A group of researcher that audited the popular TextSecure Private Messenger app discovered that it is vulnerable to Unknown Key-Share attacks.
The documents disclosed by Eduard Snowden on surveillance activities has caused a spike in the demand of privacy tools and solutions like the TextSecure Private Messenger app that we sill discuss in this post.
TextSecure is a free Android mobile app developed by Open WhisperSystems, its code is open-source and it implements end-to-end encryption to protect text messages sent by the users.
The TextSecure app was downloaded by nearly 500,000 users from the official Google’s Play Store. A Research team from Ruhr University Bochum has conducted an audit on TextSecure app discovering that the mobile app is open to an Unknown Key-Share attack.
TextSecure is considered one of most efficient text messaging application for mobile devices and its popularity increased after the Facebook bought WhatsApp, due to the fear of users that Intelligence agencies could have imposed to the company to give them the access to the servers.
“Since Facebook bought WhatsApp, instant messaging apps with security guarantees became more and more popular,” “We are the first to completely and precisely document and analyze TEXTSECURE’s secure push messaging protocol” states the author of the audit in a paper titled, “How Secure is TextSecure?“.
The research team explained a complete and precise document and analyze of TextSecure’s secure push messaging protocol.
According to the research team, TextSecure works on a the cryptographic protocol that is implemented in the CYANOGENMOD firmware, and the researchers discovered a way compromise it with a an Unknown Key-Share Attack (UKS) against the protocol.
“We found an Unknown Key-Share attack against the protocol. We have documented the attack and show how it can be mitigated. The attack has been communicated with and acknowledged by the developers of TEXTSECURE. We show that our proposed method of mitigation actually solves the issue” the team explained.
“We show that if long-term public keys are authentic, so are the message keys, and that the encryption block of TextSecure is actually one-time stateful authenticated encryption [and] prove TextSecure’s push messaging can indeed achieve the goals of authenticity and confidentiality.”
This is the attack scenario explained by the researchers with an example:
“UKS attack by replacing his own public key with Nelsons (Pe) public key and lets Milhouse verify the fingerprint of his new public key. This can be justified, for instance, by claiming to have a new device and having simply re-registered, as that requires less effort than restoring an encrypted backup of the existing key material. Now, as explained in more detail below, if Milhouse invites Bart to his birthday party, then Bart may just forward this message to Nelson who will believe that this message was actually sent from Milhouse. Thus, Milhouse (Pa) believes that he invited Bart (Pb) to his birthday party, where in fact, he invited Nelson (Pe)”
The experts in the paper also recommended a mitigation strategy, that could avoid Unknown Key-Share attack against the TextSecure’s users. The solution proposed by the team was accepted by the development team of the app, it makes TextSecure’s push messaging secure and achieves one-time stateful authenticated encryption.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.