We investigate whether modern messaging apps achieve the strong post-compromise security guarantees offered by their underlying protocols. In particular, we perform a black-box experiment in which a user becomes the victim of a clone attack; in this attack, the user’s full state (including identity keys) is compromised by an attacker who clones their device and then later attempts to impersonate them, using the app through its user interface. Our attack should be prevented by protocols that offer post-compromise security, and thus, by all apps that are based on Signal’s double-ratchet algorithm (for instance, the Signal app, WhatsApp, and Facebook Secret Conversations). Our experiments reveal that this is not the case: most deployed messaging apps fall far short of the security that their underlying mechanisms suggest. We conjecture that this security gap is a result of many apps trading security for usability, by tolerating certain forms of desynchronization. We show that the tolerance of desynchronization necessarily leads to loss of post-compromise security in the strict sense, but we also show that more security can be retained than is currently offered in practice. Concretely, we present a modified version of the double-ratchet algorithm that tolerates forms of desynchronization while still being able to detect cloning activity. Moreover, we formally analyze our algorithm using the Tamarin prover to show that it achieves the desired security properties.
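As an added illustration of the abstract's argument (example code, not the paper's algorithm or the authors' code): a toy model of three receiver policies, showing why accepting stale epochs gives up strict post-compromise security, yet a clone can still be caught once it advances from the same copied state as the honest device. `Device`, the receiver classes and `run_scenario` are hypothetical simplifications that assume a single random value per epoch stands in for the DH ratchet key in a message header.

```python
import os

class Device:
    """Toy sender state: epoch plus a per-epoch ratchet public value (stands in
    for the DH ratchet key carried in a message header). Hypothetical model."""
    def __init__(self, epoch=0, pub=None):
        self.epoch, self.pub = epoch, pub or os.urandom(8)
    def send(self, text):
        return (self.epoch, self.pub, text)
    def ratchet(self):  # fresh randomness a clone taken earlier cannot know
        self.epoch, self.pub = self.epoch + 1, os.urandom(8)
    def clone(self):    # attacker copies the full state (the clone attack)
        return Device(self.epoch, self.pub)

class NaiveReceiver:
    """Accepts anything, so a clone is never noticed."""
    def receive(self, msg):
        return "ok"

class StrictReceiver:
    """Strict PCS: never accept an epoch older than the newest one seen.
    Stops a stale clone, but also breaks a benignly lagging honest device."""
    def __init__(self):
        self.newest, self.seen = -1, {}
    def receive(self, msg):
        epoch, pub, _ = msg
        if epoch < self.newest:
            return "reject"
        self.newest = epoch
        return "clone" if self.seen.setdefault(epoch, pub) != pub else "ok"

class ForkDetectingReceiver:
    """Tolerates lag (old epochs accepted) yet flags a fork: two different
    ratchet values for one epoch cannot come from a single honest device."""
    def __init__(self):
        self.seen = {}
    def receive(self, msg):
        epoch, pub, _ = msg
        return "clone" if self.seen.setdefault(epoch, pub) != pub else "ok"

def run_scenario(receiver):
    """Alice is cloned at epoch 0 and ratchets once; the clone then catches up."""
    alice = Device()
    clone = alice.clone()
    alice.ratchet()
    out = [receiver.receive(alice.send("hi"))]         # honest, epoch 1
    out.append(receiver.receive(clone.send("stale")))  # clone, still epoch 0
    clone.ratchet()                                    # clone forks epoch 1
    out.append(receiver.receive(clone.send("fork")))
    return out
```

The fork-detecting receiver accepts the stale message (the loss of strict PCS) but still reports the clone on its third message, while the strict receiver would equally reject an honest device that merely lagged behind.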
ACM Conference on Computer and Communications Security (CCS)
2020-07-30
2024-11-01