Guest User


a guest
Aug 18th, 2011
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 10.84 KB | None | 0 0
  1. Breaking FluidNexus before Breakfast
  3. by T. Goodspeed, M. L. Patterson, E. Saitta, and three bottles of Club Mate
  5. ## Introduction
  7. The following is the story of how a few neighbors who were waiting for
  8. breakfast broke the security of FluidNexus, a short messaging service
  9. that runs through Bonjour and Bluetooth to allow for communication
  10. when cellular networks are cut during protests. It uses a naive
  11. broadcast model for message passing, which, while practical for the
  12. narrowly understood purpose--keeping communication links active when
  13. network infrastructure becomes unusable--is extremely dangerous in the
  14. much more loaded context for which it is intended.
  16. FluidNexus is directly marketed toward activists and dissidents,
  17. particularly those within regimes that might attack such a messaging
  18. service or its users. The product is fine as a fashion accessory or
  19. as a toy, but in practice it is worse than useless. It is so
  20. horrifically insecure as to get its users killed. Furthermore, the
  21. FluidNexus author has proven worse than unresponsive--indeed, outright
  22. belligerent--when confronted with the dangerous flaws in his design
  23. and implementation, and thus it behooves us to respond publicly and
  24. adamantly to his new-media hipster douchebaggery before his software
  25. puts anyone's life or liberty at risk.
  27. We would like to emphasize that these results really were found before
  28. breakfast, and that patching the issues we highlight here will not be
  29. sufficient to repair FluidNexus as a product. It is hopelessly
  30. insecure and cannot be repaired without a complete rewrite by an
  31. author who understands security. The only responsible move on the
  32. FluidNexus implementer's part is to withdraw his application from the
  33. Android Market, cease distribution to end-users, and subject the
  34. design and implementation to extensive community review before
  35. republishing.
  37. ## Motivation
  39. It is our intent to be neighborly, and normally we would not bend an
  40. implementation over without the courtesy of a reach-around like this
  41. before discreetly taking the developer aside and explaining the issues
  42. we found. However, after airing her concerns over Twitter, one of the
  43. authors discovered that the FluidNexus developer is an ignorant douchebag,
  44. as evidenced by the following remarks:
  46. @FluidNexus: ``@maradydd I look forward to it, and an explaination why
  47. plaintext is 'criminally irresponsible' in a broadcast model.''
  49. --Because all broadcast models are obviously created equal, especially
  50. where protests are concerned.
  52. @FluidNexus: ``@Dymaxion I guess the twitter activists in syria and
  53. egypt should be chastised for sending tactical info over twitter
  54. too.''
  56. --Because designing and deploying a brand-new communication system is
  57. exactly the same scenario as people on the ground devising uses for
  58. tools they already had available.
  60. @FluidNexus: ``@Dymaxion You can look at the code.I'm not a crypto
  61. researcher but nothing identifiable is sent nor saved, excepting what
  62. you put in the msg''
  64. --And thus the implementer had absolutely no responsibility whatsoever
  65. to consult with the crypto or privacy communities before deploying
  66. his tool on an unsuspecting userbase. If you believe this, we have a
  67. lovely bridge to sell you, and can arrange a package deal with a
  68. tower if you're interested. We looked at the code, and we are
  69. telling you now, you are leaking much more identifying data than you
  70. think you are.
  72. @FluidNexus: ``@Dymaxion And any participation in protest carries
  73. risk. We can't remove that through crypto. I submit it's better to
  74. have this out there rather than waiting until we have the perfect
  75. system.''
  77. --Translation: The implementer has never bothered to familiarize
  78. himself with the past decade-plus of cypherpunk literature
  79. explaining the hazards inherent in deploying sensitive
  80. communications software in politically dangerous situations where
  81. people can and do end up on the wrong end of a gun just for speaking
  82. their minds.
  84. At ``Are we to hold the designers
  85. of TCP/IP responsible for the imprisonments and deaths of people
  86. because the designers didn’t include crypto by default?''
  88. --Of course not, because TCP/IP wasn't *designed and advertised for a
  89. known-hostile environment*.
