Bridgefy

Industry: software, technology
Founded: 2014
Founder: Jorge Rios, Roberto Betancourt, Diego Garcia
Headquarters: Mexico
Area served: Worldwide
Products: Bridgefy App
Website: bridgefy.me

Bridgefy is a Mexican software company with offices in Mexico [1] and California, United States, dedicated to developing mesh-networking technology for mobile apps. It was founded circa 2014 by Jorge Rios, Roberto Betancourt and Diego Garcia, who conceived the idea while participating in a tech competition called StartupBus. [2] Bridgefy's smartphone ad hoc network technology, apparently using Bluetooth Mesh, is licensed to other apps. [3] [4] [5] The app gained popularity during protests in different countries because it can operate without an Internet connection, using Bluetooth instead. Aware of the security issues of not using cryptography and the criticism surrounding it, [6] Bridgefy announced in late October 2020 that it had adopted the Signal Protocol, in both its app and SDK, to keep information private, [7] though security researchers have demonstrated that Bridgefy's usage of the Signal Protocol is insecure. [8]

Usage

The app gained popularity as a communication tactic during the 2019–2020 Hong Kong protests and the Citizenship Amendment Act protests in India, [9] because Bluetooth's limited range requires anyone who wants to intercept a message to be physically close, and because devices can be daisy-chained to send messages further than Bluetooth's range. [10] [11] [12] [13]

Security

In August 2020, researchers published a paper describing numerous attacks against the application, which allow de-anonymizing users, building social graphs of users' interactions (both in real time and after the fact), decrypting and reading direct messages, impersonating users to anyone else on the network, completely shutting down the network, and performing active man-in-the-middle attacks to read messages and even modify them. [6]

In response to the disclosures, the developers acknowledged that "no part of the Bridgefy app is encrypted now" and gave a vague promise to release a new version "encrypted with top security protocols". [14] Later, the developers said they planned to switch to the Signal Protocol, which is widely recognized by cryptographers and used by Signal and WhatsApp. [6] The Signal Protocol was integrated into the Bridgefy app and SDK by late October 2020, with the developers claiming that the improvements made it impossible, among other things, for a third person to impersonate any other user, to perform man-in-the-middle attacks by modifying stored keys, or to carry out historical proximity tracking. [7]

However, in 2022, the same security researchers, now including Kenny Paterson, published a paper describing how Bridgefy's usage of the Signal Protocol was incorrect, failing to remedy the previously discovered issues. [15] The researchers performed a demonstration, showing that it was possible for users to intercept messages intended for others without the sender noticing. [16] The researchers disclosed the vulnerabilities to the developers of Bridgefy in August 2021, but, according to the researchers, the developers had yet to resolve the issues as of June 2022. [8]

On July 31, 2023, the security firm 7asecurity released a blog post and pentest report of a white box penetration test and overall security review of the Bridgefy app in collaboration with the platform's developers. Their review, which began in November 2022 and concluded in May 2023, identified multiple critical vulnerabilities throughout the application. Many of the issues were fixed, or partially fixed, before the end of the audit, including user impersonation and biometric bypass. Bridgefy also published a blog post on August 8, 2023, announcing the audit results.

Related Research Articles

Instant messaging: Form of computer communication over the internet or locally

Instant messaging (IM) technology is a type of synchronous computer-mediated communication involving the immediate (real-time) transmission of messages between two or more parties over the Internet or another computer network. Originally involving simple text message exchanges, modern IM applications and services tend to also feature the exchange of multimedia, emojis, file transfer, VoIP, and video chat capabilities.

End-to-end encryption (E2EE) is a private communication system in which only communicating users can participate. As such, no one else, including the communication system provider, telecom providers, Internet providers or malicious actors, can access the cryptographic keys needed to converse. End-to-end encryption is intended to prevent data being read or secretly modified, other than by the true sender and recipient(s). The messages are encrypted by the sender but the third party does not have a means to decrypt them, and stores them encrypted. The recipients retrieve the encrypted data and decrypt it themselves. Because no third parties can decipher the data being communicated or stored, for example, companies that provide end-to-end encryption are unable to hand over texts of their customers' messages to the authorities.

Moxie Marlinspike: American entrepreneur

Matthew Rosenfeld, better known by the pseudonym Moxie Marlinspike, is an American entrepreneur, cryptographer, and computer security researcher. Marlinspike is the creator of Signal, co-founder of the Signal Technology Foundation, and served as the first CEO of Signal Messenger LLC. He is also a co-author of the Signal Protocol encryption used by Signal, WhatsApp, Google Messages, Facebook Messenger, and Skype.

Cryptocat: Open source encrypted chat application

Cryptocat is a discontinued open-source desktop application intended to allow encrypted online chatting, available for Windows, OS X, and Linux. It uses end-to-end encryption to secure all communications to other Cryptocat users. Users are given the option of independently verifying their buddies' device lists and are notified when a buddy's device list is modified, and all updates are verified through the built-in update downloader.

