📱Weaknesses stemming from fundamental security problems have been discovered in the super-duper protected messenger "Threema": an audit by researchers at the 🇨🇭ETH Zurich university
Preferred by the Swiss government and the army, the Threema app with the loud slogan "Secure. Anonymous. Trusted by millions" turned out not to be as safe as it was supposed to be. A group of scientists from the reputable Swiss Federal Institute of Technology in Zurich (🇨🇭ETH Zurich), specializing in cryptography and mathematics, found that, due to fundamental security problems in the Threema application, potential attackers can clone accounts using 7 different attack options, read user messages, steal users' private keys, obtain contacts from phone books and even produce compromising material for the purpose of blackmail.
1️⃣ C2S Ephemeral Key Compromise attack
2️⃣ Vouch Box Forgery attack
3️⃣ Message Reordering and Deletion attack
4️⃣ Message Replay and Reflection attack
5️⃣ Kompromat attack
6️⃣ Cloning via Threema ID Export attack
7️⃣ Session Side-Channel attack
Three ETH Zurich researchers, Kenneth Paterson, Matteo Scarlata and Kien Tuong Truong, noted that they initially reported their findings to Threema in October 2022 so that the company could promptly eliminate the vulnerabilities, and then agreed to make the problems public on January 9, 2023. The company, however, already knowing about the critical problems, preemptively announced a new protected "Ibex" protocol in November 2022, which "no longer looks like the old one", trying to shift the focus to its novelty and the absence of fundamental security problems.
"Last year, a student of the Faculty of Computer Science at ETH Zurich wrote a master's thesis on the Threema protocol. Now the university has published his work in the form of an article. However, the research work is based on an old protocol that is no longer in use. The presented conclusions are not applicable to the current Threema "Ibex" communication protocol," was how the secure messenger company's marketers cleverly played their cards.
🤦‍♂️ "Threema's statement is misleading. It is very annoying to see that they have depicted the current situation in this way," commented Kenneth Paterson, a doctor of computer science from ETH Zurich. (Original English: Threema's statement "is extremely misleading".)
"On the other hand, the seven attacks we have presented highlight several fundamental weaknesses in the design of Threema. Indeed, the Threema protocols lack basic properties that are now considered de rigueur for a messenger app to be regarded as secure: forward secrecy with respect to a malicious server, and protection against replay, reflection, and reordering attacks," Swiss researchers summarize the Threema audit.
Threema is known to have gained particular popularity among the Swiss military, who were obliged to switch to Threema in order to avoid surveillance by foreign countries. The app has more than 10 million users and 7,000 customers, including German Chancellor Olaf Scholz.