Cryptology ePrint Archive: Report 2021/214

Mesh Messaging in Large-scale Protests: Breaking Bridgefy

Martin R. Albrecht and Jorge Blasco and Rikke Bjerg Jensen and Lenka Mareková

Abstract: Mesh messaging applications allow users in relative proximity to communicate without the Internet. The most viable offering in this space, Bridgefy, has recently seen increased uptake in areas experiencing large-scale protests (Hong Kong, India, Iran, US, Zimbabwe, Belarus), suggesting its use in these protests. It is also being promoted as a communication tool for use in such situations by its developers and others. In this work, we report on a security analysis of Bridgefy. Our results show that Bridgefy, as analysed, permitted its users to be tracked, offered no authenticity, no effective confidentiality protections and lacked resilience against adversarially crafted messages. We verified these vulnerabilities by demonstrating a series of practical attacks on Bridgefy. Thus, if protesters relied on Bridgefy, an adversary could produce social graphs about them, read their messages, impersonate anyone to anyone and shut down the entire network with a single maliciously crafted message.

Category / Keywords: applications / mesh messaging, security analysis

Original Publication (in the same form): CT-RSA 2021
DOI: 10.1007/978-3-030-75539-3_16

Date: received 26 Feb 2021, last revised 21 May 2021

Contact author: lenka marekova 2018 at live rhul ac uk, martin albrecht at rhul ac uk, jorge blascoalis at rhul ac uk, rikke jensen at rhul ac uk

Available format(s): PDF | BibTeX Citation

Version: 20210521:112743

Short URL: ia.cr/2021/214
