Vulnerabilities in secure messenger Threema discovered
Professor Kenny Paterson, doctoral student Matteo Scarlata and Master's student Kien Tuong Truong (since then also a doctoral student) of the Applied Cryptography Group conducted a security analysis of the Threema messenger application and found vulnerabilities.
The ETH cryptographers Kenny Paterson, Matteo Scarlata and Kien Tuong Truong carried out seven attacks in three different threat scenarios. In one attack, they managed to break authentication in Threema by exploiting the lack of proper key separation between different sub-protocols. In another attack, the researchers managed to recover users' private keys through a compression-based side-channel attack that observes the size of Threema-encrypted backups. Their work highlights some of the difficulties faced by developers of secure messaging systems. Paterson, Scarlata and Tuong Truong also draw three lessons for developers of secure protocols in general.
Paper: Three Lessons from Threema: Analysis of a Secure Messenger
Read the article here: NZZ, "Encryption lags years behind": the Swiss messenger Threema relied on outdated cryptography until recently (original German title: «Verschlüsselung hinkt Jahre hinterher»: Der Schweizer Messenger Threema setzte bis vor kurzem auf veraltete Kryptografie; 9 January 2023, in German)
About Threema
Threema is a Swiss provider of an encrypted messenger application with over 10 million users and 7000 business customers. Along with Signal and Telegram, Threema is promoted as a secure alternative to WhatsApp. The messenger is among the top paid Android apps in Switzerland, Germany, Austria, Canada and Australia. The Swiss government and military use Threema for their official communications. German politicians, including the current German Chancellor Olaf Scholz, also rely on the secure messenger service.
More information
- Kenny Paterson
- Matteo Scarlata
- Kien Tuong Truong
- Applied Cryptography Group