Bridgefy, A Messaging App Hyped As Great For Protesters, Is A Security Mess

from the not-as-advertised dept

Over the last year Bridgefy, a messaging app developed by Twitter cofounder Biz Stone, has been heavily promoted as just perfect for those trying to stand up to oppressive, authoritarian governments. The reason: the app uses both Bluetooth and mesh network routing to let users within a couple hundred meters of one another send group and individual messages — without their packets ever touching the internet. Originally promoted as more of a solution for those out of reach of traditional wireless, more recently the company has been playing up their product’s use for protesters in Belarus, India, the U.S., Zimbabwe, and Hong Kong.

The problem: the app is a security and privacy mess, and the company has known since April, yet it’s still marketing the app as great for protesters.

A new research study, first spotted by Ars Technica, found that the app suffers from numerous vulnerabilities that could actually put protesters at risk:

“Though it is advertised as ‘safe’ and ‘private’ and its creators claimed it was secured by end-to-end encryption, none of aforementioned use cases can be considered as taking place in adversarial environments such as situations of civil unrest where attempts to subvert the application’s security are not merely possible, but to be expected, and where such attacks can have harsh consequences for its users. Despite this, the Bridgefy developers advertise the app for such scenarios and media reports suggest the application is indeed relied upon.”

More specifically, the researchers reverse engineered the app and found they could create attacks allowing them to decrypt and read direct messages, “de-anonymize” users, impersonate users, track a target’s movement, subject users to man in the middle attacks making it possible to change message content, and even shut down the network:

“Moreover, we utilise compression to undermine the advertised resilience of Bridgefy: using a single message ‘zip bomb’ we can completely disable the mesh network, since clients will forward any payload before parsing it which then causes them to hang until a reinstallation of the application. Overall, we conclude that using Bridgefy represents a significant risk to participants of protests.”
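The failure described in that quote is a relay that forwards and expands a compressed payload without ever bounding the result. The following is an added example, not code from Bridgefy or from the researchers, of the defensive gate a mesh client could apply before forwarding: it checks the archive's declared sizes and compression ratios, then streams the decompression with a hard output cap, because declared sizes in a zip header are attacker-controlled. The size limits, ratio threshold, and function names are assumptions chosen for the illustration; the test payloads are constructed in-memory archives built with the standard library.

```python
import io
import zipfile

# Assumed limits for this example (not Bridgefy's values): any payload that
# would expand past these bounds is refused instead of forwarded.
MAX_MEMBER_BYTES = 1 * 1024 * 1024      # 1 MiB per extracted member
MAX_TOTAL_BYTES = 4 * 1024 * 1024       # 4 MiB across the whole archive
MAX_COMPRESSION_RATIO = 100             # declared expansion ratio treated as suspicious
CHUNK = 64 * 1024                       # streaming read size


class UnsafeArchive(Exception):
    """Raised when a payload fails the pre-forwarding safety checks."""


def inspect_archive(payload: bytes) -> dict:
    """Validate a zip payload BEFORE it is forwarded or parsed any further.

    Layer 1 applies cheap checks to the central-directory metadata.
    Layer 2 streams each member through the decompressor and counts the bytes
    actually produced, stopping the moment a cap is crossed, so a header that
    lies about its size cannot talk the client into an unbounded expansion.
    Returns {member_name: produced_bytes} on success, raises UnsafeArchive otherwise.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(payload))
    except zipfile.BadZipFile as exc:
        raise UnsafeArchive(f"not a valid zip archive: {exc}") from exc

    sizes = {}
    total = 0
    with zf:
        for info in zf.infolist():
            # Layer 1: declared sizes are a hint, never the truth.
            if info.file_size > MAX_MEMBER_BYTES:
                raise UnsafeArchive(f"{info.filename}: declared size {info.file_size} exceeds cap")
            if info.compress_size and info.file_size / info.compress_size > MAX_COMPRESSION_RATIO:
                raise UnsafeArchive(f"{info.filename}: suspicious compression ratio")
            # Layer 2: bounded streaming; never materialise the whole member at once.
            produced = 0
            with zf.open(info) as member:
                while True:
                    chunk = member.read(CHUNK)
                    if not chunk:
                        break
                    produced += len(chunk)
                    total += len(chunk)
                    if produced > MAX_MEMBER_BYTES or total > MAX_TOTAL_BYTES:
                        raise UnsafeArchive(f"{info.filename}: expanded past the cap while streaming")
            sizes[info.filename] = produced
    return sizes


def build_archive(members: dict) -> bytes:
    """Constructed helper: build an in-memory DEFLATE zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def is_safe_to_forward(payload: bytes) -> bool:
    """The gate a relay would apply: forward only what passes inspection."""
    try:
        inspect_archive(payload)
        return True
    except UnsafeArchive:
        return False


if __name__ == "__main__":
    # Constructed inputs: an ordinary small member, and a highly compressible
    # block of zeros that trips the ratio check long before it is expanded.
    benign = build_archive({"note.txt": bytes(range(256)) * 4})
    compressible = build_archive({"zeros.bin": b"\x00" * (512 * 1024)})
    print("benign forwarded:", is_safe_to_forward(benign))            # True
    print("compressible forwarded:", is_safe_to_forward(compressible))  # False
```

The point of the second layer is that the decision is made on bytes actually produced, not on what the sender claims; the relay can drop a payload after 64 KiB of output and never reaches the "hang until reinstall" state the researchers describe.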

Many of the problems stem from the fact that Bridgefy provides no cryptographic authentication of senders, instead relying on a user ID transmitted in plaintext. Anyone within radio range can capture that identifier as it passes over the air, opening the door to impersonation and all manner of additional attacks.

The company was advised of the myriad problems with its app back in April. And while it says it’s taking steps to address many of them (including revamping the system internals to use the Signal protocol), and making it a little clearer to users that the app does not feature true end-to-end encryption, the company continues to advertise the idea that it’s a great tool for protesters. From Ars:

“But the company continues to send mixed messages. The App Store and Play Store promotions mentioned earlier give the impression Bridgefy can be trusted to keep messages private, even though it has been clear to the company since April that they can’t. Tweets that continue to refer to mass protests and welcome activists using the app are another example.”

Belated responses, no responses, or hostile responses to security researchers are common in the United States, where we like to talk a lot about privacy and security protection in marketing and speeches, but not practice it. So while it’s good that Bridgefy acknowledged the flaws and even thanked the researchers in a statement, the company’s decision to continue marketing the app as perfect for protesters is actively exposing those users to surveillance, arrest, and potentially worse.

Companies: bridgefy


Comments on “Bridgefy, A Messaging App Hyped As Great For Protesters, Is A Security Mess”

7 Comments
Anonymous Coward says:

I originally wondered if the awful implementation (user names in clear text, wtf??) coupled with promoting it as good for activists had malicious intent behind it but then I remembered – do not assign to malice that which can easily be explained as stupidity…

That the marketing fairies are still pushing it at activists is.. just marketing. Never let facts get in the way of a good sales promotion.

So bad engineering and dumb marketing is much more likely but much less of a story 🙂

Who Cares (profile) says:

Zip bombing? Good grief that was the kind of ‘prank’ I played in 1995. Sending a 16 KB archive, without password, through the school servers, crafted to extract to 4 GB worth of ones. Minor reaction to them opening any archive without password and deleting the ones with. These days there are mitigation strategies to prevent the computer processing it from running into memory/processor time issues.
Same thing with the second prong of my little protest where the mail account I sent it to (and from) would forward this specific archive back to the sender twice (Just to make sure that the e-mail servers would crash from running out of space). There are mitigation strategies for that little prank as well these days.

Yes I did not like them deleting archives because they were password protected and me failing a course due to that.

