Skip to main content

Royal Holloway cryptographers urge caution over use of secure messaging app

Royal Holloway cryptographers urge caution over use of secure messaging app

  • Date17 August 2021

Updates to the offline messaging app Bridgefy left users facing significant security vulnerabilities.

Cyber security - ISG

This new research from the Information Security Group at Royal Holloway, University of London and the Applied Cryptography Group at ETH Zurich suggests that users could still be tracked, or fall victim to snooping despite the application using an industry standard encryption library.

Bridgefy is a messaging app that has been advertised for use by people across the world during large-scale protests when normal forms of communication are down. The developers of the app reported increased uptake during sites of protest or government mandated Internet shutdowns. Bridgefy has cited high usage during protests in Hong Kong, India, Iran, Lebanon, Zimbabwe, the United States, and the company reported over a million downloads in Myanmar following a coup in February 2021.

In August 2020, researchers from Royal Holloway found serious vulnerabilities in the messaging app, warning that it could have significant consequences for its users. Following this, the developers updated their application to use the industry-standard Signal protocol to address these vulnerabilities, and resumed advertising their application for highly adversarial situations.

However, now a joint team of researchers – Raphael Eikenberg and Professor Kenny Paterson from the Applied Cryptography Group at ETH Zurich, and Professor Martin Albrecht from the Information Security Group at Royal Holloway demonstrated that these fixes were insufficient. In particular, they show that:

  1. Bridgefy users could still be tracked.
  2. Broadcast messages remained unauthenticated; an attacker can exploit this to impersonate other users on the network.
  3. The protocol remained susceptible to an attacker in the middle which can break confidentiality of messages. While such an attack was now limited to the first exchange between a pair of users, the research team notes that Bridgefy offers users no option to verify the public keys of their contacts.
  4. Any nodes in the network that receive a single carefully crafted message became unable to participate in further network communication. Given that Bridgefy is predominantly adopted to provide resilience against Internet outages this denial of service attack threatens its central application.

Most critical, however, is that the team managed to mount a practical attack against Signal-protected one-on-one messages that allows an attacker to read about half of all encrypted messages.

Professor Martin Albrecht, Director of the Cryptography Group at Royal Holloway, said: “We recommend that users avoid Bridgefy until its developers have committed to regular public security audits by respected third party auditors.”

The research team informed the Bridgefy developers on 21 May 2021 and the main vulnerability allowing an attacker to read encrypted messages was fixed on 14 August 2021.

Details about the research team’s finding can be found at https://eikendev.github.io/breaking-bridgefy-again.

Explore Royal Holloway

Get help paying for your studies at Royal Holloway through a range of scholarships and bursaries.

There are lots of exciting ways to get involved at Royal Holloway. Discover new interests and enjoy existing ones.

Heading to university is exciting. Finding the right place to live will get you off to a good start.

Whether you need support with your health or practical advice on budgeting or finding part-time work, we can help.

Discover more about our academic departments and schools.

Find out why Royal Holloway is in the top 25% of UK universities for research rated ‘world-leading’ or ‘internationally excellent’.

Royal Holloway is a research intensive university and our academics collaborate across disciplines to achieve excellence.

Discover world-class research at Royal Holloway.

Discover more about who we are today, and our vision for the future.

Royal Holloway began as two pioneering colleges for the education of women in the 19th century, and their spirit lives on today.

We’ve played a role in thousands of careers, some of them particularly remarkable.

Find about our decision-making processes and the people who lead and manage Royal Holloway today.