<h1>Threema vulnerabilities, and which instant messenger has the best protection?</h1>
<p>Published 2023-01-13 (last modified 2023-01-14) at <a href="https://me-en.kaspersky.com/blog/7-threema-vulnerabilities/20568/">https://me-en.kaspersky.com/blog/7-threema-vulnerabilities/20568/</a>. What to do if your secret messenger isn’t secret enough.</p>
<p>One of the most popular secure messengers, Threema, found itself at the center of a scandal this week. Researchers at ETH Zurich, a public research university in Switzerland, found seven (7!) vulnerabilities in Threema’s protocols. Meanwhile, the app’s developers downplayed the bugs, blogging that they’d “resolved all issues within a few weeks” and that “none of them ever had any considerable real-world impact”. So what’s really going on, and should you switch to Signal right away?</p>
<p>It’s hard to get to the bottom of the Threema scandal, because both sides’ behavior, while civilized, isn’t ideal. The ETH Zurich team has clearly overstated the significance of its <a href="https://breakingthe3ma.app/" target="_blank" rel="nofollow noopener">work</a>, which describes not only vulnerabilities but also hypothetical exploitation scenarios, while Threema’s developers are clearly <a href="https://threema.ch/en/blog/posts/news-alleged-weaknesses-statement" target="_blank" rel="nofollow noopener">understating</a> the seriousness of the vulnerabilities — claiming they’re near impossible to exploit.</p>
<p>For those interested only in practical takeaways, we suggest <a href="#takeways" target="_blank" rel="noopener">jumping straight to them</a> (at the end of this post).</p>
<h2>Threema vulnerabilities</h2>
<p>All vulnerabilities were responsibly disclosed in October and promptly fixed. According to both sides, the vulnerabilities were not exploited in the wild, so there appear to be no grounds to fear the disclosure of information about them. That said, there’s still reason for concern.</p>
<p>Let’s focus on what can be gleaned from a careful read of the ETH Zurich report, the Threema statement, and other publicly available studies of the Threema app and its protocols.</p>
<p>The app uses strong cryptographic algorithms with a robust, standardized NaCl implementation. However, this is wrapped in Threema’s own information exchange protocol — whose implementation is imperfect. This raises the possibility of various theoretical attacks (such as sending a message in a group chat that looks different to different recipients), as well as some rather practical ones. For example, anyone with physical access to the target smartphone will be able to read the Threema databases and backups on it relatively easily — if no passphrase has been set to protect the app. It’s also possible to clone a Threema ID, allowing an attacker to send messages in the victim’s name (but not at the same time). Of course, all scenarios involving physical access to a smartphone are close to worst-case for any app, and they’re incredibly difficult to defend against.</p>
<p>Some of the proposed hypothetical attacks through the new vulnerabilities would work only if an attacker has full control over the data exchange network. But that in itself isn’t enough; other complex exploitation conditions are also required. For example, one scenario requires forcing the victim to send a message with very strange content through Threema. That’s unlikely to work in practice.</p>
<p>Of the flaws in the communication protocol itself, the most disturbing is the lack of <a href="https://www.kaspersky.com/blog/33c3-private-messenger-basics/13820/" target="_blank" rel="noopener nofollow">perfect forward secrecy</a>. That is, having decrypted one message, you can decrypt later ones. This weakness has been <a href="https://soatok.blog/2021/11/05/threema-three-strikes-youre-out/" target="_blank" rel="nofollow noopener">known</a> for some time, which is apparently why, in December, Threema announced a fundamentally new, more secure version of its protocol. This new protocol — Ibex — has yet to undergo an independent security audit. We can only take the developers at their word when they say that it covers all facets of modern practical cryptography. Threema would be wise to heed ETH Zurich’s advice to have its protocols audited externally in the early stages of development — not after releasing them.</p>
<p>To exploit some of the vulnerabilities, the Threema server would have to be compromised, with someone on the operator side deliberately trying to steal exchanged data or disrupt communication. This matters for organizations that use Threema Work: if a company can’t expose its data to even a hypothetical risk, it should consider switching to Threema OnPrem, where it runs its own internal Threema server. In that case, its administrators need to explore ways to strengthen server security (known as hardening).</p>
<p>App developers, too, need to draw lessons from this situation. “Don’t concoct your own cryptographic algorithms!” cryptography experts scream endlessly (Telegram, for one, didn’t listen). But Threema’s developers employed time-tested cryptographic algorithms with their correct, standard implementation! A number of bugs crept in because that standard cryptography was used inside Threema’s own client-server communication protocol, deployed in place of standard TLS. Looks like the experts should have screamed “Don’t concoct your own cryptographic algorithms and protocols!”</p>
<h2><span id="takeways">Practical takeaways</span></h2>
<p>If you chose Threema believing it’s the “most encrypted messenger”, don’t mind using your phone number with an instant messenger, and don’t want to get bogged down in technical details, you’re better off switching to Signal. As proven by <a href="https://www.kaspersky.com/blog/signal-hacked-but-still-secure/45273/" target="_blank" rel="noopener nofollow">real hacks</a> and <a href="https://signal.org/bigbrother/cd-california-grand-jury/" target="_blank" rel="nofollow noopener">court orders</a>, Signal’s cryptography and data storage principles are more robust and resistant. If you have to use Threema as your main working messenger, or you like that your Threema ID isn’t linked to your phone number, you can carry on using it, but just be aware of the risks. They may be hypothetical — but they cannot be completely discounted. Be sure to double-check and verify offline the Threema IDs of new contacts, and use a passphrase for secure login.</p>
<p>Medium and large organizations that use Threema in their business processes should seriously consider migrating to Threema OnPrem to have full control over the messenger servers.</p>
<p>Categories: business, enterprise, SMB. Tags: tips, encryption, messengers, privacy.</p>