Threema disputes crypto flaws disclosure, prompts security flap

‘Condescending’ response to vulnerability disclosure angers infosec community

Security researchers have defended academics who discovered several serious security flaws in Threema following criticism of their work by developers of the encrypted messaging app.

A team of computer scientists from Swiss university ETH Zurich found a total of seven vulnerabilities in secure messaging app Threema, which boasts 10 million users including the Swiss Government and current Chancellor of Germany, Olaf Scholz.

Threat models

The ETH team – comprising Professor Kenneth Paterson, Matteo Scarlata, and Kien Tuong Truong – found that Threema features neither ‘forward security’ nor post-compromise security.

Forward security means that even after a compromise, an attacker will be unable to decrypt data encrypted prior to the hack. Post-compromise security involves setting up such an architecture so that security can be restored after an attack, providing any attacker is purged from the process of communication exchange.

The seven vulnerabilities discovered fell across three distinct threat models: network attacker, compromised server, and compelled access.

Rolling their own crypto

Problems arose because of Threema’s use of bespoke encryption technologies. For example, the Swiss service’s bespoke client-to-server (C2S) protocol features ephemeral keys. This ought, in theory, to make sessions independent from each other.

However, ETH researchers discovered that compromising a single client ephemeral key allowed an attacker to impersonate that client indefinitely.

DON’T MISS The chance to win swag by telling us how to improve The Daily Swig

The researchers disclosed this flaw and six other vulnerabilities to Threema’s developers in early October last year. Modifications were made before Threema released a new protocol, Ibex, to further mitigate the attacks in late November 2022.

The researchers held off on publishing their findings until Monday January 9, as agreed.

‘Hopelessly oversell’

Threema decided to then disrespect the researchers in responding to publication of their findings, earning the ire of the wider infosec community in the process.

“There’s a new paper on Threema’s old communication protocol,” the vendor wrote on its official Twitter account. “Apparently, today’s academia forces researchers and even students to hopelessly oversell their findings. Here’s some real talk.”

In an associated statement, Threema acknowledged that “while some of the findings presented in the paper may be interesting from a theoretical standpoint, none of them ever had any considerable real-world impact”.

‘Condescending’

Swiss security researcher Christian Folini described Threema’s response as “condescending”.

“It’s not your job to judge the quality of security research. Your job is to get your act together, present us with the fixes, and leave the assessment to third parties,” Folini said on Twitter.

Professor Alan Woodward, a computer scientist at the University of Surrey, agreed that Threema had unnecessarily attacked the researchers for what he characterized as constructive criticism of the encrypted messaging app.

Catch up on the latest encryption security news

“Their [Threema’s] tone was rather dismissive stating it was an older version and they had fixed all the issues identified, but Threema were able to say this because of the work and the responsible disclosure,” Professor Woodward told The Daily Swig.

“I can’t help [but] think that researchers might be less inclined to cooperate as responsibly if the app developers take this attitude.”

On the substance of the security issues identified, Professor Woodward told The Daily Swig that the problems “appears to arise because they [Threema] rolled their own protocol plus they were working with some limitations of the chosen library, Nacl”.

The Daily Swig invited the ETH team to comment on the flaws they discovered and the disclosure process. No word back as yet, but we’ll update this story as and when more information comes to hand.

Professor Kenneth Paterson has spoken publicly of his disappointment in Threema's response.

“After a constructive engagement with ThreemaApp during responsible disclosure, this is unexpectedly dismissive. We broke their protocol six ways. They updated it, thanks to our work,” Professor Paterson said on Twitter.

RELATED Boffins rekindle one-time program cryptographic concept