Crypto audit of Threema revealed many vulnerabilities
Researchers have discovered cryptographic vulnerabilities in Swiss-based secure messaging application Threema that may have allowed attackers to do things like break authentication or recover users’ long-term private keys.
The vulnerabilities have been fixed and Threema has since switched to a new communication protocol they designed with the help of external cryptographers.
Threema is a paid and proprietary end-to-end (E2E) encrypted instant messaging service that can be used via iOS and Android applications, as well as from a desktop (with some limitations).
The company that develops and markets it – Threema GmbH – is based in Switzerland. Its servers are also located in the country, which is why the Swiss army is urging military personnel to use Threema instead of WhatsApp, Signal or Telegram.
The company also offers a business version of the app, called Threema Work.
Threema cryptographic vulnerabilities
PhD students Matteo Scarlata and Kien Tuong Truong and Prof. Kenneth G. Paterson – all with the Applied Cryptography Group at ETH Zurich – have analyzed Threema’s cryptographic communication protocol and discovered vulnerabilites allowing:
- Network attackers with control of the communication channels between parties to impersonate the target client
- Attackers who have compromised a company server to reorder and delete sent messages, replay and reflect old messages, and deliver bogus and potentially compromising messages (that the user did not actually send)
- Attackers who have physical access to the device of the victim (e.g., when the police confiscates the phone of a protester, or in domestic violence cases) to clone the account of a victim user and use it on a separate device. Also, to extract the victim user’s private encryption key and impersonate them
“All the attacks are accompanied by proof-of-concept implementations that demonstrate their feasibility in practice,” the researchers noted.
“In one attack, users could compromise their accounts by sending [a specially crafted string of characters] as a text message to a specially prepared account. In another attack, an attacker could exploit a CRIME-style compression side-channel to fully recover the private key from backups.”
The problem with “rolling” new cryptographic protocols
The researchers have shared their findings to the Threema development team in early October 2022, and have now shared more details after mitigations have been implemented.
Threema has accompanied the release with its own blog post, acknowledging the flaws but downplaying their severity. They also stressed that the vulnerabilities are in a protocol that Threema no longer uses.
“We believe that all of the vulnerabilities we discovered have been mitigated by Threema’s recent patches. This means that, at this time, the security issues we found no longer pose any threat to Threema customers, including OnPrem instances that have been kept up-to-date. On the other hand, some of the vulnerabilities we discovered may have been present in Threema for a long time,” the researchers commented.
Their research points to a broader problem, they say: the difficulty for users to assess the security claims made by developers of applications that rely on bespoke cryptographic protocols.
“Previous independent audits of Threema did not review the cryptographic core of the application. Such an analysis should be a minimum requirement for any secure messenger, especially one being used in sensitive environments,” they explained.
“Ideally, any application using novel cryptographic protocols should come with its own formal security analyses (in the form of security proofs) in order to provide strong security assurances. Such an analysis can help to reduce uncertainty about whether further serious cryptographic vulnerabilities still exist in Threema.”
Ibex, the new communication protocol in Threema offers some security features that the previous one did not – namely, forward secrecy – but its security should be independently and thoroughly tested. “We have not audited this new protocol,” the researchers added.