Researchers discovered severe flaws in Confide, the secure messaging app also used by White House staffers

Pierluigi Paganini March 09, 2017

Confide, the secure messaging app used by staffers in the White House and on Capitol Hill, is not as secure as the company claims.

Confide is the secure messaging app used by President Donald Trump’s staffers for their confidential communications. The application’s official website describes its encryption as follows:

“Confide uses military-grade end-to-end encryption to keep your messages safe and to ensure they can only be read by the intended recipients.”

The app lets users exchange end-to-end encrypted messages that self-destruct once they have been read.

Two separate studies have now revealed that Confide is not as secure as previously thought.

Experts at the security firm IOActive discovered multiple critical flaws in Confide while auditing version 1.4.2 of the Windows, Mac OS X, and Android clients. The researchers responsibly reported them to the Confide development team, which quickly fixed them.

“During the evaluation, multiple security vulnerabilities of varying severities were identified, with corresponding attacker exploitation risks ranging from account impersonation and message tampering, to exposing user contact details and hijacking accounts.” reads the analysis published by IOActive.

According to IOActive, the Confide flaws could be exploited to:

  • Hijack an account session or guess a password to impersonate contacts. The Confide app failed to prevent brute-force attacks on account passwords.
  • Spy on contact details of Confide users (i.e. real names, email addresses, and phone numbers).
  • Intercept a conversation and decrypt messages. The researchers found that man-in-the-middle attacks were possible because the app’s notification system did not require a valid SSL server certificate, so an attacker could capture messages in transit.
  • Modify the contents of a message or attachment in transit without first decrypting it.
  • Send malformed messages that can crash or slow the Confide application.

According to the research paper published by IOActive, the researchers gained access to more than 7,000 account records created between February 22 and 24, out of a database containing between 800,000 and 1 million records.

During their 2-day test, the team was able to find a Donald Trump associate and several employees from the Department of Homeland Security (DHS) who downloaded the Confide app.

Below is the timeline disclosed by IOActive:

  • February 2017: IOActive conducts testing on the Confide application.
  • February 25, 2017: Confide begins fixing issues uncovered by the detection of anomalous behavior during the testing window.
  • February 27, 2017: IOActive contacts Confide via several public email addresses to establish a line of communication.
  • February 28, 2017: IOActive discloses issues to Confide. Confide communicates that some mitigations are already in progress and plans are being made to address all issues.
  • March 2, 2017: Confide releases an updated Windows client (1.4.3), which includes fixes that address some of IOActive’s findings.
  • March 3, 2017: Confide informs IOActive that remediation of critical issues is complete.
  • March 8, 2017: Findings are published.

As mentioned above, a separate team of experts from Quarkslab reviewed the iOS app and demonstrated attacks against Confide’s end-to-end encryption.

According to Quarkslab, a series of design weaknesses in the Confide for iOS app could allow the company itself to read user messages; the researchers also noted that the app did not notify users when a contact’s encryption key changed.

“Confide server can read your messages by performing a man-in-the-middle attack.” “The end-to-end encryption used in Confide is far from reaching the state of the art. Building a secure instant messaging is not easy, but when claiming it, some strong mechanisms should really be enforced since the beginning.” reads the analysis of Quarkslab.

“The confidentiality of the exchanged messages depends on the robustness of TLS. Confide can technically read all the messages that pass through its servers. End-to-end encryption, as it is implemented, solely relies on the server through which the messages pass.”

Quarkslab’s analysis also looks beyond the encryption, since Confide is not just an encrypted messenger and advertises other security features:

  • Screenshot prevention: received messages supposedly cannot be copied by the user, yet the researchers’ write-up includes screenshots of the application.
  • Message deletion: once a user reads a message, it is deleted from the client and from the server. Can deletion be prevented?
  • Secrets protection: Confide handles secrets such as the private keys needed to decrypt messages. Are those keys correctly protected?

The Quarkslab researchers explained that the Confide server could generate its own key pair and return that public key to a client requesting the public key of a recipient.

“This client then unknowingly encrypts a message that can be decrypted by the server,” the researchers added. “Finally, when the server sends the message to the recipient, it is able to re-encrypt the message with its own key for the actual recipient.”
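The substitution Quarkslab describes, as an added example that is neither Confide’s code nor Quarkslab’s: a toy key directory and relay with two clients, in Python using only the standard library. A small Diffie-Hellman group and an HMAC-based stream cipher stand in for real primitives (they are placeholders for the demo, not a secure construction). The honest server hands out the registered keys; the malicious one answers every lookup with its own public key, reads the message in `relay`, and re-encrypts it to the real recipient, who decrypts it without noticing anything. The `pin_keys` flag is the countermeasure the article says the app lacked: the client compares the key the server returns against a fingerprint pinned earlier and refuses to encrypt when it changes. All names here (`Server`, `Client`, `run`, the message text) are assumptions of this example.

```python
import hashlib
import hmac
import os

# Toy DH group: a Mersenne prime, fine for the demo, NOT a vetted DH group.
P = 2**521 - 1
G = 2
NBYTES = 66  # large enough to hold any group element


def gen_keypair():
    priv = int.from_bytes(os.urandom(64), "big") % (P - 2) + 1
    return priv, pow(G, priv, P)


def fingerprint(pub):
    """Short hash of a public key, the value users would compare out of band."""
    return hashlib.sha256(pub.to_bytes(NBYTES, "big")).hexdigest()[:16]


def derive_key(priv, peer_pub):
    """Static-static Diffie-Hellman, hashed into a 32-byte message key."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(NBYTES, "big")).digest()


def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def encrypt(key, plaintext):
    """Encrypt-then-MAC with an HMAC-based stream cipher (toy, demo only)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class Server:
    """Key directory plus message relay; malicious mode performs the key substitution."""

    def __init__(self, malicious=False):
        self.malicious = malicious
        self.keys, self.inbox, self.seen = {}, {}, []
        self.priv, self.pub = gen_keypair()  # server's own pair, used only when malicious

    def register(self, name, pub):
        self.keys[name] = pub

    def lookup(self, name):
        # Honest: the registered key. Malicious: the server's own key, so the
        # client unknowingly encrypts to the server.
        return self.pub if self.malicious else self.keys[name]

    def relay(self, sender, recipient, blob):
        if self.malicious:
            # The sender encrypted to us: read the message, then re-encrypt it
            # to the real recipient (who was handed our key as the sender's).
            plaintext = decrypt(derive_key(self.priv, self.keys[sender]), blob)
            self.seen.append(plaintext.decode())
            blob = encrypt(derive_key(self.priv, self.keys[recipient]), plaintext)
        self.inbox.setdefault(recipient, []).append((sender, blob))


class KeyChanged(Exception):
    pass


class Client:
    def __init__(self, name, server, pin_keys=False):
        self.name, self.server, self.pin_keys = name, server, pin_keys
        self.priv, self.pub = gen_keypair()
        self.pinned = {}  # contact -> fingerprint verified earlier, e.g. out of band
        server.register(name, self.pub)

    def pin(self, contact, pub):
        self.pinned[contact] = fingerprint(pub)

    def peer_key(self, contact):
        pub = self.server.lookup(contact)  # fetched from the server on every use
        if self.pin_keys and contact in self.pinned and self.pinned[contact] != fingerprint(pub):
            raise KeyChanged(f"key for {contact} changed to {fingerprint(pub)}")
        return pub

    def send(self, contact, text):
        key = derive_key(self.priv, self.peer_key(contact))
        self.server.relay(self.name, contact, encrypt(key, text.encode()))

    def receive(self):
        return [decrypt(derive_key(self.priv, self.peer_key(sender)), blob).decode()
                for sender, blob in self.server.inbox.pop(self.name, [])]


def run(malicious, pin_keys):
    """Alice sends Bob one message; report what Bob got and what the server read."""
    server = Server(malicious)
    alice, bob = Client("alice", server, pin_keys), Client("bob", server, pin_keys)
    alice.pin("bob", bob.pub)  # stands in for an out-of-band fingerprint comparison
    bob.pin("alice", alice.pub)
    try:
        alice.send("bob", "meet at 9")
        return {"delivered": bob.receive(), "server_saw": server.seen, "alert": None}
    except KeyChanged as exc:
        return {"delivered": [], "server_saw": server.seen, "alert": str(exc)}


if __name__ == "__main__":
    for malicious, pin in [(False, False), (True, False), (True, True)]:
        print(f"malicious={malicious} pin_keys={pin}: {run(malicious, pin)}")
```

With the malicious server and no pinning, Bob receives exactly what Alice sent and the server has a copy of the plaintext; nothing on either client indicates that the key it encrypted to was not the peer’s. With pinning enabled, Alice’s client aborts before anything is sent. The point is the one Quarkslab makes: if the only source of a contact’s public key is the same server that relays the messages, confidentiality rests entirely on that server, and a key-change warning or fingerprint comparison is what turns the scheme into real end-to-end encryption.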

What was the company’s reply?

In response to the Quarkslab analysis, Confide co-founder and president Jon Brod argued that the researchers had intentionally undermined the security of their own system to bypass several layers of Confide’s protection.

“The researchers intentionally undermined the security of their own system to bypass several layers of Confide’s protection, including application signatures, code obfuscation, and certificate pinning. The attack that they claim to be demonstrating does not apply to legitimate users of Confide, who are benefiting from multiple security protections that we have put in place. Undermining your own security or taking complete control of a device makes the entire device vulnerable, not just the Confide app.” said Brod.

Confide has released a version that fixes the critical vulnerabilities reported by IOActive. According to the company, there is no evidence that they were exploited by attackers in the wild.


Pierluigi Paganini

(Security Affairs – Confide app, hacking)