Academic researchers have discovered serious vulnerabilities at the core of Threema, an instant messenger that the Switzerland-based developer says offers a level of security and privacy “no other chat service” can offer. Despite the unusually strong claims and two independent security audits Threema has received, the researchers said the flaws completely undermine the assurances of confidentiality and authentication that are the cornerstone of any program sold as providing end-to-end encryption, commonly abbreviated to E2EE.
Threema has more than 10 million users, which include the Swiss government, the Swiss army, German Chancellor Olaf Scholz and other politicians in that country. Threema developers advertise it as a more secure alternative to Meta’s WhatsApp messenger. It is among the best Android apps for a fee-based category in Switzerland, Germany, Austria, Canada and Australia. The app uses a specially designed encryption protocol contrary to established cryptographic norms.
The Seven Deadly Flaws
Researchers from the Zurich-based ETH research university reported on Monday that they found seven vulnerabilities in Threema that seriously call into question the true level of security the app has offered over the years. Two of the vulnerabilities do not require any special access to a Threema server or app to cryptographically impersonate a user. Three vulnerabilities require an attacker to gain access to a Threema server. The remaining two can be exploited when an attacker gains access to an unlocked phone, for example at a border crossing.
“Overall, our attacks seriously undermine Threema’s security requirements,” the researchers wrote. “All of the attacks can be mitigated, but in some cases a major redesign is required.”
The seven vulnerabilities the researchers uncovered include:
- External actor with no special access
- In case a volatile key is exposed even once, an attacker can permanently impersonate the client to the server and then obtain all metadata in all E2EE messages. This is a notable shortcoming because volatile keys should never be able to authenticate a user. With Threema, leaking a volatile key has the same effect as leaking a long-term key. Sloppy key management also causes Threema to reuse volatile keys in places they should never be reused.
- A flaw in the way Threema’s client-to-server (C2S) protocol interacts with its end-to-end (E2E) protocol that causes a user to create a special Threema value known as a voucher box and send it to the attacker . The attacker can exploit it by tricking a user into sending a set of characters (u9j6’jjخЙ^ 1hW:-́;ܡRA) to a special but harmless account. One possible way for an attacker to do this is to spam a large number of users asking them to send the string of characters to a specific account to be eligible for a prize. From that point, the attacker can impersonate the hacked client to the server.
- When an attacker has compromised a Threema server:
- Lack of integrity protection on the message’s metadata. As a result, an attacker can covertly rearrange and/or delete messages sent from one client to another.
- Unhandled misuse allows “replay and reflection” attacks, where the threat actor resends old messages and sends a user a message that the user previously sent to someone else.
- A flaw in the challenge-and-response protocol used for a client to authenticate to the server during registration. During the process, the client proves possession of its private key by encrypting a server-selected message that is encrypted with a server-selected public key. A compromised server can exploit this design to create “kompromat” or potentially incriminating messages that can be delivered to a targeted user at any later time. Threema patched this vulnerability in December 2021, when its own researcher discovered it.
- When an attacker gains access to an unlocked phone running Threema:
- A feature that allows users to export their private key from one device to another. Poor design decisions make it trivial for an attacker to use the key to clone a Threema account and continue to access all future messages. Combined with a compromised Threema server, the adversary can also obtain all previously sent messages.
- Message compression that occurs before encryption when Threema creates a backup, combined with the ability for an attacker to use a nickname function to inject selected strings into the backup. This allows a more sophisticated attacker to observe the size of the backup file over multiple iterations and eventually recover the user’s private key.