A comprehensive analysis of the cryptographic protocols used in the Swiss encrypted messaging application Threema has revealed a number of loopholes that could be exploited to break authentication protections and even recover users’ private keys.
The seven attacks span three different threat models, according to ETH Zurich researchers Kenneth G. Paterson, Matteo Scarlata, and Kien Tuong Truong, who reported the issues to Threema on October 3, 2022. The weaknesses have since been addressed as part of updates released by the company on November 29, 2022.
Threema is an encrypted messaging app that’s used by more than 11 million users as of October 2022. “Security and privacy are deeply ingrained in Threema’s DNA,” the company claims on its website.
Officially used by the Swiss Government and the Swiss Army, it’s also advertised as a secure alternative alongside other services such as Signal, Meta-owned WhatsApp, and Telegram.
While Threema has been subjected to third-party code audits at least twice – once in 2019 and a second time in 2020 – the latest findings show that they weren’t thorough enough to uncover the problems present in the “cryptographic core of the application.”
“Ideally, any application using novel cryptographic protocols should come with its own formal security analyses (in the form of security proofs) in order to provide strong security assurances,” the researchers said.
In a nutshell, the attacks could pave the way for a wide range of exploitation scenarios, namely allowing an attacker to impersonate a client, reorder the sequence of messages exchanged between two parties, clone the account of a victim user, and even leverage the backup mechanism to recover the user’s private key.
The latter two attack pathways, which require direct access to a victim’s device, could have severe consequences, as it enables the adversary to stealthily access the users’ future messages without their knowledge.
Also uncovered is a case of replay and reflection attack related to its Android app that occurs when users reinstall the app or change devices, granting a bad actor with access to Threema servers to replay old messages. A similar replay attack was identified in January 2018.
Last but not least, an adversary could also stage what’s called a Kompromat attack wherein a malicious server tricks a client “into unwittingly encrypting a message of the server’s choosing that can be delivered to a different user.”
It’s worth noting that this attack was previously reported to Threema by University of Erlangen-Nuremberg researcher Jonathan Krebs, prompting the company to ship fixes in December 2021 (version 4.62 for Android and version 4.6.14 for iOS).
“Using modern, secure libraries for cryptographic primitives does not, on its own, lead to a secure protocol design,” the researchers said. “Libraries such as NaCl or libsignal can be misused while building more complex protocols and developers must be wary not to be lulled into a false sense of security.”
“While the mantra ‘don’t roll your own crypto’ is now widely known, it should be extended to ‘don’t roll your own cryptographic protocol’ (assuming one already exists that meets the developer’s requirements),” they added. “In the case of Threema, the bespoke C2S protocol could be replaced by TLS.”
When reached for comment, Threema told The Hacker News that it has released a new communication protocol called Ibex that renders “some of the issues obsolete,” adding it “acted instantly to implement fixes for all findings within weeks.”
“While some of the findings […] may be interesting from a theoretical standpoint, none of them ever had any considerable real-world impact,” the company further noted. “Most assume extensive and unrealistic prerequisites that would have far greater consequences than the respective finding itself.”
It also pointed out that some of the attacks bank on having physical access to an unlocked mobile device over an extended time period, at which point the “entire device must be considered compromised.”
The study arrives almost six months after ETH Zurich researchers detailed critical shortcomings in the MEGA cloud storage service that could be weaponized to crack the private keys and fully compromise the privacy of the uploaded files.
Then in September 2022, another group of researchers disclosed a host of security flaws in the Matrix decentralized, real-time communication protocol that grant a malicious server operator the ability to read messages and impersonate users, effectively undermining the confidentiality and authenticity of the service.