Whisper Systems was an American enterprise mobile security company that was co-founded by security researcher Moxie Marlinspike and roboticist Stuart Anderson in 2010. The company was acquired by Twitter in November 2011. Some of the company's software products were released under open-source licenses after the acquisition. An independent group called Open Whisper Systems later picked up the development of this open-source software, which led to the creation of the Signal Technology Foundation.

Guardian Project (software): Open source security software project

The Guardian Project is a global collective of software developers, designers, advocates, activists, and trainers who develop open-source mobile security software and operating system enhancements. They also create customized mobile devices to help individuals communicate more freely and protect themselves from intrusion and monitoring. The effort specifically focuses on users who live or work in high-risk situations and who often face constant surveillance and intrusion attempts into their mobile devices and communication streams.

TextSecure was an encrypted messaging application for Android that was developed from 2010 to 2015. It was a predecessor to Signal and the first application to use the Signal Protocol, which has since been implemented into WhatsApp and other applications. TextSecure used end-to-end encryption to secure the transmission of text messages, group messages, attachments and media messages to other TextSecure users.

Open Whisper Systems: Open source software organization

Open Whisper Systems was a software development group that was founded by Moxie Marlinspike in 2013. The group picked up the open source development of TextSecure and RedPhone, and was later responsible for starting the development of the Signal Protocol and the Signal messaging app. In 2018, Signal Messenger was incorporated as an LLC by Moxie Marlinspike and Brian Acton and then rolled under the independent 501c3 non-profit Signal Technology Foundation. Today, the Signal app is developed by Signal Messenger LLC, which is funded by the Signal Technology Foundation.

FireChat was a proprietary mobile app, developed by Open Garden, which used wireless mesh networking to enable smartphones to pass messages to each other peer-to-peer via Bluetooth, Wi-Fi, or Apple's Multipeer, without an internet connection.

Briar (software): Mesh-networking and messaging app

Briar is an open-source software communication technology, intended to provide secure and resilient peer-to-peer communications with no centralized servers and minimal reliance on external infrastructure. Messages can be transmitted through Bluetooth, Wi-Fi, over the internet via Tor or removable storage, such as USB sticks. All communication is end-to-end encrypted. Relevant content is stored in encrypted form on participating devices. Long-term plans for the project include support for distributed applications such as crisis mapping and collaborative document editing.

HomeKit: Software framework by Apple for home automation

HomeKit, also known as Apple Home, is a software framework and communication protocol developed by Apple Inc. that lets users configure, communicate with and control smart-home appliances using Apple devices. It provides users with a way to automatically discover such devices and configure them. By designing rooms, items and actions in HomeKit, users can enable automations in the home through a voice command to Siri or through Apple's Home app or third party apps. With HomeKit, developers are able to create complex applications in order to manage accessories at a high level.

Smartphone ad hoc networks (SPANs) are wireless ad hoc networks that use smartphones. Once embedded with ad hoc networking technology, a group of smartphones in close proximity can together create an ad hoc network. Smartphone ad hoc networks use the existing hardware in commercially available smartphones to create peer-to-peer networks without relying on cellular carrier networks, wireless access points, or traditional network infrastructure. Wi-Fi SPANs use the mechanism behind Wi-Fi ad-hoc mode, which allows phones to talk directly among each other, through a transparent neighbor and route discovery mechanism. SPANs differ from traditional hub and spoke networks, such as Wi-Fi Direct, in that they support multi-hop routing and relays and there is no notion of a group leader, so peers can join and leave at will without destroying the network.

Wire Swiss GmbH is a software company with headquarters in Zug, Switzerland. Its development center is in Berlin, Germany. The company is best known for its messaging application called Wire.

Signal (software): Privacy-focused encrypted messaging app

Signal is an open-source, encrypted messaging service for instant messaging, voice calls, and video calls. The instant messaging function includes sending text, voice notes, images, videos, and other files. Communication may be one-to-one between users or may involve group messaging.

Eddystone was a Bluetooth Low Energy beacon profile released by Google in July 2015. In December 2018 Google stopped delivering both Eddystone and Physical Web beacon notifications. The Apache 2.0-licensed, cross-platform, and versioned profile contained several frame types, including Eddystone-UID, Eddystone-URL, and Eddystone-TLM. Eddystone-URL was used by the Physical Web project, whereas Eddystone-UID was typically used by native apps on a user's device, including Google's first party apps such as Google Maps.

Bluetooth beacons are hardware transmitters — a class of Bluetooth Low Energy (LE) devices that broadcast their identifier to nearby portable electronic devices. The technology enables smartphones, tablets and other devices to perform actions when in close proximity to a beacon.

