Paper 2021/214

Mesh Messaging in Large-scale Protests: Breaking Bridgefy

Martin R. Albrecht, Jorge Blasco, Rikke Bjerg Jensen, and Lenka Mareková

Abstract

Mesh messaging applications allow users in relative proximity to communicate without the Internet. The most viable offering in this space, Bridgefy, has recently seen increased uptake in areas experiencing large-scale protests (Hong Kong, India, Iran, US, Zimbabwe, Belarus), suggesting its use in these protests. It is also being promoted as a communication tool for use in such situations by its developers and others. In this work, we report on a security analysis of Bridgefy. Our results show that Bridgefy, as analysed, permitted its users to be tracked, offered no authenticity, no effective confidentiality protections and lacked resilience against adversarially crafted messages. We verified these vulnerabilities by demonstrating a series of practical attacks on Bridgefy. Thus, if protesters relied on Bridgefy, an adversary could produce social graphs about them, read their messages, impersonate anyone to anyone and shut down the entire network with a single maliciously crafted message.

Metadata
Available format(s)
PDF
Category
Applications
Publication info
Published elsewhere. CT-RSA 2021
DOI
10.1007/978-3-030-75539-3_16
Keywords
mesh messaging, security analysis
Contact author(s)
lenka marekova 2018 @ live rhul ac uk
martin albrecht @ rhul ac uk
jorge blascoalis @ rhul ac uk
rikke jensen @ rhul ac uk
History
2021-05-21: revised
2021-03-02: received
Short URL
https://ia.cr/2021/214
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2021/214,
      author = {Martin R. Albrecht and Jorge Blasco and Rikke Bjerg Jensen and Lenka Mareková},
      title = {Mesh Messaging in Large-scale Protests: Breaking Bridgefy},
      howpublished = {Cryptology {ePrint} Archive, Paper 2021/214},
      year = {2021},
      doi = {10.1007/978-3-030-75539-3_16},
      url = {https://eprint.iacr.org/2021/214}
}