The "mess" in mobile instant messengers Markus Vogl

Size: px

Start display at page:

Download "The "mess" in mobile instant messengers Markus Vogl"

Tamsyn Fox
6 years ago
Views:

1 The "mess" in mobile instant messengers Markus Vogl

Whoami Network & Security master student @ JKU

eu/bac.pdf Overview table: öä.eu/bac.html Email: vogl91@gmail.

29CD 43A3 7606 0FB2 5343 1F95 14F6 5C11 7E62

2 Whoami Network & Security master JKU Bachelor thesis Evaluation of the IM Landscape : öä.eu/bac.pdf Overview table: öä.eu/bac.html vogl91@gmail.com Not: Lawyer, cryptographer, sponsored PGP: 6C48 29CD 43A FB F95 14F6 5C11 7E62 Questions: Wire, Signal, WA; LIFO

: Facebook got E2EE + self destroying messages Facebook lite WhatsApp

3 Instant Messaging In use for 20 years New hype with social media Rapidly changing, updates since late Sept.: Facebook got E2EE + self destroying messages Facebook lite WhatsApp got VideoChat Signal and Wire got self destroying messages Google Allo updated to 2.0, keychange notif.

5 History 2000: Early messengers: ICQ, MSN, Skype 2005: Rise of social networks 2011: NSA leaks by Manning 2013: Snowden leaks, Merkelphone affair 2014: WhatsApp sold: $19B 2014: We kill people based on Metadata General Hayden, Director of NSA & CIA 2014

6 Security 101 Basic IM/Crypto knowledge assumed Information Security: Confidentiality - Encryption Integrity - Signatures Availability Proxy, DOS-Prevention Non-Repudiation Plausible Deniability Pseudonymity: N-Anonymity, Tor PFS (Perfect Forward Secrecy) Session keys, not long term key E2EE (End2End Encryption)

7 Data in IM Transferred messages Presence and status data logging Message history seperately stored Conflicting to E2EE / PFS, often in cloud Login and profile data Contact lists

8 Metadata in IM Unintentionally/unavoidably produced Low level: IPs, port, packet size Received / read / now typing notification Server-connection-times Multimedia metadata Text/Language metadata: keystroke dynamics, spelling mistakes

9 Metadata protection Protection: Xprivacy (Xposed Module) AppOps (<4.3) Privacy Guard (Cyanogen) Permission Manager (>5) Don t link accounts Disabling IM features like location Sleeping, turning off, killing Tor, Proxy, GnuNet, I2P

10 Attackers and attacks Alice: Bad user configuration/defaults Bob: Conversation partner leaks Snapchat save module, photo of screen Cain: Physical attacker Telegram: No default encryption Theft, borrowing, shoulder surfing, ADB backup over OTG-USB Developer, vendor: Closed source, auto update, backdoors, shipped software, third party apps

11 Attackers and attacks Eavesdropper: Classic MITM with technical vulnerabilities Future: Exponential growth(?), unknown algorithms, quantum computing Government: Block specific services ARP/DHCP/DNS spoofing, TLS exploits, GSM Chinese firewall, Twitter during protests Host: Cloud hosting, ISPs Legal and technical access

12 Risks and mitigation Weak number verification and login Guess 4/6-digit-code, MITM link Oauth/OpenID, multimodal login, biometrics Mobile network Chat history SS7 backbone network, GSM issues, LTE Self destorying, do not save to cloud Presence and contact lists DP5: Dagstuhl privacy preservering presence proto Local storage or decentralized

13 Analyzed messengers and protocols Order: Open to closed; Big to small userbase Open protocol and open source Open protocol and closed source FB Messenger, WhatsApp, Snapchat, Threema Closed protocol and closed source XMPP, Telegram, Signal/Wire, Ricochet, Ring/Tox Skype, imessage, Google *, Viber, Wickr Honorable mentions

14 Open source Open protocol

XMPP: extensible Message & Presence Protocol Mobile clients: ChatSecure, Conversations Federated: Host your server, like Email Mess #1: 10 RFCs: 3920-3923, 4622, 4854, 5122, 6120-6122, 669 pages Mess

15 XMPP: extensible Message & Presence Protocol Mobile clients: ChatSecure, Conversations Federated: Host your server, like Mess #1: 10 RFCs: , 4622, 4854, 5122, , 669 pages Mess #2: 380 XEPs (XMPP Extension Protocols), fragmentation, incompatiblity PGP, OTR, OMEMO (multidevice OTR), no e2ee-muc Multiple for mobile optimizations Multiple for live audio/video and file sharing Bare XMPP has minimal features and only TLS Security is not a feature you tack on

16 Telegram Bound to phone number Mess #1: Insecure by default Mess #2: No encrypted group chats Mess #3: Weird selfmade MTProto No TLS/HTTPS, no Axelotl Cert-pin by hardcoded RSA signature key Documentation!= Implementation Paper (2015) showed minor integrity flaws Seperate long term key per partner

Signal / Wire Axelotl/TextSecure/Signal protocol: First half of a DH-like key exchange (prekey for OTR) stored on server, PGP-like signed PGP like fingerprints Allows OTR with offline messages Signal

