Skip to main content

Royal Holloway cryptographers urge caution over use of secure messaging app

Site search

Royal Holloway cryptographers urge caution over use of secure messaging app

  • Date17 August 2021

Updates to the offline messaging app Bridgefy left users facing significant security vulnerabilities.

Cyber security - ISG

This new research from the Information Security Group at Royal Holloway, University of London and the Applied Cryptography Group at ETH Zurich suggests that users could still be tracked, or fall victim to snooping despite the application using an industry standard encryption library.

Bridgefy is a messaging app that has been advertised for use by people across the world during large-scale protests when normal forms of communication are down. The developers of the app reported increased uptake during sites of protest or government mandated Internet shutdowns. Bridgefy has cited high usage during protests in Hong Kong, India, Iran, Lebanon, Zimbabwe, the United States, and the company reported over a million downloads in Myanmar following a coup in February 2021.

In August 2020, researchers from Royal Holloway found serious vulnerabilities in the messaging app, warning that it could have significant consequences for its users. Following this, the developers updated their application to use the industry-standard Signal protocol to address these vulnerabilities, and resumed advertising their application for highly adversarial situations.

However, now a joint team of researchers – Raphael Eikenberg and Professor Kenny Paterson from the Applied Cryptography Group at ETH Zurich, and Professor Martin Albrecht from the Information Security Group at Royal Holloway demonstrated that these fixes were insufficient. In particular, they show that:

  1. Bridgefy users could still be tracked.
  2. Broadcast messages remained unauthenticated; an attacker can exploit this to impersonate other users on the network.
  3. The protocol remained susceptible to an attacker in the middle which can break confidentiality of messages. While such an attack was now limited to the first exchange between a pair of users, the research team notes that Bridgefy offers users no option to verify the public keys of their contacts.
  4. Any nodes in the network that receive a single carefully crafted message became unable to participate in further network communication. Given that Bridgefy is predominantly adopted to provide resilience against Internet outages this denial of service attack threatens its central application.

Most critical, however, is that the team managed to mount a practical attack against Signal-protected one-on-one messages that allows an attacker to read about half of all encrypted messages.

Professor Martin Albrecht, Director of the Cryptography Group at Royal Holloway, said: “We recommend that users avoid Bridgefy until its developers have committed to regular public security audits by respected third party auditors.”

The research team informed the Bridgefy developers on 21 May 2021 and the main vulnerability allowing an attacker to read encrypted messages was fixed on 14 August 2021.

Details about the research team’s finding can be found at https://eikendev.github.io/breaking-bridgefy-again.

More news

Browse all news

Royal Holloway academics launch essential anti-misinformation checklist ahead of global elections

24 Apr 2024

A group of academics from Royal Holloway have unveiled new guidance to help empower the public to make informed decisions amidst the fight against misinformation.

Royal Holloway student highlighted in new campaign celebrating those being the first in their family to attend university

15 Apr 2024

The success of a student from Royal Holloway, University of London, who was the first in their family (FiF) to attend university, is being highlighted in a new national campaign, 100 Faces.

Interim Pro-Vice-Chancellor (Education and Student Experience) appointed

11 Apr 2024

Professor Wyn Morgan has been appointed as Interim Pro-Vice-Chancellor (Education and Student Experience) and will join Royal Holloway on Monday 22 April 2024 for one year.

Royal Holloway included in campaign to show the creative and economic value of English degrees

22 Mar 2024

The Department of English at Royal Holloway, University of London has joined other universities across the UK to launch #EnglishCreates, a campaign to promote the study of English.

Explore Royal Holloway

Scholarships

Get help paying for your studies at Royal Holloway through a range of scholarships and bursaries.

Clubs and societies

There are lots of exciting ways to get involved at Royal Holloway. Discover new interests and enjoy existing ones.

Accommodation

Heading to university is exciting. Finding the right place to live will get you off to a good start.

Support and wellbeing

Whether you need support with your health or practical advice on budgeting or finding part-time work, we can help.

Departments and schools

Discover more about our 21 departments and schools.

Research Excellence Framework

Find out why Royal Holloway is in the top 25% of UK universities for research rated ‘world-leading’ or ‘internationally excellent’.

Challenge-led research themes

Royal Holloway is a research intensive university and our academics collaborate across disciplines to achieve excellence.

Research institutes and centres

Discover world-class research at Royal Holloway.

Royal Holloway today

Discover more about who we are today, and our vision for the future.

Our history

Royal Holloway began as two pioneering colleges for the education of women in the 19th century, and their spirit lives on today.

Our alumni

We’ve played a role in thousands of careers, some of them particularly remarkable.

Governance

Find about our decision-making processes and the people who lead and manage Royal Holloway today.