A team of researchers from ETH Zurich has published a paper describing multiple security flaws in Threema, a secure end-to-end encrypted communications app.
Threema is a privacy-focused and security-enhanced Swiss-made communications app used by the country’s government, army services, and over 10 million users and 7,000 organizations worldwide.
The ETH Zurich team devised seven attacks against Threema’s protocol that could have consequences for the privacy of communication over the app, including stealing private keys, deleting messages, breaking authentication, spoofing servers, and more.
The findings were reported to Threema on October 2022, and soon after, the software firm released a new, stronger protocol named “Ibex,” which, according to them, addressed the issues.
Ultimately, Threema dismissed the importance of ETH Zurich’s research, saying that the disclosed issues are no longer relevant to the protocol used by the software and never had any considerable real-world impact.
The ETH Zurich team decided to look into Threema’s security and evaluate claims made by the software vendor because it did not feature forward or post-compromise security.
Ephemeral key compromise impersonation – An attacker can forever impersonate a client to the server by stealing their ephemeral key. Also, instead of using ephemeral keys only once, Threema appeared to be reusing them.
Vouch box forgery – An attacker can trick a user into sending them a valid vouch box, and then use it to impersonate the client to the server forever.
Message reordering and deletion – A malicious server can forward messages from one user to another in arbitrary order, or withhold delivery of specific messages, which serves like deletion.
Replay and reflection attacks – The message nonce database on the Android version of Threema isn’t transferable, opening the way to message replaying and reflection attacks.
Kompromat attack – A malicious server can trick the client into using the same key while talking to the server during the initial registration protocol and while talking to other users in the E2E protocol.
Cloning via Threema ID export – An attacker can clone other people’s accounts on their device during windows of opportunity like the victim leaving their device unlocked and unattended.
Compression side-channel – A vulnerability in Threema’s encryption allows attackers to extract a user’s private key by controlling their own username and forcing multiple backups on Android devices. The attack can take a few hours to execute.
The ETH Zurich analysts disclosed the above to Threema on October 3, 2022, while also providing mitigation recommendations, and agreed to publish the issues for January 9, 2023.
Meanwhile, on November 29, 2022, Threema released its new communication protocol, Ibex, which implements forward security for Threema’s e2ee layer. However, this protocol has not been audited yet.
Threema released a statement on the disclosure of the issues, stating that the finding’s current applicability and historic importance overall do not have considerable “real-world” impact.
More specifically, Threema says:
The ‘Cloning via Threema ID export’ attack was known and addressed in 2021.
The ‘Ephemeral key compromise impersonation’ attack was purely of technical interest and has “no practicable applicability whatsoever.”
The ‘Vouch box forgery’ attacks rely on “social engineering, could not have been applied in practice, and would have required deliberate, extensive, and unusual cooperation by the targeted user.”
The other attacks require physical access to an unlocked mobile device over an extended period or direct access to an unlocked Threema device.
Threema also dismisses the claims about the “Ibex” protocol being designed around the findings of the ETH Zurich team, as the protocol has been under development for 1.5 years already.
Furthermore, Threema claims that its release coincided with the researchers’ disclosure.