A team of researchers from ETH Zurich published a paper describing several security flaws in Threema, an end-to-end encrypted secure communication application.

Threema is a Swiss-made communication application focused on privacy and security, used by the country’s government, army services, and over 10 million users and 7,000 organizations worldwide.

The ETH Zurich team devised seven attacks against Threema’s protocol that could affect the privacy of communications through the app, including stealing private keys, deleting messages, breaking authentication, and spoofing the server.

The findings were reported to Threema in October 2022, and soon after the software company released a new, more powerful protocol codenamed “Ibex”, which they claim fixed the issues.

Ultimately, Threema dismissed the significance of the ETH Zurich research, saying the issues disclosed are no longer relevant to the protocol used by the software and never had a significant real impact.

Breaking Threema

The ETH Zurich team decided to review Threema’s security and assess the software vendor’s claims because the protocol did not offer pre- or post-compromise security.

The researchers published a detailed technical paper on their findings, but the main problems they found can be summarized in the following points:

  • Ephemeral Key Compromise Spoofing – An attacker can forever impersonate a client to the server by stealing their ephemeral key. Also, instead of using the ephemeral keys once, Threema seemed to reuse them.
  • Tampering with the vouch box – An attacker can trick a user into sending them a valid vouch box and then use it to impersonate the client to the server forever.
  • Rearranging and Deleting Messages – A malicious server can forward messages from one user to another in an arbitrary order, or withhold delivery of specific messages, which is tantamount to deletion.
  • Replay and reflection attacks – The message nonce database on the Android version of Threema is not transferable, opening the way for message replay and reflection attacks.
  • Kompromat Attack – A malicious server can trick the client into using the same key while talking to the server during the initial registration protocol and talking to other users in the E2E protocol.
  • Cloning via Threema ID export – An attacker can clone other people’s accounts on their device during windows of opportunity, such as the victim leaving their device unlocked and unattended.
  • Compression side channel – A vulnerability in Threema’s encryption allows attackers to extract a user’s private key by controlling their own username and forcing multiple backups on Android devices. The attack may take a few hours to execute.
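
The replay and reflection item above, as an added example (not code from the researchers’ paper or from Threema): a simplified Python model of a receiver that keeps a store of seen nonces. It assumes that “not transferable” means the store is not carried over when the account moves to another device; HMAC stands in for the authenticated encryption, and the `Client` class, `demo` function and sample message are hypothetical.

```python
import hashlib
import hmac
import os


class Client:
    """Toy endpoint: authenticates a message, then consults its nonce store."""

    def __init__(self, shared_key, seen_nonces=None):
        self.key = shared_key                 # one symmetric key for both directions
        self.seen = set(seen_nonces or ())    # nonces of sent AND received messages

    def _tag(self, nonce, body):
        # Assumption: HMAC-SHA256 stands in for authenticated encryption.
        return hmac.new(self.key, nonce + body, hashlib.sha256).digest()

    def send(self, body):
        nonce = os.urandom(24)
        self.seen.add(nonce)                  # recording own nonces blocks reflection
        return nonce, body, self._tag(nonce, body)

    def receive(self, message):
        nonce, body, tag = message
        if not hmac.compare_digest(tag, self._tag(nonce, body)):
            return "rejected: bad tag"
        if nonce in self.seen:
            return "rejected: nonce already seen"
        self.seen.add(nonce)
        return "accepted"


def demo():
    key = os.urandom(32)                      # constructed sample key
    alice, bob = Client(key), Client(key)
    msg = alice.send(b"transfer approved")    # constructed sample message
    results = {
        "first delivery": bob.receive(msg),
        "replay to bob": bob.receive(msg),
        "reflection to alice": alice.receive(msg),
    }
    # Bob moves to a new device: the key is restored, the nonce store is not.
    results["replay after migration"] = Client(key).receive(msg)
    # Carrying the nonce store over together with the key closes the gap.
    results["replay with migrated store"] = Client(key, bob.seen).receive(msg)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The tag check alone cannot stop either case, because a replayed or reflected message is a genuine one; only the nonce store distinguishes it from a fresh delivery.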

ETH Zurich analysts disclosed the above to Threema on October 3, 2022, while providing mitigation recommendations, and agreed to publish the issues by January 9, 2023.

Meanwhile, on November 29, 2022, Threema released its new communication protocol, Ibex, which implements advanced security for Threema’s e2ee layer. However, this protocol has not yet been audited.

Threema’s response

Threema released a statement on the disclosed issues, saying that the findings have little current applicability and, historically, never had a significant “real-world” impact.

“While some of the findings presented in the paper may be interesting from a theoretical perspective, none of them have ever had a huge impact in the real world. Most assume extensive and unrealistic preconditions which would have far greater consequences than the respective discovery itself.” – Threema.

Specifically, Threema says:

  • The “Cloning via Threema ID export” attack was known and addressed in 2021.
  • The “ephemeral key impersonation” attack was purely of technical interest and has “no practical applicability”.
  • The “voucher box tampering” attacks rely on “social engineering, could not have been applied in practice and would have required deliberate, extensive and unusual cooperation from the targeted user”.
  • Other attacks require physical access to an unlocked mobile device for an extended period of time or direct access to an unlocked Threema device.

Threema also rejects the claim that the “Ibex” protocol was designed around the findings of the ETH Zurich team, because the protocol had already been in development for 1.5 years.

Additionally, Threema claims that its release coincided with the researchers’ disclosure.

