Breaking Bridgefy, again

Adopting libsignal is not enough

We analysed the Bridgefy messaging application and found that your private messages are not safe.

What is Bridgefy?
Bridgefy is a messaging application that uses Bluetooth to transmit messages, so that no Internet is required. Its developers (1, 2, 3, 4, 5, 6, 7) and others (Reuters, Forbes) have advertised it for use in areas witnessing large-scale protests and often violent confrontations between protesters and agents of the state. After a security analysis in August 2020 by Martin R. Albrecht, Jorge Blasco, Rikke Bjerg Jensen, and Lenka Mareková reported severe vulnerabilities, the Bridgefy developers adopted the Signal protocol. The Bridgefy developers then continued to advertise their application as being suitable for use by higher-risk users, for example during the Russian invasion of Ukraine in 2022 (8, 9, 10, 11).
Results

In this work, we analyse the revised security architecture of Bridgefy and report several vulnerabilities. The headline news is that we found a practical attack, with a proof-of-concept implementation, that breaks the confidentiality of libsignal-protected private messages and succeeds with a probability of about 50%. Please note that this attack in no way threatens Signal or libsignal itself; it exploits how Bridgefy uses the library.

Our other findings include:

  1. Bridgefy users can still be tracked.
  2. Broadcast messages remain unauthenticated; an attacker can exploit this to mount impersonation attacks.
  3. The protocol remains susceptible to an attacker in the middle. While such an attack is now limited to the first exchange between a pair of users (i.e., it abuses a “trust on first use” or TOFU assumption), we note that Bridgefy offers users no option to verify the public keys of their contacts.
  4. Any nodes in the network that receive a single carefully crafted message become unable to participate in further network communication.
  5. The broadcast encryption mechanism employed by the Bridgefy SDK is susceptible to a ciphertext-only attack under the assumption that plaintexts come from a small domain. The Bridgefy messenger is not affected by this.
Disclosure

We disclosed our first vulnerabilities to Bridgefy in May 2021. According to the developers, the vulnerability allowing an attacker to read encrypted messages was fixed on 14 August 2021. The disclosure of our attacks on the broadcast encryption followed in September 2021. We asked the developers to comment on the remediation progress in early February 2022; however, at the time of writing, the state of the remediation remains unclear.

We recommend that users avoid Bridgefy until its developers have committed to regular public security audits by respected third party auditors.

Paper
You can find more details in our research paper which we presented at the 31st USENIX Security Symposium.
Demo
A video demo of the TOCTOU attack can be found here on Twitter.
Exploit Code
The source code for our attacks is available here on GitHub.
Team

We are academic researchers from ETH Zurich and Royal Holloway: