Bridgefy FAIL: Insecure for Use in Protests
Tale as old as time: Bridgefy, a young naïve startup, builds quick and dirty app for use case A. Then many people use it for use case B, so the startup pivots to follow the market.
True as it can be: But use case B—private messaging for activists—requires a far stronger security posture. But that didn’t stop Bridgefy from promoting its weak-as-kittens app for this adversary-rich environment.
Ever as before and ever just as sure, as the sun will rise. In today’s SB Blogwatch, we’re beastly to beautiful CEO Jorge Ríos.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Orchestra of Samples.
Feds Scoff At Your BT Mesh
What’s the craic? Dan Goodin reports—“Messenger promoted for mass protests is a privacy disaster”:
How do you communicate with one another when Internet connections are severely congested or completely shut down [yet] keep your identity and conversations private? One heavily promoted solution has been Bridgefy, [which] has the financial and marketing backing of Twitter cofounder Biz Stone and boasts … more than 1.7 million installations.
…
Bridgefy lets users within a few hundred meters—and much further [via] intermediary nodes—to send and receive both direct and group texts with no reliance on the Internet. … With the past year’s upswell of large protests around the world … company representatives began telling journalists that the app’s use of end-to-end encryption … protected activists. [And] the company has continued to hold out the app as a safe and reliable way for activists to communicate.
…
But now, researchers are revealing a litany of recently uncovered flaws and weaknesses that show that just about every claim of anonymity, privacy, and reliability is outright false. … Back to the drawing board. …
- With no effective way to authenticate, any user can impersonate any other user. …
- PKCS #1 … was deprecated in 1998. [It] allows attackers to perform … a “padding oracle” attack to [decrypt] an encrypted message. …
- Anyone with physical presence can build a social graph of which IDs are communicating with every other ID. …
- The adversary can then use publicly available programming interfaces … to obtain the phone number of any verified user. …
- An adversary can also track individual users’ movements in a crowd by building a rough topology of the network as it evolves … because users who are further away from each other will experience a longer delay between a message and its receipts. …
- A “zip bomb” … works by sending a compressed zip file in a broadcast message that’s … about 10 kilobytes when decrypted, but it balloons into more than 10 megabytes [and] all apps connected to the network repeatedly [crash, so] the network completely shuts down.
So Brendan Hesse draws the obvious conclusion—“Don’t Use Bridgefy for Messaging at Protests”:
The app was initially envisioned as an “offline” communication network for use in rural communities, at times of high network congestion (like sporting events), or even amid natural disasters. … But after Bridgefy’s CEO started claiming the app is a safe, fully-encrypted messaging tool that can’t be disrupted … it quickly became a go-to communication resource for many activists.
…
A cybersecurity research team from the Royal Holloway University of London … disclosed the bugs to Bridgefy and demonstrated their severity … in April. The vulnerabilities still exist in the app.
…
There’s no evidence that such attacks have occurred, but … they’re not difficult to pull off.
Yikes. Martin R. Albrecht, Jorge Blasco, Rikke Bjerg Jensen and Lenka Marekova try “Breaking Bridgefy” (and succeed):
The most viable offering in [the] mesh messaging … space, Bridgefy, has recently seen increased uptake in areas experiencing large-scale protests (Hong Kong, India, Iran, US, Zimbabwe, Belarus, Thailand), suggesting its use in these protests. … It is also being promoted as a communication tool for use in such situations.
…
Our results show that Bridgefy permits its users to be tracked, offers no authenticity, no effective confidentiality protections and lacks resilience against adversarially crafted messages. We verify these vulnerabilities by demonstrating a series of practical attacks.
…
An adversary can produce social graphs about [users], read their messages, impersonate anyone to anyone and shut down the entire network. … We conclude that participants of protests should avoid relying on Bridgefy.
…
We disclosed the vulnerabilities described in this work to the Bridgefy developers on 27 April 2020. … On 8 July 2020, the developers informed us that they were implementing a switch to the Signal protocol to provide cryptographic assurances. … We recommend an independent security audit when … complete.
Emergency! Bridgefy’s PR gnomes spin a tangled web—“Bridgefy’s commitment to privacy and security”:
As the app grows, our company must grow to meet new challenges. … We’ve learned a very valuable lesson. [Go on …]
…
While we never expected to become the default “protest app,” our user base did. [They] asked if Bridgefy was completely safe and private, and we ultimately found the answer did not satisfy our vision. [English, melonfarmers: Do you speak it?]
…
We realized that Bridgefy’s security model was appropriate for a small startup, but not for the scale it has achieved today. [Uh, no: It’s nothing to do with how big your business is.]
…
We would like to thank our users. … Without your feedback and support, we wouldn’t exist. We’d also like to thank the research team at Royal Holloway University of London. [Did you forget the <SARCASM> tag?]
…
We can’t wait to hear about the creative ways that people will use Bridgefy! [Or not use it, amirite?]
Does your humble blogwatcher sound deeply unimpressed? DrYak sounds deeply unimpressed, too:
Initially, Bridgefy was designed to be used in music festivals and concerts. … You have a giant crowd of people [and] nobody can contact anyone else.
…
[But] being a typical start-up [they] did what all startups would do: They asked EFF to review their code. … Just kidding.
…
They just decided to “pivot” and to massively advertise and try to gain share in this new discovered market [of] public demonstrations. … No matter if their app isn’t suited.
…
There’s a whole other dimension of security, privacy, etc. which was never planned. … The fact that it’s transmitted along a mesh, means that some effort needs to be put into the app, otherwise it becomes massively easy to spy.
It’s not just Bridgefy, warns eindiran:
I’m glad folks are starting to take privacy in their messengers more seriously, but a lot of the privacy-focused messengers are pretty bad—with Bridgefy being a particularly egregious case. Unfortunately there seems to be a trade off continuum between user friendliness and privacy in all currently available offerings.
…
For most people I think Signal hits the sweet spot.
Ah but c’mon. Encryption is hard, yo? Bert64 doesn’t miss the point:
Yes, encryption is … very easy to screw up. But using a standard that was deprecated over 20 years ago is just ridiculous.
One of these things is not like the other? Then sig’s absolutely right:
This app basically allows for the exact opposite of what people are expecting from the app. Doesn’t that qualify as some sort of fraud or false advertising?
So how are genuine, peaceful protesters supposed to exercise their democratic right? telbere has real-world advice:
Stick to the edges of the crowd and leave immediately if the crowd starts growing exponentially or people start throwing or hitting. You don’t want to get sucked into the mob mentality.
…
If you get separated from your group turn around and go back to your car. Text or call them, but … just face it that you’re done for the night.
And Powercntrl would go further:
Better yet, don’t go to protests. Instead, get involved in the political change you want to see happen. Volunteer, canvass, make calls, donate if you can. Don’t whine like a baby that someone else needs to do something.
Meanwhile, TheThirdDictor is banished to Planet Aarth with a busted TURDIS: [You’re fired—Ed.]
[I] just wanted to give a shout-out to the developers of this app. I’m teaching an undergraduate … security class this semester, and you guys gave me a fantastic case study to roll up scads of stunningly bad security decisions … into a single case. Saves a lot of time compared to having to pull really sketchy security screwups from less ambitious implementations where they only make a few terrible decisions per application. … Thanks!
And Finally:
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.
Image sauce: Spenser Withans (via Unsplash)