Upload
others
View
3
Download
0
Embed Size (px)
Citation preview
The "mess" in mobile instant messengersMarkus Vogl
Whoami
● Network & Security master student @ JKU– Not: Lawyer, cryptographer, sponsored
● Bachelor thesis “Evaluation of the IM Landscape”: öä.eu/bac.pdf– Overview table: öä.eu/bac.html
● Email: [email protected]– PGP: 6C48 29CD 43A3 7606 0FB2 5343 1F95 14F6 5C11 7E62
● Questions:– +43 681 81 723 115– Wire, Signal, WA; LIFO
Instant Messaging
● In use for 20 years● New hype with social media● Rapidly changing, updates since late Sept.:
– Facebook got E2EE + self destroying messages– Facebook lite– WhatsApp got VideoChat– Signal and Wire got self destroying messages– Google Allo updated to 2.0, keychange notif.
History
● 2000: Early messengers: ICQ, MSN, Skype● 2005: Rise of social networks● 2011: NSA leaks by Manning● 2013: Snowden leaks, Merkelphone affair● 2014: WhatsApp sold: $19B● 2014: We kill people based on Metadata
– General Hayden, Director of NSA & CIA 2014
Security 101● Basic IM/Crypto knowledge assumed● Information Security:
– Confidentiality - Encryption– Integrity - Signatures– Availability – Proxy, DOS-Prevention– Non-Repudiation | Plausible Deniability
● Pseudonymity: N-Anonymity, Tor● PFS (Perfect Forward Secrecy)
– Session keys, not long term key
● E2EE (End2End Encryption)
Data in IM● Transferred messages● Presence and status data – logging● Message history – seperately stored
– Conflicting to E2EE / PFS, often in cloud
● Login and profile data● Contact lists
Metadata in IM● Unintentionally/unavoidably produced● Low level: IPs, port, packet size● Received / read / now typing notification● Server-connection-times● Multimedia metadata● Text/Language metadata: keystroke
dynamics, spelling mistakes
Metadata protection● Protection:
– Xprivacy (Xposed Module)– AppOps (<4.3)– Privacy Guard (Cyanogen)– Permission Manager (>5)
● Don’t link accounts● Disabling IM features like location● Sleeping, turning off, killing● Tor, Proxy, GnuNet, I2P
Attackers and attacks● Alice: Bad user configuration/defaults
– Telegram: No default encryption
● Bob: Conversation partner leaks– Snapchat save module, photo of screen
● Cain: Physical attacker– Theft, borrowing, shoulder surfing, ADB
backup over OTG-USB
● Developer, vendor:– Closed source, auto update, backdoors,
shipped software, third party apps
Attackers and attacks● Eavesdropper: Classic MITM with
technical vulnerabilities– ARP/DHCP/DNS spoofing, TLS exploits, GSM
● Future: Exponential growth(?), unknown algorithms, quantum computing
● Government: Block specific services– Chinese firewall, Twitter during protests
● Host: Cloud hosting, ISPs– Legal and technical access
Risks and mitigation● Weak number verification and login
– Guess 4/6-digit-code, MITM link– Oauth/OpenID, multimodal login, biometrics
● Mobile network– SS7 backbone network, GSM issues, LTE
● Chat history– Self destorying, do not save to cloud
● Presence and contact lists– DP5: Dagstuhl privacy preservering presence proto
– Local storage or decentralized
Analyzed messengers and protocols● Order:
– Open to closed; Big to small userbase– Open protocol and open source
● XMPP, Telegram, Signal/Wire, Ricochet, Ring/Tox
– Open protocol and closed source● FB Messenger, WhatsApp, Snapchat, Threema
– Closed protocol and closed source● Skype, iMessage, Google *, Viber, Wickr
– “Honorable” mentions
Open sourceOpen protocol
XMPP: eXtensible Message & Presence Protocol
● Mobile clients: ChatSecure, Conversations● Federated: Host your server, like Email● Mess #1: 10 RFCs: 3920-3923, 4622, 4854,
5122, 6120-6122, 669 pages● Mess #2: 380 XEPs (XMPP Extension Protocols),
fragmentation, incompatiblity– PGP, OTR, OMEMO (multidevice OTR), no e2ee-MUC– Multiple for mobile optimizations– Multiple for live audio/video and file sharing
● Bare XMPP has minimal features and only TLS– Security is not a “feature” you tack on
Telegram
● Bound to phone number● Mess #1: Insecure by default● Mess #2: No encrypted group chats● Mess #3: Weird selfmade MTProto
– No TLS/HTTPS, no Axelotl– “Cert-pin” by hardcoded RSA signature key– Documentation != Implementation– Paper (2015) showed minor integrity flaws– Seperate long term key per partner
Signal / Wire● Axelotl/TextSecure/Signal protocol:
– First half of a DH-like key exchange (prekey for OTR) stored on server, PGP-like signed → PGP like fingerprints
– Allows OTR with offline messages
