from the not-as-advertised dept
Over the last year Bridgefy, a messaging app developed by Twitter cofounder Biz Stone, has been heavily promoted as just perfect for those trying to stand up to oppressive, authoritarian governments. The reason: the app uses both Bluetooth and mesh network routing to let users within a couple hundred meters of one another send group and individual messages — without their packets ever touching the internet. Originally promoted as more of a solution for those out of reach of traditional wireless, more recently the company has been playing up their product’s use for protesters in Belarus, India, the U.S., Zimbabwe, and Hong Kong.
The problem: the app is a security and privacy mess, and the company has known since April, yet it’s still marketing the app as great for protesters.
“Though it is advertised as ‘safe’ and ‘private’ and its creators claimed it was secured by end-to-end encryption, none of aforementioned use cases can be considered as taking place in adversarial environments such as situations of civil unrest where attempts to subvert the application’s security are not merely possible, but to be expected, and where such attacks can have harsh consequences for its users. Despite this, the Bridgefy developers advertise the app for such scenarios and media reports suggest the application is indeed relied upon.”
More specifically, the researchers reverse engineered the app and found they could mount attacks that let them decrypt and read direct messages, “de-anonymize” users, impersonate users, track a target’s movements, subject users to man-in-the-middle attacks that make it possible to alter message content, and even shut down the network entirely:
“Moreover, we utilise compression to undermine the advertised resilience of Bridgefy: using a single message ‘zip bomb’ we can completely disable the mesh network, since clients will forward any payload before parsing it which then causes them to hang until a reinstallation of the application. Overall, we conclude that using Bridgefy represents a significant risk to participants of protests.”
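The quote above pins the network-wide outage on one design choice: clients forward a payload before they have parsed it, so a single highly compressible message can take every node down. The following is an added, defender-side illustration of the opposite ordering, not code from Bridgefy or from the paper: a relay that fully validates each frame, including a hard cap on decompressed size, before the frame becomes eligible for forwarding. The frame format (zlib-compressed JSON carrying `sender`, `recipient` and `text`), the 64 KiB cap, and all fixtures are assumptions constructed for the example.

```python
import json
import zlib

# Assumed per-frame bound: a chat message should never inflate beyond this.
MAX_DECOMPRESSED = 64 * 1024


class RejectedPayload(ValueError):
    """Raised for any frame that must be dropped rather than forwarded."""


def bounded_inflate(data: bytes, max_out: int = MAX_DECOMPRESSED) -> bytes:
    """Inflate a zlib stream but stop as soon as the output bound is exceeded.

    Asking the decompressor for at most max_out + 1 bytes means an oversized
    payload is detected after one byte too many, not after exhausting memory.
    """
    d = zlib.decompressobj()
    out = d.decompress(data, max_out + 1)
    if len(out) > max_out:
        raise RejectedPayload("decompressed size exceeds %d bytes" % max_out)
    if not d.eof:
        raise RejectedPayload("truncated or incomplete compressed stream")
    if d.unused_data:
        raise RejectedPayload("trailing bytes after compressed stream")
    return out


REQUIRED_FIELDS = ("sender", "recipient", "text")


def validate_for_relay(raw: bytes) -> dict:
    """Fully parse a frame; only a frame that passes is eligible for forwarding."""
    body = bounded_inflate(raw)
    try:
        msg = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise RejectedPayload("body is not a well-formed message") from exc
    if not isinstance(msg, dict):
        raise RejectedPayload("body is not a message object")
    for field in REQUIRED_FIELDS:
        if not isinstance(msg.get(field), str):
            raise RejectedPayload("missing or non-string field %r" % field)
    return msg


def forwardable(raw: bytes) -> bool:
    """True only when the frame survived every check above."""
    try:
        validate_for_relay(raw)
        return True
    except RejectedPayload:
        return False


def relay(frames, forward):
    """Relay loop: validate first, forward second. Returns (forwarded, dropped)."""
    forwarded = dropped = 0
    for raw in frames:
        if forwardable(raw):
            forward(raw)
            forwarded += 1
        else:
            dropped += 1
    return forwarded, dropped


# Constructed fixtures (not real Bridgefy traffic): one ordinary message, one
# frame that inflates to 1 MiB of zeros, one truncated frame, one non-message.
GOOD_FRAME = zlib.compress(json.dumps(
    {"sender": "alice", "recipient": "bob", "text": "meet at the square"}).encode())
OVERSIZED_FRAME = zlib.compress(b"\0" * (1024 * 1024))
TRUNCATED_FRAME = GOOD_FRAME[:-4]          # adler32 trailer removed
JUNK_FRAME = zlib.compress(b"not a message")

if __name__ == "__main__":
    kept, dropped = relay(
        [GOOD_FRAME, OVERSIZED_FRAME, TRUNCATED_FRAME, JUNK_FRAME],
        lambda frame: None)
    print("forwarded=%d dropped=%d" % (kept, dropped))  # forwarded=1 dropped=3
```

The ordering is the whole point: a node that inflates and parses inside a bound before it relays can only ever be hurt locally and briefly by a bad frame, and it refuses to pass that frame on, so the failure does not propagate across the mesh. The size cap is cheap to enforce with `zlib.decompressobj`'s `max_length` argument and should sit alongside, not replace, authentication of the sender.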
Many of the problems stem from the fact that Bridgefy provides no means of cryptographic authentication, instead relying on a userID transmitted in plaintext. Anyone within radio range can capture that ID as it travels over the air, opening the door to impersonation and all manner of additional attacks.
The company was advised of the myriad of problems with its app back in April. And while it says it’s taking steps to address many of them (including revamping the system internals to utilize the Signal protocol), and making it a little bit more clear to users that the app does not feature true end-to-end encryption, the company continues to advertise the idea it’s a great tool for protesters. From Ars:
“But the company continues to send mixed messages. The App Store and Play Store promotions mentioned earlier give the impression Bridgefy can be trusted to keep messages private, even though it has been clear to the company since April that they can’t. Tweets that continue to refer to mass protests and welcome activists using the app are another example.”
Belated responses, no responses, or hostile responses to security researchers are common in the United States, where we like to talk a lot about privacy and security protection in marketing and speeches, but not practice it. So while it’s good Bridgefy acknowledged the flaws and even thanked the researchers in a statement, the company’s decision to continue marketing the app as perfect for protesters is actively exposing those users to surveillance, arrest, and potentially worse.