 |
| © Threema |
Encrypted services are popular, and a growing number of major public and private players are using them. But, with such responsibilities, the interest of researchers and hackers is only increased tenfold, and the publisher of Threema has just paid the price.
Used by the German Chancellor or even by the Swiss government and military, Threema boasts of being more reliable than its competitors, such as Signal, also based in Switzerland. But recent studies have highlighted several flaws in its security protocol.
Data from millions of vulnerable users
A computer science student from Zurich, along with his two thesis supervisors, managed to thwart the application's defenses using several different methods. They thus found a wide range of situations: the usurpation of a user's identity, the reorganization of the succession of messages exchanged, the cloning of an account and even the exploitation of the backup mechanism to recover the key. secret of a user.
Some of these flaws, which require direct access to the victim's device, could allow a third party to scan the latter's future messages without their knowledge. A rather worrying finding, given some very important customers of the company. It is the so-called maximum security advanced by Threema which is called into question here.
Discovered and communicated to developers in early October, the flaws were closed nearly two months later as a new security protocol was rolled out to the messaging service. But, nothing says if these vulnerabilities have been exploited in the meantime, or even before the discovery of the Swiss researchers. The latter, moreover, made their conclusions public at the beginning of the year, provoking a public response from Threema the same day. The publisher expressed its thanks to the researchers, while emphasizing that none of the attack methods described “have ever had a significant impact in the real world. »
A puzzled response from the editor.
The company took the opportunity to say that its teams were already working on fixes before the researchers contacted them. While adding in a tweet that “today's academia forces researchers and even students to desperately oversell their results. Strongly criticized by the cybersecurity community for its mistrust, even its contempt of the researchers concerned, Threema had already been pinned in January 2018 for security flaws in its Android application.
A few months earlier, it was the turn of the MEGA cloud storage service to see its security called into question. If the market for encrypted services is not to be questioned, it is useful to keep in mind that, even if it is considered unlikely, a hack is always possible. Moreover, even if companies like Threema have strong founding principles in terms of security, and if their tools seem infallible, many depend on their reactivity in the event of a failure, and their sincerity towards their customers and above all …of themselves.
