A security audit reveals that the TextSecure app is vulnerable to an Unknown Key-Share attack

Pierluigi Paganini November 03, 2014

A group of researchers that audited the popular TextSecure Private Messenger app discovered that it is vulnerable to Unknown Key-Share attacks.

The documents disclosed by Edward Snowden on surveillance activities have caused a spike in demand for privacy tools and solutions like the TextSecure Private Messenger app that we will discuss in this post.

TextSecure is a free Android mobile app developed by Open Whisper Systems. Its code is open source, and it implements end-to-end encryption to protect text messages sent by its users.

The TextSecure app has been downloaded by nearly 500,000 users from the official Google Play Store. A research team from Ruhr University Bochum conducted an audit of the TextSecure app and discovered that it is open to an Unknown Key-Share attack.

TextSecure is considered one of the most efficient text messaging applications for mobile devices, and its popularity increased after Facebook bought WhatsApp, because users feared that intelligence agencies could compel the company to give them access to its servers.

“Since Facebook bought WhatsApp, instant messaging apps with security guarantees became more and more popular,” state the authors of the audit in a paper titled “How Secure is TextSecure?”. “We are the first to completely and precisely document and analyze TEXTSECURE’s secure push messaging protocol.”

The research team produced a complete and precise documentation and analysis of TextSecure’s secure push messaging protocol.

According to the research team, TextSecure works on the cryptographic protocol that is implemented in the CyanogenMod firmware, and the researchers discovered a way to compromise it with an Unknown Key-Share (UKS) attack against the protocol.

“We found an Unknown Key-Share attack against the protocol. We have documented the attack and show how it can be mitigated. The attack has been communicated with and acknowledged by the developers of TEXTSECURE. We show that our proposed method of mitigation actually solves the issue,” the team explained.

“We show that if long-term public keys are authentic, so are the message keys, and that the encryption block of TextSecure is actually one-time stateful authenticated encryption [and] prove TextSecure’s push messaging can indeed achieve the goals of authenticity and confidentiality.”

This is the attack scenario explained by the researchers with an example:

“UKS attack by replacing his own public key with Nelson’s (Pe) public key and lets Milhouse verify the fingerprint of his new public key. This can be justified, for instance, by claiming to have a new device and having simply re-registered, as that requires less effort than restoring an encrypted backup of the existing key material. Now, as explained in more detail below, if Milhouse invites Bart to his birthday party, then Bart may just forward this message to Nelson who will believe that this message was actually sent from Milhouse. Thus, Milhouse (Pa) believes that he invited Bart (Pb) to his birthday party, where in fact, he invited Nelson (Pe).”

TextSecure attack scenario

In the paper, the experts also recommended a mitigation strategy that could prevent Unknown Key-Share attacks against TextSecure’s users. The solution proposed by the team was accepted by the app’s development team; it makes TextSecure’s push messaging secure and achieves one-time stateful authenticated encryption.
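The following is an added illustration, not code from the paper or from TextSecure. It models only message authentication in the Milhouse/Bart/Nelson scenario and shows why a tag keyed solely by the shared secret still verifies for Nelson, while a tag that also covers both parties' identities does not. The toy Diffie-Hellman group, the function names and the assumption that the fix is identity binding (a standard UKS countermeasure; the article does not detail the paper's mitigation) are all choices made for this sketch.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, chosen only so the example runs with the standard
# library. It is an assumption of this sketch and far too small for real use.
P = 2**127 - 1
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def mac_key(my_priv, their_pub):
    shared = pow(their_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def tag(key, msg, sender=None, recipient=None):
    # With identities supplied, both are length-prefixed and covered by the MAC.
    data = msg
    if sender is not None:
        ids = b"".join(len(i).to_bytes(2, "big") + i for i in (sender, recipient))
        data = ids + msg
    return hmac.new(key, data, hashlib.sha256).digest()

def nelson_accepts(addressed_to, bind_identities):
    """Milhouse sends to `addressed_to`; return True if Nelson's check passes."""
    a_priv, a_pub = keypair()   # Milhouse (Pa)
    e_priv, e_pub = keypair()   # Nelson (Pe)
    # Milhouse's view of the key directory: Bart (Pb) has registered
    # Nelson's public key as his own, as in the scenario above.
    directory = {b"bart": e_pub, b"nelson": e_pub}
    msg = b"Come to my birthday party"  # constructed sample message

    k_send = mac_key(a_priv, directory[addressed_to])
    k_recv = mac_key(e_priv, a_pub)
    if bind_identities:
        sent = tag(k_send, msg, b"milhouse", addressed_to)
        expected = tag(k_recv, msg, b"milhouse", b"nelson")
    else:
        sent = tag(k_send, msg)
        expected = tag(k_recv, msg)
    # The tag is relayed unchanged; Nelson recomputes it as "Milhouse -> Nelson".
    return hmac.compare_digest(sent, expected)

if __name__ == "__main__":
    for to, bind in [(b"bart", False), (b"bart", True), (b"nelson", True)]:
        print(to.decode(), "bound" if bind else "unbound", nelson_accepts(to, bind))
```

A message genuinely addressed to Nelson still verifies with binding enabled, so the check rejects only the misdirected one.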

Pierluigi Paganini

Security Affairs –  (TextSecure, mobile)
