EFF revises IM safety ratings after pen testers pop 'secure' tools
Pen tests find holes galore in common messaging apps
BSides Canberra Australian security duo Matt Jones and Daniel Hodson have found dangerous vulnerabilities in popular instant messaging platforms marked "secure" by the Electronic Frontier Foundation's (EFF) Scorecard.
The EFF says its Secure Messaging Scorecard (SMS) should not be viewed as an endorsement of a given IM platform and says it will update the page to make that statement clearer.
"We're working on a new format and update to SMS (the Scorecard) which will hopefully make it even more clear that it is not an endorsement of any tool, and that although many of the criteria on the Scorecard are necessary for a tool to be secure, some of them matter more than others – and even achieving all of them won't always guarantee security in practice," an EFF spokeswoman told Vulture South.
The Scorecard slaps green ticks on IM clients that boast certain security features. It is designed so non-security savvy users can find a client that claims to encrypt data in transit, documents security design, and has recently audited code.
Jones and Hodson – partners with security consultancy Elttam – conducted 24-hour penetration tests of various complexity over six months, targeting a selection of instant messaging platforms listed on the EFF Scorecard and found code execution and communication interception problems in many.
"The criteria for getting a green tick in that box is simply saying 'yes we've had a code audit, yes we are doing this' but there is no actual validation," Hodson told the BSides hacker conference in Canberra last week.
"We find it peculiar to say the least."
Hodson says the Scorecard is a valid concept but needs to be supported with more rigorous security testing.
For some clients awarded green ticks, Jones and Hodson's reviews found poor code design in minutes, cross-site scripting equivalent flaws in 30 minutes, and XML external entity holes in an hour.
It led to deanonymization attacks, code execution, theft of keys and text messages, and denial of service. "It is crazy to see this kind of information going out to so many users globally," Jones (@volvent) said. "Doing a decent audit requires time."
Matt Jones (left) and Dan Hodson ... Photo by Darren Pauli / The Register.
Jones said "knee-jerk patching" is common in which vulnerabilities will be fixed without an overall assessment of code quality being done which misses systemic issues.
The pair are now assessing what clients are deserving of week-long security audits to flush out deeper security issues that lead to attacks like the SSL bug Heartbleed.
The EFF welcomed the audit. Both the Foundation and the research pair hope to work the security findings into the next iteration of the Scorecard.
"We are also very glad to see security researchers taking a deeper dive into these issues and we're looking forward to seeing the results," the EFF spokeperson says.
Tests of LibOTR, and potentially Ricochet and Signal are also on the researchers' cards. The pair will conduct ongoing assessments of instant messaging clients and post about their findings in a series of blog posts. ®