● Signal / Signal protocol:– Phone number, Multiparty-chat, 1:1 voice…– Legally: USA, Hosted: AmazonWS, using GCM– Open source servers
● Wire / Proteus protocol:– Phone number and/or email + password– Multiparty-voice, 1:1 video, multimedia features– Legally in CH, Hosted in CH / EU, closed servers
Tox / Ring
● Decentralized protocol– Every client is a server with an ID– Blocking impossible, monitoring hard– Storing data in Distributed Hash Table
● Difference: Cryptographic primitives● Full multimedia capabilities● Mess #1: No offline capabilites● Mess #2: Bad mobile capabilites● Mess #3: Accountfiles lost – account lost
Ricochet
● Using TOR hidden services as username● Nearly impossible to monitor● Same flaws as TOX/Ring● Only PC-client● Only 1:1 chat, no multimedia, no voice
Closed sourceOpen protocol
FB Messenger● MQTT (Message Query Telemetry Transport
Protocol)– Designed for Machine2Machine / IoT– Energy saving, modern, binary– Subscriber-publisher based
● Bound to Facebook account● Most features of all IMs● Mess #1: Insecure by default● Mess #2: New feature: Optional Signal E2EE
– Unaudited– Only 1:1 text with app
● Worldwide most used pure IM● Since 2016: Signal encrypted● Basically a closed source Signal
– Also using GCM– Hosted and owned by Facebook
● Mess: Backups all conversations to iCloud / Google Cloud by default
Snapchat● Over 100 million users● Focus: Spontaneous sharing
– Deletes history on app-close
● Early adopter of self-destroying messages:– Notifies other if screenshot taken– Mess #1: Client-sided feature: Can be disabled
with XPosed Module SnapPrefs
● Mess #2: Reverse engineered protocol:– Not E2EE– Using a REST API over HTTPS– Showed various horrible flaws
Threema
● Mess #1: 3.5 Million users● Mess #2: Costs money (~3€)● Audited well-documented E2EE protocol● Also uploads backups to Google Clouds
– Encrypts with a password
● Bound to 8-alphanum-ID– Also adds by phone number
● No live video, no self destroying messages● Hosted and legally in CH
Closed sourceClosed protocolMess #1: Unknown code ...Mess #2: … sending unknown data ...Mess #3: … to USA-based companies …Mess #4: … monetizing your data
Skype
● 300 Million users● Internally using Windows Live Protocol● Early adopter of live audio/video● Mess #1: No E2EE● Mess #2: Involved in PRISM
iMessage
● Shipped with Apple devices● Self-made E2EE crypto like Telegram
– Mess #1: Undocumented
● Mess #2: Limited to Apple devices
Google Allo
● Previous attempts:– Google Plus Chat– Google Talk (XMPP based!)– Google Hangouts (partially replaced by Duo)
● Mess #1: Just optional E2EE– Undocumented– Unaudited
● Can talk to Google Assistant Chatbot● Based on phone number
Viber
● Claims to have 700m registered users● Same concept as Skype● Based on phone number● Self-made weird closed E2EE protocol● Mess #1: Key not verifiable● Mess #2: Previously analyzed users calls
Blackberry Messenger
● Early adopter of secure mobile IM in 2005● Previously only for Blackberry devices● Mess #1: No special features or E2EE● Mess #2: Shared data with canadian
mounted police
Wickr
● Basically free Threema● Mess #1: Closed protocol● Mess #2: Based in USA● Early adopter of self destroying messages● Featured in Mr. Robot● At least better than Snapchat
Honorable Mentions
● Franz: – Desktop based multimessenger – Using web-interfaces → basically a browser– Made in Austria
● Slack and Slack-Clones:– Focus on cooperative working– Basically IRC with a webinterface– Some allow self-hosting, nearly all HTTPS
“Honorable” Mentions
● Various locally popular messengers like Line, WeChat, Tencent QQ, KIK, RenRen, KakaoTalk with 200M-800M users– No or bad E2EE, often not even TLS/HTTPS– Closed source, closed protocol– Used because others are blocked– Mostly comparable to Facebook Messenger
User requirements
● Ease of use → Number based tools● Pseudonymity → Account/Mail based tools● Sharing private information → E2EE, self
destorying messages, use your brain● Trust in software → open software● Best privacy, whistleblowing, censorship
→ Tor, Decentralized, PGP, Basic Infosec● Company guidelines → Selfhosted or E2EE
Summary
● Huge improvement in the last years– HTTPS by default, mostly cert-pinned– Big players have verifiable E2EE
● Horrible solutions are still in use● Good solutions are far from perfect● Best solution depends on requirements● Try out Signal, Wire, Tox and Ricochet!● Thesis/table: öä.eu/bac.pdf | bac.html