Breaking FluidNexus before Breakfastby T. Goodspeed, M. L. Patterson, E. Sai

1. Breaking FluidNexus before Breakfast
2.  
3. by T. Goodspeed, M. L. Patterson, E. Saitta, and three bottles of Club Mate
4.  
5. ## Introduction
6.  
7. The following is the story of how a few neighbors who were waiting for
8. breakfast broke the security of FluidNexus, a short messaging service
9. that runs through Bonjour and Bluetooth to allow for communication
10. when cellular networks are cut during protests. It uses a naive
11. broadcast model for message passing, which, while practical for the
12. narrowly understood purpose--keeping communication links active when
13. network infrastructure becomes unusable--is extremely dangerous in the
14. much more loaded context for which it is intended.
15.  
16. FluidNexus is directly marketed toward activists and dissidents,
17. particularly those within regimes that might attack such a messaging
18. service or its users. The product is fine as a fashion accessory or
19. as a toy, but in practice it is worse than useless. It is so
20. horrifically insecure as to get its users killed. Furthermore, the
21. FluidNexus author has proven worse than unresponsive--indeed, outright
22. belligerent--when confronted with the dangerous flaws in his design
23. and implementation, and thus it behooves us to respond publicly and
24. adamantly to his new-media hipster douchebaggery before his software
25. puts anyone's life or liberty at risk.
26.  
27. We would like to emphasize that these results really were found before
28. breakfast, and that patching the issues we highlight here will not be
29. sufficient to repair FluidNexus as a product. It is hopelessly
30. insecure and cannot be repaired without a complete rewrite by an
31. author who understands security. The only responsible move on the
32. FluidNexus implementer's part is to withdraw his application from the
33. Android Market, cease distribution to end-users, and subject the
34. design and implementation to extensive community review before
35. republishing.
36.  
37. ## Motivation
38.  
39. It is our intent to be neighborly, and normally we would not bend an
40. implementation over without the courtesy of a reach-around like this
41. before discreetly taking the developer aside and explaining the issues
42. we found. However, after airing her concerns over Twitter, one of the
43. authors discovered that the FluidNexus developer is an ignorant douchebag,
44. as evidenced by the following remarks:
45.  
46. @FluidNexus: ``@maradydd I look forward to it, and an explaination why
47. plaintext is 'criminally irresponsible' in a broadcast model.''
48.  
49. --Because all broadcast models are obviously created equal, especially
50. where protests are concerned.
51.  
52. @FluidNexus: ``@Dymaxion I guess the twitter activists in syria and
53. egypt should be chastised for sending tactical info over twitter
54. too.''
55.  
56. --Because designing and deploying a brand-new communication system is
57. exactly the same scenario as people on the ground devising uses for
58. tools they already had available.
59.  
60. @FluidNexus: ``@Dymaxion You can look at the code.I'm not a crypto
61. researcher but nothing identifiable is sent nor saved, excepting what
62. you put in the msg''
63.  
64. --And thus the implementer had absolutely no responsibility whatsoever
65. to consult with the crypto or privacy communities before deploying
66. his tool on an unsuspecting userbase. If you believe this, we have a
67. lovely bridge to sell you, and can arrange a package deal with a
68. tower if you're interested. We looked at the code, and we are
69. telling you now, you are leaking much more identifying data than you
70. think you are.
71.  
72. @FluidNexus: ``@Dymaxion And any participation in protest carries
73. risk. We can't remove that through crypto. I submit it's better to
74. have this out there rather than waiting until we have the perfect
75. system.''
76.  
77. --Translation: The implementer has never bothered to familiarize
78. himself with the past decade-plus of cypherpunk literature
79. explaining the hazards inherent in deploying sensitive
80. communications software in politically dangerous situations where
81. people can and do end up on the wrong end of a gun just for speaking
82. their minds.
83.  
84. At http://fluidnexus.net/blog/post/5: ``Are we to hold the designers
85. of TCP/IP responsible for the imprisonments and deaths of people
86. because the designers didn’t include crypto by default?''
87.  
88. --Of course not, because TCP/IP wasn't *designed and advertised for a
89. known-hostile environment*.
90.  
91. ``As far as we are aware there are no relevant trust models for doing
92. encryption within a broadcast model''
93.  
94. --How about Paul A. Karger's master's thesis, ``Non-Discretionary
95. Access Control for Decentralized Computing Systems''? You might also
96. know it as the very first paper listed on AnonBib,
97. http://www.freehaven.net/anonbib. It was written in 1977. See also
98. Feamster et al, ``Thwarting Web Censorship with Untrusted Messenger
99. Delivery'', 2003; Wright et al, ``Defending Anonymous Communication
100. Against Passive Logging Attacks'', 2003; the entire literature on
101. private information retrieval, especially Sassaman et al, ``The
102. Pynchon Gate: A Secure Method of Pseudonymous Mail Retrieval'',
103. 2005; Bauer et al, ``BitBlender: Light-Weight Anonymity for
104. BitTorrent'', and many more. If the FluidNexus implementer was not
105. aware of possible trust models for secure broadcast communication,
106. it is because he never looked. (These papers do not address
107. broadcast trust models using that exact terminology, but they
108. contain applicable principles from which to derive one. Grep is not
109. enough; this sort of research requires reading and understanding.)
