New Threat Model Identified for E2E Encrypted Applications
Quick take - The article describes a newly identified threat model for end-to-end encrypted applications: injection attacks in which an adversary sends chosen messages to a target client and then infers confidential information from the size of the encrypted backups of widely used messaging apps such as WhatsApp and Signal. It concludes that these applications need stronger security measures.
Fast Facts
- A new threat model for end-to-end (E2E) encrypted applications highlights injection attacks that allow adversaries to send chosen messages to target clients, potentially leading to malicious content being stored in an observable manner.
- Research focused on WhatsApp and Signal, revealing that attackers could recover information from E2E encrypted messages if they compromise a user’s Google or Apple account, and weaknesses in Signal’s backup design could expose metadata.
- The study identified three attack vectors in WhatsApp: deduplication of attachments, compression of the database file, and a keyword search index, which can leak information about received messages and attachments.
- Signal has implemented mitigations for the identified weaknesses; WhatsApp acknowledged them but had not deployed fixes at the time of reporting. The authors argue this shows the need for comprehensive security evaluations of E2E encrypted applications.
- The authors propose countermeasures like disabling deduplication and compression, though these may affect performance, and call for further research to develop robust security mechanisms against injection attacks.
New Threat Model for E2E Encrypted Applications
A new threat model concerning end-to-end (E2E) encrypted applications has been identified, focusing on injection attacks that allow adversaries to send chosen messages to target clients. These attacks can lead to the injection of malicious content into the application’s state. Once encrypted, this content is stored in a manner that remains observable to the adversary. By analyzing the lengths of the resulting ciphertexts stored in the cloud, attackers can potentially infer confidential information from the encrypted data.
Research Context and Findings
The research investigates this injection threat model within the context of widely used encrypted messaging applications, namely WhatsApp and Signal. Both applications support E2E encrypted backups. Proof-of-concept attacks were conducted, demonstrating that an adversary could recover information about E2E encrypted messages or attachments sent via WhatsApp if they can compromise the target user’s Google or Apple account. Moreover, weaknesses in Signal’s backup design were identified, which could enable attackers to infer metadata, such as the number of contacts and conversations, if they gain access to the user’s encrypted Signal backup.
While the authors indicate that these findings are not an immediate concern for users, they highlight an urgent need for enhanced security measures in E2E encrypted applications. E2E encryption has significantly improved data confidentiality and integrity across various applications, including messaging and cloud storage. However, the complexity of these tools has escalated with the introduction of backup features that allow users to recover messages when switching devices. WhatsApp offers automatic backup uploads to Google Drive or iCloud, while Signal provides manual export options. Importantly, these backups are encrypted and intended to be decryptable only by the legitimate user, maintaining the same confidentiality level as E2E encrypted messaging.
Attack Vectors and Security Analysis
The research introduces novel attacks targeting the backup mechanisms of E2E encrypted messaging applications. These attacks do not compromise the E2E encryption protocol itself; instead, they exploit vulnerabilities inherent in the backup systems. A security analysis was performed on both WhatsApp and Signal, identifying three distinct attack vectors for WhatsApp: deduplication of attachments, compression of the serialized database file, and the use of a search index for messages.
The deduplication mechanism permits attackers to infer information about received attachments by observing changes in backup sizes. The compression mechanism can be manipulated to deduce which messages were recently received by the target user through binary search-style injection attacks. Additionally, the keyword search index in WhatsApp can leak insights into the messages received by the target user. Despite Signal’s backup mechanism being more secure, the study reveals that it still allows for attacks that can infer metadata about the user’s contacts and messages.
The authors stress the necessity for continued research to develop tools that provide robust E2E security guarantees. Ethical considerations were rigorously observed during the experiments, which were designed to impose minimal load on the messaging services. The findings have been reported to both Signal and WhatsApp. Signal has implemented mitigations in response to the identified vulnerabilities, while WhatsApp acknowledged these vulnerabilities but had not deployed any mitigations at the time of the report.
Conclusion and Recommendations
The article underscores the critical need for comprehensive security evaluations for E2E encrypted applications, especially as more platforms adopt similar encryption standards. The authors propose potential countermeasures, such as disabling deduplication and compression, cautioning that such measures may impact performance. They advocate for future work to explore principled mechanisms for discovering and mitigating injection attacks in E2E encrypted applications.
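To make the size side channel behind the attack vectors described above and the countermeasures proposed here concrete, the following is an added Python simulation (not code from the paper, WhatsApp or Signal): it models a backup as compress-then-encrypt with a length-preserving cipher, stores attachments with and without deduplication, and runs a defender's self-check for whether one injected message or file changes the observable size in a way that reveals what was already stored. The message list, attachment blobs and block size are constructed assumptions.

```python
import hashlib
import zlib

# Constructed toy backup contents, not real WhatsApp or Signal data.
STORED_MESSAGES = [
    "lunch at noon tomorrow?",
    "the meeting room code is 4471",
    "see you at the station",
]
STORED_ATTACHMENTS = [b"\x89PNG cat picture " * 64, b"%PDF invoice " * 128]
# Same length as STORED_MESSAGES[1] but sharing no text with the store.
DECOY = "".join(chr(65 + i % 26) for i in range(len(STORED_MESSAGES[1])))


def backup_size(messages, compress=True, pad_to=0):
    """Ciphertext length an observer sees for a backup of `messages`.
    Encryption is modelled as length-preserving plus a 16-byte AEAD tag;
    compression, when on, runs before encryption as in the WhatsApp design
    the article describes; pad_to pads the plaintext to a block multiple."""
    blob = "\n".join(messages).encode()
    if compress:
        blob = zlib.compress(blob, 9)
    if pad_to:
        blob += b"\x00" * (-len(blob) % pad_to)
    return len(blob) + 16


def length_delta(messages, injected, **kw):
    """Backup growth after one chosen message is injected."""
    return backup_size(messages + [injected], **kw) - backup_size(messages, **kw)


def leaks_membership(messages, guess, decoy, **kw):
    """Defender's self-check: True if the size delta distinguishes a guess that
    equals a stored message from a same-length decoy that matches nothing."""
    assert len(guess) == len(decoy)
    return length_delta(messages, guess, **kw) != length_delta(messages, decoy, **kw)


def attachment_store_size(attachments, dedupe=True):
    """Bytes stored for attachments; with dedupe, identical files are kept once."""
    if dedupe:
        attachments = list({hashlib.sha256(a).digest(): a for a in attachments}.values())
    return sum(len(a) for a in attachments)


def attachment_leaks(attachments, injected, dedupe=True):
    """True if injecting a file does not grow the store, revealing it was already there."""
    before = attachment_store_size(attachments, dedupe)
    return attachment_store_size(attachments + [injected], dedupe) == before
```

Padding only hides the difference while the sizes stay inside one block, whereas disabling compression removes the compression signal entirely, which is why the authors list it as a countermeasure despite the performance cost.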