In this work, we analyse the revised security architecture of Bridgefy and report severe vulnerabilities:
- Bridgefy users can still be tracked.
- Broadcast messages remain unauthenticated; an attacker can exploit this to mount impersonation attacks.
- The protocol remains susceptible to an attacker in the middle. While such an attack is now limited to the first exchange between a pair of users (i.e., it abuses a “trust on first use” or TOFU assumption), we note that Bridgefy offers users no option to verify the public keys of their contacts.
- Any node in the network that receives a single carefully crafted message becomes unable to participate in further network communication.
The headline news, however, is that we have a practical attack, with a proof-of-concept implementation, that breaks the confidentiality of libsignal-protected private messages and succeeds with a probability of about 50%.
Our attack in no way threatens Signal or libsignal; it targets how Bridgefy uses libsignal.
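
The TOFU finding above turns on the missing key-verification step. As an added example (not code from this work or from Bridgefy; the `TofuStore` class, the `fingerprint` function and the sample keys are hypothetical and constructed), the Python below pins a contact's key on first use, reports a changed key instead of silently re-pinning it, and marks the pin verified only after it matches a fingerprint obtained out of band:

```python
import hashlib
import hmac


def fingerprint(public_key: bytes) -> str:
    """Short digest of a public key that two users can read out and compare."""
    digest = hashlib.sha256(public_key).hexdigest()[:32]
    return " ".join(digest[i:i + 4] for i in range(0, 32, 4))


class TofuStore:
    """Hypothetical per-device pin store: contact id -> [public key, verified?]."""

    def __init__(self):
        self._pins = {}

    def observe(self, contact: str, public_key: bytes) -> str:
        """Record the key seen in a handshake: 'first-use', 'match' or 'changed'."""
        pin = self._pins.get(contact)
        if pin is None:
            # Trust on first use: nothing to compare against, so the key is
            # accepted but stays unverified until the user confirms it.
            self._pins[contact] = [public_key, False]
            return "first-use"
        if hmac.compare_digest(pin[0], public_key):
            return "match"
        return "changed"  # never re-pin silently; surface this to the user

    def verify(self, contact: str, out_of_band_fingerprint: str) -> bool:
        """Compare the pinned key with a fingerprint obtained in person."""
        pin = self._pins[contact]
        pin[1] = hmac.compare_digest(fingerprint(pin[0]), out_of_band_fingerprint)
        return pin[1]

    def is_verified(self, contact: str) -> bool:
        return contact in self._pins and self._pins[contact][1]


if __name__ == "__main__":
    genuine = bytes(range(32))         # constructed stand-in for the contact's real key
    substituted = bytes(range(1, 33))  # constructed key swapped in at first contact
    store = TofuStore()
    print(store.observe("bob", substituted))          # first-use
    print(store.verify("bob", fingerprint(genuine)))  # False
    print(store.observe("bob", genuine))              # changed
```

Without the `verify` step, a key substituted during the first exchange is indistinguishable from the genuine one; with it, the mismatch is visible as soon as the two users compare fingerprints.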