One of the most popular secure messengers, Threema, found itself at the center of a scandal this week. Researchers at ETH Zurich, a public research university in Switzerland, found seven (7!) vulnerabilities in Threema’s protocols. Meanwhile, the app’s developers downplayed the bugs, blogging that they’d “resolved all issues within a few weeks” and “none of them ever had any considerable real-world impact”. So what’s really going on, and should you switch to Signal right away?
It’s hard to get to the bottom of the Threema scandal, because both sides’ behavior, while civilized, isn’t ideal. The ETH Zurich team has clearly overstated the significance of its work, which describes not only vulnerabilities but also hypothetical exploitation scenarios, while Threema’s developers are clearly understating the seriousness of the vulnerabilities — claiming they’re near impossible to exploit.
For those interested only in practical takeaways, we suggest jumping straight to them (at the end of this post).
Threema vulnerabilities
All vulnerabilities were responsibly disclosed in October and promptly fixed. According to both sides, there was no in-the-wild exploitation of the vulnerabilities, so there appear to be no grounds to fear disclosure of information regarding them. That said, there’s still reason for concern.
Let’s focus on what can be gleaned from a careful read of the ETH Zurich report, the Threema statement, and other publicly available studies into the Threema app and its protocols.
The app uses strong cryptographic algorithms with robust, standardized NaCl implementation. However, this is wrapped in Threema’s own information exchange protocol — whose implementation is imperfect. This raises the possibility of various theoretical attacks (such as sending a message in a group chat that looks different to different recipients), as well as some rather practical ones. For example, anyone with physical access to the target smartphone will be able to read Threema databases and backups on it relatively easy — if no passphrase has been set to protect the app. It’s also possible to clone a Threema ID, allowing an attacker to send messages in the victim’s name (but not at the same time). Of course, all scenarios involving physical access to a smartphone are mostly worst-case for any app, and they’re incredibly difficult to defend against.
Some of the proposed hypothetical attacks through the new vulnerabilities would work only if an attacker has full control over the data exchange network. But that in itself isn’t enough; other complex exploitation conditions are also required. For example, one scenario requires forcing the victim to send a message with very strange content through Threema. That’s unlikely to work in practice.
Of the flaws in the communication protocol itself, most disturbing is the lack of both forward secrecy and future secrecy. That is, having decrypted one message, you can decrypt later ones. This weakness has been known for some time, for which reason, apparently, in December, Threema announced a fundamentally new, more secure version of its protocol. This new protocol — Ibex — has yet to undergo independent security audits. We can only take the developers at their word when they say that it covers all facets of modern practical cryptography. Threema would be wise to heed the advice of ETH Zurich to externally audit the protocols in the early stages of development — not after releasing them.
To exploit some of the vulnerabilities the Threema server should be compromised and someone on the operator side should be deliberately trying to steal exchanged data or disrupt communication. This is important for organizations that use Threema Work: if a company can’t expose its data even to a hypothetical risk, it should consider switching to Threema OnPrem, where it will have its own internal Threema server. In this case, the administrators need to explore ways to strengthen server security (known as hardening).
App developers, too, need to draw lessons from this situation. “Don’t concoct your own cryptographic algorithms!” cryptography experts scream endlessly (Telegram, for one, didn’t listen). But Threema’s developers employed time-tested cryptographic algorithms with their correct, standard implementation! A number of bugs crept in due to the use of standard cryptography in the original client-server communication protocol, which is deployed instead of standard TLS. Looks like the experts should have screamed “Don’t concoct your own cryptographic algorithms and protocols!”
Practical takeaways
If you chose Threema believing it’s the “most encrypted messenger”, don’t mind using your phone number with an instant messenger, and don’t want to get bogged down in technical details, you’re better off switching to Signal. As proven by real hacks and court orders, Signal’s cryptography and data storage principles are more robust and resistant. If you need have to use Threema as your main working messenger, or you like that your Threema ID isn’t linked to your phone number, you can carry on using it, but just be aware of the risks. They may be hypothetical — but they cannot be completely discounted. Be sure to double-check and verify offline the Threema IDs of new contacts, and use passphrases for secure login.
Medium and large organizations that use Threema in their business processes should seriously consider migrating to Threema OnPrem to have full control over the messenger servers.