Skip to main content

Using messaging service, Bridgefy, could have dire consequences for users if privacy protection issues aren’t fixed

Using messaging service, Bridgefy, could have dire consequences for users if privacy protection issues aren’t fixed

  • Date25 August 2020

Researchers at Royal Holloway have found serious vulnerabilities in the messaging app, Bridgefy which could have significant consequences for its users.

Cyber security - ISG

The messaging app has been advertised for use by people across the world during large-scale protests when normal forms of communication are down, for example due to a government mandated internet shutdown. The developers of the app reported increased uptake from several sites of protest such as Hong Kong, India, Iran, Lebanon, Zimbabwe, and the US.

The academics from the Information Security Group (ISG) at Royal Holloway found that Bridgefy did not design and implement their application with security in mind and have proposed that Bridgefy should make use of an established cryptographic library.

The main flaws found by the researchers in the ISG, Lenka Mareková, Jorge Blasco, Rikke Bjerg Jensen and Martin R. Albrecht, were that Bridgefy did not implement some necessary cryptographic protections and some cryptographic protections were implemented incorrectly.

They also found that the protocol wasn’t designed in a way to minimise information leaking, and its robustness against maliciously crafted messages was weak.

The key feature of Bridgefy is that it exchanges data using Bluetooth when an internet connection is not available. The application can send the following kinds of messages:

  • one-to-one messages between two parties
  • sent over the internet if both parties are online
  • sent directly via Bluetooth if the parties are in physical range, or
  • sent over the Bluetooth mesh network, and
  • Bluetooth broadcast messages that anyone can read in a special “Broadcast mode” room.

Professor Martin Albrecht, from ISG at Royal Holloway, said: “We disclosed the vulnerabilities we found to Bridgefy developers in April this year. They confirmed these vulnerabilities soon after. Following up, the Bridgefy team began to inform their users that they should not expect confidentiality guarantees from the current version of the application.

“In June, they told us they are implementing a switch to the Signal protocol. This would provide cryptographic assurances and would fix many, but not all of the issues we found.”

This research is part of a larger interdisciplinary project between social scientists, systems security researchers and cryptographers on information security needs and requirements in protests. It showcases the integration of different disciplines studying information security as a key feature of the Information Security Group and its Centre for Doctoral Training in Cyber Security for the Everyday.

Explore Royal Holloway

Get help paying for your studies at Royal Holloway through a range of scholarships and bursaries.

There are lots of exciting ways to get involved at Royal Holloway. Discover new interests and enjoy existing ones.

Heading to university is exciting. Finding the right place to live will get you off to a good start.

Whether you need support with your health or practical advice on budgeting or finding part-time work, we can help.

Discover more about our 21 departments and schools.

Find out why Royal Holloway is in the top 25% of UK universities for research rated ‘world-leading’ or ‘internationally excellent’.

Royal Holloway is a research intensive university and our academics collaborate across disciplines to achieve excellence.

Discover world-class research at Royal Holloway.

Discover more about who we are today, and our vision for the future.

Royal Holloway began as two pioneering colleges for the education of women in the 19th century, and their spirit lives on today.

We’ve played a role in thousands of careers, some of them particularly remarkable.

Find about our decision-making processes and the people who lead and manage Royal Holloway today.