A team of researchers from ETH Zurich uncovered multiple security vulnerabilities in Threema, a popular app that purports to provide secure communication through end-to-end encryption.
The app is used by over 10 million people and 7,000 organizations worldwide, including some high-profile politicians and the Swiss army.
The researchers identified seven potential attacks against Threema’s protocol that could threaten the privacy of communications on the app, potentially lead to account takeovers, trick clients into sending private keys to spoofed servers, and more.
Upon receiving the research findings in October 2022, the software company behind Threema promptly developed a stronger protocol named “Ibex” to address the issues.
Despite this, the company downplayed the significance of the research, stating that the reported vulnerabilities were no longer relevant to the current protocol and had no real-world impact on its product.
Attacks on the Protocol
The researchers at ETH Zurich investigated Threema to validate the claims the software vendor made about its security and found several issues that contradict them.
The seven attacks, summarized on a dedicated portal the researchers set up to publicize the issues, are the following:
- Ephemeral key compromise impersonation: an attacker could impersonate a client to the server by stealing their ephemeral key, which also appears to be reused by the platform.
- Vouch box forgery: an attacker could trick a user into sending a valid vouch box, which could then be used to permanently impersonate the client to the server.
- Message reordering and deletion: a malicious server could forward messages in an arbitrary order or prevent the delivery of specific messages indefinitely.
- Replay and reflection attacks: the message nonce database on the Android version of Threema cannot be transferred to new devices, permitting message replay and reflection attacks.
- Kompromat attack: a malicious server could deceive the client into using the same key during the initial registration process and while communicating with other users in the end-to-end encryption protocol.
- Cloning via Threema ID export: an attacker could clone the victim’s accounts if the victim leaves their devices unlocked.
- Compression side-channel: a vulnerability in Threema’s encryption allows attackers to extract a user’s private key by controlling their username and forcing multiple backups on their Android devices.
ETH Zurich also published a technical paper describing the above in full detail.
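The replay and reflection item above comes down to whether a device still remembers which nonces it has already sent or accepted. The following is an added sketch, not Threema's code or anything from the researchers' paper; it assumes HMAC-tagged messages under one shared key, and `NonceGuard`, `seal` and `accept` are hypothetical names.

```python
import hashlib
import hmac
import json
import os

class NonceGuard:
    """Hypothetical store of every nonce this device has sent or accepted."""
    def __init__(self, seen=None):
        self.seen = set(seen or [])

    def export(self) -> str:
        # Serialized so the store can travel with a backup to a new device.
        return json.dumps(sorted(self.seen))

    @classmethod
    def restore(cls, blob: str) -> "NonceGuard":
        return cls(json.loads(blob))

def _tag(key: bytes, nonce: str, text: str) -> str:
    return hmac.new(key, (nonce + text).encode(), hashlib.sha256).hexdigest()

def seal(key: bytes, guard: NonceGuard, text: str) -> dict:
    nonce = os.urandom(24).hex()
    guard.seen.add(nonce)  # remembering our own nonces is what stops reflection
    return {"nonce": nonce, "text": text, "tag": _tag(key, nonce, text)}

def accept(key: bytes, guard: NonceGuard, msg: dict) -> str:
    if not hmac.compare_digest(_tag(key, msg["nonce"], msg["text"]), msg["tag"]):
        return "bad-tag"
    if msg["nonce"] in guard.seen:
        return "rejected-duplicate-nonce"
    guard.seen.add(msg["nonce"])
    return "accepted"

def demo() -> dict:
    key = b"constructed shared key for the demo"  # constructed sample value
    alice, bob = NonceGuard(), NonceGuard()
    msg = seal(key, alice, "constructed sample message")
    results = {
        "first": accept(key, bob, msg),         # genuine delivery
        "replay": accept(key, bob, msg),        # same message delivered again
        "reflection": accept(key, alice, msg),  # sent back to its own sender
    }
    backup = bob.export()
    # New device without the nonce store: the old message looks fresh again.
    results["new_device_no_store"] = accept(key, NonceGuard(), msg)
    # New device with the store migrated: the duplicate is still caught.
    results["new_device_restored"] = accept(key, NonceGuard.restore(backup), msg)
    return results

if __name__ == "__main__":
    print(demo())
```

The valid tag on the replayed message shows why authentication alone does not help here: only the persisted nonce history distinguishes a duplicate from a new message.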
The researchers shared their findings and mitigation recommendations with Threema in October 2022, and the vendor accepted them with gratitude.
In November 2022, Threema released a new communications protocol named “Ibex,” which they claim is more secure, incorporating fixes for all issues the security researchers had reported. However, Ibex has not been audited yet, so these claims have not been confirmed.
In response to the disclosed issues, Threema issued a statement saying that “none of them ever had any considerable real-world impact” and that most of the vulnerabilities “assume extensive and unrealistic prerequisites.”
For more details on Threema’s deconstruction of each of the issues raised by ETH Zurich, see the company’s full response.