Royal Holloway researchers have found serious vulnerabilities in the messaging app, Bridgefy, which could have significant consequences for its users

The messaging app has been advertised for use by people across the world during large-scale protests when normal forms of communication are down, for example due to a government mandated internet shutdown. The developers of the app reported increased uptake from several sites of protest such as Hong Kong, India, Iran, Lebanon, Zimbabwe, and the US.

The academics from the Information Security Group (ISG) at Royal Holloway found that Bridgefy did not design and implement their application with security in mind and have proposed that Bridgefy should make use of an established cryptographic library.

The main flaws found by the researchers in the ISG, Lenka Mareková (CDT student), Jorge Blasco, Rikke Bjerg Jensen and Martin R. Albrecht, were that Bridgefy did not implement some necessary cryptographic protections and some cryptographic protections were implemented incorrectly.

They also found that the protocol wasn’t designed in a way to minimise information leaking, and its robustness against maliciously crafted messages was weak.

The key feature of Bridgefy is that it exchanges data using Bluetooth when an internet connection is not available. The application can send the following kinds of messages:

  • -one-to-one messages between two parties
  • -sent over the internet if both parties are online
  • -sent directly via Bluetooth if the parties are in physical range, or
  • -sent over the Bluetooth mesh network, and
  • -Bluetooth broadcast messages that anyone can read in a special “Broadcast mode” room.

Professor Martin Albrecht, from ISG at Royal Holloway, said: “We disclosed the vulnerabilities we found to Bridgefy developers in April this year. They confirmed these vulnerabilities soon after. Following up, the Bridgefy team began to inform their users that they should not expect confidentiality guarantees from the current version of the application.

“In June, they told us they are implementing a switch to the Signal protocol. This would provide cryptographic assurances and would fix many, but not all of the issues we found.”

This research is part of a larger interdisciplinary project between social scientists, systems security researchers and cryptographers on information security needs and requirements in protests. It showcases the integration of different disciplines studying information security as a key feature of the Information Security Group and our Centre for Doctoral Training in Cyber Security for the Everyday.

Comments

Post a Comment

Popular posts from this blog

Post-PhD thoughts on the Cyber Security field: Amy Ertan, 2017 CDT Cohort, now Cyber and Hybrid Policy Officer at NATO HQ in Brussels.

It has been just over a year since I successfully completed my viva – a milestone that initially felt both terrifying and insurmountable when I first joined the CDT. Now, I have the privilege of reflecting on my PhD journey and how its opportunities have shaped my present. I also wish to inspire curious students to embrace the full potential of the CDT and similar programs.   When I first came across the CDT application form, I initially envisioned transforming from a disillusioned city worker into a technical cyber security wizard, focusing on governance or incident response – as those were the only cyber security functions I was familiar with at the time. Very quickly, the CDT taught me that cyber security encompasses a vast and comprehensive range of approaches, offering me a holistic perspective on the field. Supported by the CDT, I engaged with exciting research and practitioner communities to learn about security governance, feminist and critical approaches, geography, the philos
Read more

Remote working and Cyber Security: Georgia Crossland and Amy Ertan

Image
Introducing the project The shift to remote working represents a huge shift for employees and organisations alike, introducing significant implications for cyber security. Amy Ertan and Georgia Crossland are currently working on a research project, in collaboration with the Research Institute for Sociotechnical Cyber Security (RISCS) and funded by the UK National Cyber Security Centre (NCSC), on the impact of remote working on cyber security and wellbeing. This blog post will give an overview of a section of this project, how remote working impacts cyber security. In response to COVID-19, in March 2020, organisations across the world made the rapid shift away from physical office working to remote working, wherever possible. This shift has had a significant impact across many aspects of organisations. This blog post will offer a high-level overview of how the cyber threat landscape was impacted for many organisations and may further change organisational cyber resilience. Remote workin
Read more

New Publication: Remote Working and (In)Security?: Amy Ertan

Image
A recent research report by CDT researchers Amy Ertan and Georgia Crossland has been published with the Research Institute for Sociotechnical Cyber Security (RISCS). The report examines ‘The Impact of Pandemic-Driven Remote Working on Employee Wellbeing, the Psychological Contract and Cyber Security’, with research carried out through a series of interviews with senior cyber security colleagues between January and April 2021. The full report can be found on the RISCS website: New publication: Remote Working and (In)Security | RISCS. Context In the UK and around the world, the impact of COVID-19 represented a total shift away from what was considered ‘normal living’. One aspect of this change was the rapid transition to remote working as people were encouraged to work from home and limit contact with others as far as possible through repeated lockdown conditions. Fellow CDT colleague Georgia Crossland and I were curious to explore how remote working has impacted the experiences - and se
Read more