Signal Protocol: Non-federated cryptographic protocol

The Signal Protocol is a non-federated cryptographic protocol that provides end-to-end encryption for voice and instant messaging conversations. The protocol was developed by Open Whisper Systems in 2013 and was introduced in the open-source TextSecure app, which later became Signal. Several closed-source applications have implemented the protocol, such as WhatsApp, which is said to encrypt the conversations of "more than a billion people worldwide", or Google, which provides end-to-end encryption by default to all RCS-based conversations between users of its Google Messages app for one-to-one conversations. Facebook Messenger also says it offers the protocol for optional Secret Conversations, as does Skype for its Private Conversations.

Wire is an encrypted communication and collaboration app created by Wire Swiss. It is available for iOS, Android, Windows, macOS, Linux, and web browsers such as Firefox. Wire offers a collaboration suite featuring messenger, voice calls, video calls, conference calls, file-sharing, and external collaboration, all protected by secure end-to-end encryption. Wire offers three solutions built on its security technology: Wire Pro, which offers Wire's collaboration feature for businesses; Wire Enterprise, which includes Wire Pro capabilities with added features for large-scale or regulated organizations; and Wire Red, the on-demand crisis collaboration suite. They also offer Wire Personal, which is a secure messaging app for personal use.

Bluetooth Mesh is a computer mesh networking standard based on Bluetooth Low Energy that allows for many-to-many communication over Bluetooth radio. The Bluetooth Mesh specifications were defined in the Mesh Profile and Mesh Model specifications by the Bluetooth Special Interest Group. Bluetooth Mesh was conceived in 2014 and adopted on July 13, 2017.

Amazon Sidewalk is a low-bandwidth long-range wireless communication protocol developed by Amazon. It uses Bluetooth Low Energy (BLE) for short distance communication, and 900 MHz LoRa and other frequencies for longer distances.

References

  1. "Mexican-based startup".
  2. Velázquez, Franck (November 22, 2018). "Bridgefy, la startup mexicana que te dejará pedir un Uber o recibir una alerta sísmica sin internet" [Bridgefy, the Mexican startup that will let you call an Uber or receive a seismic alert without the Internet]. Entrepreneur (in Spanish). Archived from the original on September 4, 2019. Retrieved September 4, 2019.
  3. Silva, Matthew De (3 September 2019). "Hong Kong protestors revive mesh networks to preempt internet shutdown". Quartz. Archived from the original on 2019-09-03. Retrieved 2019-09-03.
  4. "Hong Kong Protestors Are Using An App That Doesn't Need Internet, And Bypass Chinese Snooping". The Times of India. 2019-09-03. Archived from the original on 2019-09-03. Retrieved 2019-09-03.
  5. Thompson, Clive (2019-09-03). "Hong Kong protestors using mesh-networking messaging app to evade authorities". Boing Boing. Archived from the original on 2019-09-03. Retrieved 2019-09-03.
  6. Goodin, Dan (2020-08-24). "Bridgefy, the messenger promoted for mass protests, is a privacy disaster". Ars Technica. Retrieved 2020-08-26.
  7. "Press Release – Major Security Updates at Bridgefy!". Bridgefy. Archived from the original on 2021-12-14. Retrieved 2021-04-27.
  8. Eikenberg, Raphael. "Breaking Bridgefy, again". GitHub. Retrieved 14 June 2022.
  9. Nandi, Tamal (2019-12-19). "Bridgefy: An offline messaging app suddenly gaining traction in India". livemint.com. Retrieved 2019-12-22.
  10. "Hong Kong protesters using Bridgefy to stop China monitoring actions". News | The CEO Magazine. 2019-09-03. Archived from the original on 2019-09-03. Retrieved 2019-09-03.
  11. Jowitt, Tom (2019-09-03). "Bridgefy Grows Amid Hong Kong Protests | Silicon UK Tech News". Silicon UK. Archived from the original on 2019-09-03. Retrieved 2019-09-03.
  12. Wakefield, Jane (2019-09-03). "Hong Kong protesters using Bluetooth app". Archived from the original on 2019-09-04. Retrieved 2019-09-03.
  13. "Hong Kong: Protesters using offline app Bridgefy to avoid being identified". Sky News. Archived from the original on 2019-09-03. Retrieved 2019-09-03.
  14. "Bridgefly: No part of the Bridgefy app is encrypted now". Twitter. Archived from the original on 2020-06-04. Retrieved 2020-08-26.
  15. Albrecht, Martin R.; Eikenberg, Raphael; Paterson, Kenneth G. (2022). "Breaking Bridgefy, again". USENIX Security (22). ISBN 9781939133311. Retrieved 14 June 2022.
  16. Eikenberg, Raphael. "Breaking Bridgefy again attack demo". Twitter. Retrieved 14 June 2022.