A team of cryptographers, Dan Jones and Martin Albrecht (Royal Holloway), Sofía Celi (Brave) and Benjamin Dowling (University of Sheffield), has found several practically exploitable cryptographic vulnerabilities in the end-to-end encryption provided by the popular Matrix protocol and its flagship client implementation, Element.
These attacks break the confidentiality and authentication of end-to-end encrypted messages against a malicious server: such a server can read user messages and impersonate users to each other. The research paper (pre-print) is available online, and a first set of countermeasures and mitigations was released by the Matrix developers on Wednesday, 28 September.
Matrix is an open-source project that aims to provide secure, decentralised, real-time communication. While Matrix's federated nature makes it difficult to assess how widely it is used, several notable organisations and institutions have adopted it or announced plans to do so. For example, both KDE and Mozilla announced plans to switch their internal communications to Matrix in 2019; the Fourth Estate announced its plans to build an encrypted messenger for journalists and news organisations based on Matrix in 2021; the French government announced plans to create its own instant messaging app, Tchap, based on Matrix, which was released in 2019; the German ministry of defence launched BwMessenger, for use in internal, official (and classified) communication, based on Matrix in 2020, with a view to moving over other parts of the German government; and the German healthcare system announced its plans to adopt Matrix in 2021. In March 2021, matrix.org, the most popular Matrix server, announced that there were 28 million globally visible accounts. The Element website claims more than 60M Matrix users.
The attacks work in the setting where encrypted messaging and device verification are enabled, i.e. under the strongest protections the protocol offers. A caveat worth noting is that if this condition is not satisfied, even for a single device or user, then e.g. impersonation becomes trivial. While Element already supports the option of refusing to send messages to unverified devices, an option that is being extended in today's fixes, it does not reject messages received from such devices. Thus, unless a client-side option is provided to reject all communication from unverified devices, or from rooms that contain such devices, Matrix clients will not provide a secure chat environment regardless of the cryptographic guarantees provided for verified devices.
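To make the asymmetry concrete, the following is an added example (not Element or matrix-js-sdk code) of a client-side trust policy enforced in both directions: the outgoing check Element already offers (refuse to send while any member device is unverified) next to the missing incoming check (reject events from unverified or unknown sender devices), plus the stricter room-level variant. The field names (userId, deviceId, state, sender, senderDeviceId), the scenario data and the assumption that a decrypted event has already been bound to a sender device are all constructed for illustration.

```javascript
// Added example, not Element or matrix-js-sdk code: a minimal client-side
// trust policy enforced in BOTH directions. Field names (userId, deviceId,
// state, sender, senderDeviceId) and the way an event is bound to its sender
// device are assumptions made for illustration only.

const TrustState = Object.freeze({
  VERIFIED: "verified",     // cross-signing / manual verification completed
  UNVERIFIED: "unverified", // device known to the client but never verified
  UNKNOWN: "unknown",       // device the client has never seen at all
});

// Build a device store (userId -> Map(deviceId -> TrustState)) from records.
function makeDeviceStore(records) {
  const store = new Map();
  for (const { userId, deviceId, state } of records) {
    if (!store.has(userId)) store.set(userId, new Map());
    store.get(userId).set(deviceId, state);
  }
  return store;
}

// A device the client has no record of is UNKNOWN, never implicitly trusted:
// a malicious homeserver can attach new devices to any user it serves.
function deviceTrust(store, userId, deviceId) {
  return store.get(userId)?.get(deviceId) ?? TrustState.UNKNOWN;
}

// Outgoing policy (the option Element already offers): refuse to send to a
// room while any member device is not verified. Returns the offending devices.
function canSendToRoom(store, memberUserIds) {
  const offenders = [];
  for (const userId of memberUserIds) {
    const devices = store.get(userId) ?? new Map();
    if (devices.size === 0) offenders.push(`${userId}:<no devices>`);
    for (const [deviceId, state] of devices) {
      if (state !== TrustState.VERIFIED) offenders.push(`${userId}:${deviceId}`);
    }
  }
  return { allowed: offenders.length === 0, offenders };
}

// Incoming policy (the missing half): accept a decrypted event only if the
// device it is bound to is verified. An unverified or unknown sender device
// is rejected rather than displayed, so a server-injected device cannot
// impersonate the user to the rest of the room.
function acceptIncoming(store, event) {
  const state = deviceTrust(store, event.sender, event.senderDeviceId);
  const accepted = state === TrustState.VERIFIED;
  return {
    accepted,
    reason: accepted
      ? "sender device verified"
      : `sender device ${event.sender}:${event.senderDeviceId} is ${state}`,
  };
}

// Room-level policy: while the room contains any unverified device, reject
// every event in it, even those from devices that are individually verified.
function filterRoomTimeline(store, memberUserIds, events) {
  const room = canSendToRoom(store, memberUserIds);
  return events.map((ev) => {
    if (!room.allowed) {
      return { ...ev, accepted: false, reason: `room has unverified devices: ${room.offenders.join(", ")}` };
    }
    return { ...ev, ...acceptIncoming(store, ev) };
  });
}

// Remedy: the user verifies the device out of band; the room is then usable again.
function markVerified(store, userId, deviceId) {
  if (!store.has(userId)) store.set(userId, new Map());
  store.get(userId).set(deviceId, TrustState.VERIFIED);
}

// Constructed scenario: Alice and Bob verified each other, then a second
// device (BOBDEV2) appeared on Bob's account without being verified.
const SAMPLE_DEVICES = [
  { userId: "@alice:example.org", deviceId: "ALICEDEV1", state: TrustState.VERIFIED },
  { userId: "@bob:example.org", deviceId: "BOBDEV1", state: TrustState.VERIFIED },
  { userId: "@bob:example.org", deviceId: "BOBDEV2", state: TrustState.UNVERIFIED },
];
const ROOM_MEMBERS = ["@alice:example.org", "@bob:example.org"];
const SAMPLE_EVENTS = [ // constructed, decrypted events already bound to a sender device
  { eventId: "$ev1", sender: "@bob:example.org", senderDeviceId: "BOBDEV1", body: "hi Alice" },
  { eventId: "$ev2", sender: "@bob:example.org", senderDeviceId: "BOBDEV2", body: "resend the key?" },
];

function runDemo() {
  const store = makeDeviceStore(SAMPLE_DEVICES);
  const send = canSendToRoom(store, ROOM_MEMBERS);                  // refused: BOBDEV2
  const perDevice = SAMPLE_EVENTS.map((ev) => acceptIncoming(store, ev)); // $ev1 ok, $ev2 rejected
  const roomLevel = filterRoomTimeline(store, ROOM_MEMBERS, SAMPLE_EVENTS); // everything rejected
  markVerified(store, "@bob:example.org", "BOBDEV2");
  const afterVerify = canSendToRoom(store, ROOM_MEMBERS);           // allowed again
  return { send, perDevice, roomLevel, afterVerify };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

The per-device incoming check is the minimum that closes the gap described above; the room-level variant is the conservative choice the text asks for, since a single unverified device in a room is enough for a malicious server to stage an impersonation, so rejecting the whole room until every device is verified fails closed rather than open.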
Dan Jones, a PhD candidate at Royal Holloway, University of London and the study's main author, commented: "While today's fixes are not complete, these are good first steps towards ensuring that Matrix lives up to its promises of confidentiality and authentication. The longer term plans communicated to us by the Matrix developers should then provide full protection against our attacks. Matrix occupies a unique position within the messaging space, providing an end-to-end encrypted federated messaging platform. We hope our work inspires others to scrutinise its security to ensure that potential further issues are found-and-fixed or ruled out early. Doing so will help to strengthen the platform and ensure its long-term viability."