EFF revises IM safety ratings after pen testers pop 'secure' tools

Pen tests find holes galore in common messaging apps


BSides Canberra Australian security duo Matt Jones and Daniel Hodson have found dangerous vulnerabilities in popular instant messaging platforms marked "secure" by the Electronic Frontier Foundation's (EFF) Scorecard.

The EFF says its Secure Messaging Scorecard (SMS) should not be viewed as an endorsement of a given IM platform and says it will update the page to make that statement clearer.

"We're working on a new format and update to SMS (the Scorecard) which will hopefully make it even more clear that it is not an endorsement of any tool, and that although many of the criteria on the Scorecard are necessary for a tool to be secure, some of them matter more than others – and even achieving all of them won't always guarantee security in practice," an EFF spokeswoman told Vulture South.

The Scorecard slaps green ticks on IM clients that boast certain security features. It is designed so non-security-savvy users can find a client that claims to encrypt data in transit, documents its security design, and has recently audited code.

Jones and Hodson – partners with security consultancy Elttam – conducted 24-hour penetration tests of various complexity over six months, targeting a selection of instant messaging platforms listed on the EFF Scorecard and found code execution and communication interception problems in many.

"The criteria for getting a green tick in that box is simply saying 'yes we've had a code audit, yes we are doing this' but there is no actual validation," Hodson told the BSides hacker conference in Canberra last week.

"We find it peculiar to say the least."

Hodson says the Scorecard is a valid concept but needs to be supported with more rigorous security testing.

Figure: The EFF's secure messaging scorecard.

For some clients awarded green ticks, Jones and Hodson's reviews found poor code design in minutes, cross-site scripting equivalent flaws in 30 minutes, and XML external entity holes in an hour.

It led to deanonymization attacks, code execution, theft of keys and text messages, and denial of service. "It is crazy to see this kind of information going out to so many users globally," Jones (@volvent) said. "Doing a decent audit requires time."

Matt Jones (left) and Dan Hodson. Photo by Darren Pauli / The Register.

Jones said "knee-jerk patching" is common: individual vulnerabilities are fixed without any overall assessment of code quality, which misses systemic issues.

The pair are now assessing which clients deserve week-long security audits to flush out deeper security issues of the kind that lead to attacks like the SSL bug Heartbleed.

The EFF welcomed the audit. Both the Foundation and the research pair hope to work the security findings into the next iteration of the Scorecard.

"We are also very glad to see security researchers taking a deeper dive into these issues and we're looking forward to seeing the results," the EFF spokesperson says.

Tests of LibOTR, and potentially Ricochet and Signal, are also on the researchers' cards. The pair will conduct ongoing assessments of instant messaging clients and post about their findings in a series of blog posts. ®