17 Signal / Wire Axelotl/TextSecure/Signal protocol: First half of a DH-like key exchange (prekey for OTR) stored on server, PGP-like signed PGP like fingerprints Allows OTR with offline messages Signal / Signal protocol: Phone number, Multiparty-chat, 1:1 voice Legally: USA, Hosted: AmazonWS, using GCM Open source servers Wire / Proteus protocol: Phone number and/or + password Multiparty-voice, 1:1 video, multimedia features Legally in CH, Hosted in CH / EU, closed servers

18 Tox / Ring Decentralized protocol Every client is a server with an ID Blocking impossible, monitoring hard Storing data in Distributed Hash Table Difference: Cryptographic primitives Full multimedia capabilities Mess #1: No offline capabilites Mess #2: Bad mobile capabilites Mess #3: Accountfiles lost account lost

19 Ricochet Using TOR hidden services as username Nearly impossible to monitor Same flaws as TOX/Ring Only PC-client Only 1:1 chat, no multimedia, no voice

20 Closed source Open protocol

FB Messenger MQTT (Message Query Telemetry Transport Protocol) Designed for Machine2Machine / IoT Energy saving, modern, binary Subscriber-publisher based

21 FB Messenger MQTT (Message Query Telemetry Transport Protocol) Designed for Machine2Machine / IoT Energy saving, modern, binary Subscriber-publisher based Bound to Facebook account Most features of all IMs Mess #1: Insecure by default Mess #2: New feature: Optional Signal E2EE Unaudited Only 1:1 text with app

22 WhatsApp Worldwide most used pure IM Since 2016: Signal encrypted Basically a closed source Signal Also using GCM Hosted and owned by Facebook Mess: Backups all conversations to icloud / Google Cloud by default

Snapchat Over 100 million users Focus: Spontaneous sharing Deletes history on app-close Early adopter of self-destroying messages: Notifies other if screenshot taken Mess

23 Snapchat Over 100 million users Focus: Spontaneous sharing Deletes history on app-close Early adopter of self-destroying messages: Notifies other if screenshot taken Mess #1: Client-sided feature: Can be disabled with XPosed Module SnapPrefs Mess #2: Reverse engineered protocol: Not E2EE Using a REST API over HTTPS Showed various horrible flaws

24 Threema Mess #1: 3.5 Million users Mess #2: Costs money (~3 ) Audited well-documented E2EE protocol Also uploads backups to Google Clouds Encrypts with a password Bound to 8-alphanum-ID Also adds by phone number No live video, no self destroying messages Hosted and legally in CH

25 Closed source Closed protocol Mess Mess Mess Mess #1: #2: #3: #4: Unknown code... sending unknown data... to USA-based companies monetizing your data

26 Skype 300 Million users Internally using Windows Live Protocol Early adopter of live audio/video Mess #1: No E2EE Mess #2: Involved in PRISM

27 imessage Shipped with Apple devices Self-made E2EE crypto like Telegram Mess #1: Undocumented Mess #2: Limited to Apple devices

28 Google Allo Previous attempts: Google Plus Chat Google Talk (XMPP based!) Google Hangouts (partially replaced by Duo) Mess #1: Just optional E2EE Undocumented Unaudited Can talk to Google Assistant Chatbot Based on phone number

29 Viber Claims to have 700m registered users Same concept as Skype Based on phone number Self-made weird closed E2EE protocol Mess #1: Key not verifiable Mess #2: Previously analyzed users calls

30 Blackberry Messenger Early adopter of secure mobile IM in 2005 Previously only for Blackberry devices Mess #1: No special features or E2EE Mess #2: Shared data with canadian mounted police

31 Wickr Basically free Threema Mess #1: Closed protocol Mess #2: Based in USA Early adopter of self destroying messages Featured in Mr. Robot At least better than Snapchat

32 Honorable Mentions Franz: Desktop based multimessenger Using web-interfaces basically a browser Made in Austria Slack and Slack-Clones: Focus on cooperative working Basically IRC with a webinterface Some allow self-hosting, nearly all HTTPS

33 Honorable Mentions Various locally popular messengers like Line, WeChat, Tencent QQ, KIK, RenRen, KakaoTalk with 200M-800M users No or bad E2EE, often not even TLS/HTTPS Closed source, closed protocol Used because others are blocked Mostly comparable to Facebook Messenger

34 User requirements Ease of use Number based tools Pseudonymity Account/Mail based tools Sharing private information E2EE, self destorying messages, use your brain Trust in software open software Best privacy, whistleblowing, censorship Tor, Decentralized, PGP, Basic Infosec Company guidelines Selfhosted or E2EE

35 Summary Huge improvement in the last years HTTPS by default, mostly cert-pinned Big players have verifiable E2EE Horrible solutions are still in use Good solutions are far from perfect Best solution depends on requirements Try out Signal, Wire, Tox and Ricochet! Thesis/table: öä.eu/bac.pdf bac.html

SECURE COMMUNICATIONS: PAST, PRESENT, FUTURE

SECURE COMMUNICATIONS: PAST, PRESENT, FUTURE Jean-Philippe Aumasson P U B L I C THE SPEAKER PhD in cryptography from EPFL & FHNW, 2009 Principal Cryptographer at Kudelski Security Designed popular algorithms: