delivered in a different order, even though the content of the messages cannot be read. Another vulnerability allows old messages to be delivered to a user again when they install the app on a new device. That makes replay attacks possible, say the researchers. A third vulnerability makes it possible to forward an encrypted message to another user, although in the latter two attacks there is no way to read the content of the message.
The researchers also describe two attacks that require access to a user's Android device. An attacker with such access can copy an account to a second device with a password chosen on the spot. The researchers can also copy a long-term key if a user uses the Threema Safe cloud backup function. This attack is comparable to CRIME, which can be applied to TLS connections.
The researchers presented their findings to Threema in October last year. The company fixed all vulnerabilities. Threema now also has a new encryption protocol, called Ibex, in which the vulnerabilities no longer exist. Nevertheless, Threema is not happy with the research. The company says the information has no longer been relevant since November last year, when Ibex was introduced, and that the actual impact is virtually non-existent. The company refutes each of the individual vulnerabilities, saying that many of them also require social engineering or other physical access to a device.
The researchers themselves say that their research is indeed useful, especially when it comes to security audits. Threema commissions independent audits, but according to the researchers, the nature of the cryptographic protocol itself was not taken into account in them. One of the researchers warns against the use of homemade protocols.