The rise of mass protests over the past year—in Hong Kong, India, Iran, Lebanon, Zimbabwe, and the US—has presented activists with a major challenge. How do you communicate with one another when Internet connections are severely congested or completely shut down and at the same time keep your identity and conversations private?
One heavily promoted solution has been Bridgefy, a messaging app that has the financial and marketing backing of Twitter cofounder Biz Stone and boasts having more than 1.7 million installations. By using Bluetooth and mesh network routing, Bridgefy lets users within a few hundred meters—and much further as long as there are intermediary nodes—to send and receive both direct and group texts with no reliance on the Internet at all.
Bridgefy cofounder and CEO Jorge Ríos has said he originally envisioned the app as a way for people to communicate in rural areas or other places where Internet connections were scarce. And with the past year’s upswell of large protests around the world—often in places with hostile or authoritarian governments—company representatives began telling journalists that the app’s use of end-to-end encryption (reiterated here, here, and here) protected activists against governments and counter protesters trying to intercept texts or shut down communications.
Over the past few months, the company has continued to hold out the app as a safe and reliable way for activists to communicate in large gatherings. Bridgefy’s tweets embrace protestors in Belarus, India, and Zimbabwe, not to mention the Black Lives Matter protests throughout the US. The company has also said its software developer kit can be used to build COVID-19 contact tracing apps.
Just this month, on August 10, this article quoted Bridgefy cofounder and CEO Jorge Ríos saying: “Last year, we became the protest app.” Up until last week, Bridgefy told Android users via the Google Play Store, “Don’t worry! Your messages are safe and can’t be read by those people in the middle.” The company continues to encourage iOS users to “have secure and private conversations” using the app.
But now, researchers are revealing a litany of recently uncovered flaws and weaknesses that show that just about every claim of anonymity, privacy, and reliability is outright false.
Unsafe at any speed
In a paper published on Monday, researchers said that the app’s design for use at concerts, sports events, or during natural disasters makes it woefully unsuitable for more threatening settings such as mass protests. They wrote:
Though it is advertised as “safe” and “private” and its creators claimed it was secured by end-to-end encryption, none of aforementioned use cases can be considered as taking place in adversarial environments such as situations of civil unrest where attempts to subvert the application’s security are not merely possible, but to be expected, and where such attacks can have harsh consequences for its users. Despite this, the Bridgefy developers advertise the app for such scenarios and media reports suggest the application is indeed relied upon.
The researchers are: Martin R. Albrecht, Jorge Blasco, Rikke Bjerg Jensen, and Lenka Marekova from Royal Holloway, University of London. After reverse engineering the app, they devised a series of devastating attacks that allow hackers—in many cases with only modest resources and moderate skill levels—to take a host of nefarious actions against users. The attacks allow for:
- deanonymizing users
- building social graphs of users’ interactions, both in real time and after the fact
- decrypting and reading direct messages
- impersonating users to anyone else on the network
- completely shutting down the network
- performing active man-in-the-middle attacks, which allow an adversary not only to read messages, but to tamper with them as well
Impersonation, MitMs, and more
A key shortcoming that makes many of these attacks possible is that Bridgefy offers no means of cryptographic authentication, which one person uses to prove she’s who she claims to be. Instead, the app relies on a user ID that’s transmitted in plaintext to identify each person. Attackers can exploit this by sniffing the ID over the air and using it to spoof another user.
With no effective way to authenticate, any user can impersonate any other user, as long as an attacker has come into contact with that user (either one-on-one or in network-wide broadcast messages) at least once. With that, the attacker can pose as a trusted contact and trick a person into revealing personal names or other confidential information, or take harmful actions. The lack of authentication can also give rise to eavesdropping or tampering of messages.
Here’s how: When hypothetical Bridgefy user Ursula messages Ivan, she uses Ivan’s public key to encrypt the message. Ivan then uses his private key to decrypt the message. With no cryptographic means to verify a user’s identity, an attacker—say, one named Eve—can impersonate Ivan and present her own public key to Ursula. From then on, Eve can intercept and read all messages Ursula sends to Ivan. To tamper with the messages Ursula or Ivan send, Eve impersonates both parties to the other. With that, Eve can intercept the messages each sends and change the contents or add malicious attachments before sending it on to the other party.
There’s a separate way to read encrypted messages, thanks to another major Bridgefy flaw: its use of PKCS #1, an outdated way of encoding and formatting messages so that they can be encrypted with the RSA cryptographic algorithm. This encoding method, which was deprecated in 1998, allows attackers to perform what’s known as a padding oracle attack to derive contents of an encrypted message.