110.  
111. ## A Morning's Worth of Vulns
112.  
113. FluidNexus functions by passing short messages over an RFCOMM
114. Bluetooth link or a TCP Bonjour socket. Messages are stored locally
115. (in the user's home directory on a PC, or on the SD card on an Android
116. phone) in an unencrypted SQLite3 database, and they are transferred as
117. cleartext with the encryption--if any--being the responsibility of the
118. Bluetooth socket.
119.  
120.  
121. Bonjour connections occur without pairing, and even though they are
122. intended for use over local Wifi networks, there doesn't appear to be
123. anything to prevent them from leaking into the cellular data network.
124. Therefore, a police state could easily ask the telephone company to
125. packet sniff all EDGE and 3G data connections for Bonjour
126. advertisements of the FluidNexus service. It could also actively
127. participate in this service, giving it full visibility of a network
128. that was only intended to run with local proximity.
129.  
130.  
131. The software also allows for messages to be forwarded to the world at
132. large through the Nexus, a Python web service. The Nexus API also
133. attempts to prevent HTML injection by stripping HTML tags from POSTed
134. messages, but it does so with a regular expression, perhaps because
135. Beautiful Soup was too complicated.
136.  
137. The Nexus API documentation conveniently indicates that updates to the
138. Nexus timeline are sent via HTTP POST, and "will be controlled by
139. OAuth", but are not currently. The source code (Networking.py:484)
140. suggests that the author has attempted to restrict public-timeline
141. posting to users who have already registered with the site and
142. authenticated via OAuth, by requiring a message nonce and an (empty)
143. private key (neither of which are mentioned in the API documentation),
144. but this is the lowest of hurdles for spammers and forgers. There is
145. no attempt whatsoever to prevent antagonistic users from posting
146. facetious public messages designed to direct eager protesters into the
147. welcoming arms of a kettle or police van. Furthermore, attempting to
148. post a public message from the desktop client, even without a login
149. token, indicates that this code is never even executed--the warning
150. message that a valid access token is required (Networking.py:469)
151. never appears in the log. Posting public messages simply does not
152. work.
153.  
154.  
155. The Bluetooth service runs over RFCOMM to all devices which are paired
156. and advertising the service by name. Messages can be fetched or
157. freely inserted by any paired device, and they will then be repeated
158. through the network.
159.  
160.  
161. There is nothing to prevent the insertion of thousands of messages or
162. the editing of previously published messages to include fraudulent
163. information. That is, a message of ``Martians have landed at
164. Jannowitzbruecke.'' could easily be edited to be ``The TARDIS has
165. landed at Jannowitzbruecke.'' with nothing to indicate which message
166. is older or which was inserted after the fact. This could even be
167. automated through the Bonjour cellular network, causing all cellular
168. phones to be infected with the fraudulent message.
169.  
170.  
171. Further, the default messages are explicitly antagonistic to
172. authority. Every time a new user joins the network, the following
173. messages are broadcast, making any user of the software--EVEN AN
174. INNOCUOUS ONE--appear to be a dissident.
175.  
176. [SAMPLE MESSAGE] Run against Bush in progress (just went through times sq). media march starts at 7, 52nd and broadway
177. [SAMPLE MESSAGE] Video dispatch. Federal agents trailing activists at 6th Ave and 9th St. Situation tense.
178. [SAMPLE MESSAGE] CT delegation @ Maison (7th Ave. & 53rd). Outdoor dining area. Try to get people there.
179.  
180.  
181. Additionally, the ownership of a message is attributable when the
182. client's database is dumped. On an Android phone, *any* application
183. with access to the SD card can dump the database in this way, making
184. trojans trivial to implement. Further, this database column does
185. nothing to benefit the users of the software, putting them at risk for
186. no reason.
187.  
188. pro% sqlite3 ~/.FluidNexus/FluidNexus.db
189. SQLite version 3.7.4
190. Enter ".help" for instructions
191. Enter SQL statements terminated with a ";"
192. sqlite> select title from messages where mine;
193. Run
194. Martians know cryptography!
195. Things change.
196. Evidence against me.
197. sqlite>
198.  
199. ## Conclusions
200.  
201. Just because you as a toolsmith care a lot about your cause does not
202. guarantee that the tools you write will be fit for purpose. If you
203. are confronted with the fact that you did not, in fact, have a
204. sufficient depth of knowledge to be doing the work you've attempted to
205. do, the only acceptable response is to put aside your ego, acknowledge
206. the situation, and work to repair it before people die.
207.  
208. Please withdraw Fluid Nexus from the Android Market and stop
209. distributing the application to end-users until the design has been
210. vetted and corrected.
211.  
212. As security and privacy researchers, we are extremely sympathetic to
213. the need for censorship-resistant communications, especially in
214. locations such as Egypt, Tunisia, and San Francisco. As hackers, we
215. also appreciate and even encourage n00bs getting involved in the fight
216. for unfettered speech. However, n00b enthusiasm untempered by an
217. appreciation for the lessons that the remailer, onion-routing and
218. cryptography communities have spent the last two decades discovering
219. is arrogant to the point of active hostility toward activists whose
220. personal safety depends on fault-tolerant, Byzantine-tolerant,
221. unforgeable and secure communication.
222.  
223. We bitch-slap you because we care.