Threema asserts that encryption flaws have never had any real-world consequences

A paper by researchers at ETH Zurich describes multiple security flaws found in Threema. It is a secure, end-to-end encryption app that allows for encrypted communication.

Threema, a Swiss-made privacy and security-enhanced communications app, is used by the government of Switzerland, and more than 10,000,000 users worldwide.

Seven attacks were devised by the ETH Zurich team against Threema’s protocol. These could impact privacy over communication via the app including deleting private keys and breaking authentication.

Threema received the findings on October 20, 222. Soon afterward, the software company released “Ibex,” a stronger protocol that, they claim, addresses the problems.

Threema ultimately dismissed the significance of ETH Zurich’s research and stated that the issues disclosed are not relevant to the protocol utilized by the software. It also said that they have never had any real-world effect.

Threema Breaking

Because Threema did not have forward- or post-compromise security, the ETH Zurich team decided that it should be investigated by security experts.

Although the researchers have published an describing their findings, the key issues that they discovered can be below:

• Improbability of Ephemeral Key An attacker could forever pretend to be a client by taking their ephemeral keys. Threema also appeared to be using the ephemeral key multiple times instead of reusing it.
• Forgery of a voucher box An attacker could trick an user into giving them a valid coupon box and then use that to pretend to be the client on the server.
• Ordering messages and deletion A malicious server may forward messages to one or more users in an arbitrary sequence, withhold specific messages delivery, which acts as deletion.
• Replay and Reflection Attacks – The Android Threema message database isn’t transferable. This opens the door to reflection attacks and message replaying.
• Kompromat attack A malicious server may trick a client into using the exact same key to talk to it during initial registration and to communicate with other E2E users.
• Cloning using Threema ID export An attacker may clone accounts of other individuals on their devices during window of opportunity. This is when the victim leaves their device open and unattended.
• Compression side channel – An attacker can extract the private key of a Threema user by controlling their username and forcing backups on Android. This attack could take several hours.

Threema was informed by ETH Zurich’s analysts on October 3, 2022. They also provided mitigation suggestions and they agreed to publish the issues January 9, 2023.

Threema also released Ibex on 29 November 2022. This protocol implements forward security to Threema’s e2ee Layer. This protocol is not yet audited.

Threema’s Response

Threema issued a statement regarding the issue disclosure, noting that the findings’ current applicability or historic significance overall don’t have significant “real-world” impact.

Threema explains:

• In 2021, the ‘Cloning via Threema ID Export’ attack was discovered and dealt with.
• The “Ephemeral Key compromise Impersonation” attack is purely technical and does not have any practical application whatsoever.
• “Social engineering” is used to attack the ‘Vouch Box Forgery’. This could not be applied in practice and would require extensive and uncommon cooperation from the target user.
• Other attacks involve physical access to unlocked devices over a long period of time or access to unlocked Threema devices.

Threema dismisses that the “Ibex” protocol was designed to accommodate the findings from the ETH Zurich group. The protocol is in development since 1.5 years.

Threema also claims its publication coincided with researchers’ disclosure.