  91. ``As far as we are aware there are no relevant trust models for doing
  92. encryption within a broadcast model''
  94. --How about Paul A. Karger's master's thesis, ``Non-Discretionary
  95. Access Control for Decentralized Computing Systems''? You might also
  96. know it as the very first paper listed on AnonBib,
  97. It was written in 1977. See also
  98. Feamster et al, ``Thwarting Web Censorship with Untrusted Messenger
  99. Delivery'', 2003; Wright et al, ``Defending Anonymous Communication
  100. Against Passive Logging Attacks'', 2003; the entire literature on
  101. private information retrieval, especially Sassaman et al, ``The
  102. Pynchon Gate: A Secure Method of Pseudonymous Mail Retrieval'',
  103. 2005; Bauer et al, ``BitBlender: Light-Weight Anonymity for
  104. BitTorrent'', and many more. If the FluidNexus implementer was not
  105. aware of possible trust models for secure broadcast communication,
  106. it is because he never looked. (These papers do not address
  107. broadcast trust models using that exact terminology, but they
  108. contain applicable principles from which to derive one. Grep is not
  109. enough; this sort of research requires reading and understanding.)
  111. ## A Morning's Worth of Vulns
  113. FluidNexus functions by passing short messages over an RFCOMM
  114. Bluetooth link or a TCP Bonjour socket. Messages are stored locally
  115. (in the user's home directory on a PC, or on the SD card on an Android
  116. phone) in an unencrypted SQLite3 database, and they are transferred as
  117. cleartext with the encryption--if any--being the responsibility of the
  118. Bluetooth socket.
  121. Bonjour connections occur without pairing, and even though they are
  122. intended for use over local Wifi networks, there doesn't appear to be
  123. anything to prevent them from leaking into the cellular data network.
  124. Therefore, a police state could easily ask the telephone company to
  125. packet sniff all EDGE and 3G data connections for Bonjour
  126. advertisements of the FluidNexus service. It could also actively
  127. participate in this service, giving it full visibility of a network
  128. that was only intended to run with local proximity.
  131. The software also allows for messages to be forwarded to the world at
  132. large through the Nexus, a Python web service. The Nexus API also
  133. attempts to prevent HTML injection by stripping HTML tags from POSTed
  134. messages, but it does so with a regular expression, perhaps because
  135. Beautiful Soup was too complicated.
  137. The Nexus API documentation conveniently indicates that updates to the
  138. Nexus timeline are sent via HTTP POST, and "will be controlled by
  139. OAuth", but are not currently. The source code (
  140. suggests that the author has attempted to restrict public-timeline
  141. posting to users who have already registered with the site and
  142. authenticated via OAuth, by requiring a message nonce and an (empty)
  143. private key (neither of which are mentioned in the API documentation),
  144. but this is the lowest of hurdles for spammers and forgers. There is
  145. no attempt whatsoever to prevent antagonistic users from posting
  146. facetious public messages designed to direct eager protesters into the
  147. welcoming arms of a kettle or police van. Furthermore, attempting to
  148. post a public message from the desktop client, even without a login
  149. token, indicates that this code is never even executed--the warning
  150. message that a valid access token is required (
  151. never appears in the log. Posting public messages simply does not
  152. work.
  155. The Bluetooth service runs over RFCOMM to all devices which are paired
  156. and advertising the service by name. Messages can be fetched or
  157. freely inserted by any paired device, and they will then be repeated
  158. through the network.
  161. There is nothing to prevent the insertion of thousands of messages or
  162. the editing of previously published messages to include fraudulent
  163. information. That is, a message of ``Martians have landed at
  164. Jannowitzbruecke.'' could easily be edited to be ``The TARDIS has
  165. landed at Jannowitzbruecke.'' with nothing to indicate which message
  166. is older or which was inserted after the fact. This could even be
  167. automated through the Bonjour cellular network, causing all cellular
  168. phones to be infected with the fraudulent message.
  171. Further, the default messages are explicitly antagonistic to
  172. authority. Every time a new user joins the network, the following
  173. messages are broadcast, making any user of the software--EVEN AN
  174. INNOCUOUS ONE--appear to be a dissident.
  176. [SAMPLE MESSAGE] Run against Bush in progress (just went through times sq). media march starts at 7, 52nd and broadway
  177. [SAMPLE MESSAGE] Video dispatch. Federal agents trailing activists at 6th Ave and 9th St. Situation tense.
  178. [SAMPLE MESSAGE] CT delegation @ Maison (7th Ave. & 53rd). Outdoor dining area. Try to get people there.
  181. Additionally, the ownership of a message is attributable when the
  182. client's database is dumped. On an Android phone, *any* application
  183. with access to the SD card can dump the database in this way, making
  184. trojans trivial to implement. Further, this database column does
  185. nothing to benefit the users of the software, putting them at risk for
  186. no reason.
  188. pro% sqlite3 ~/.FluidNexus/FluidNexus.db
  189. SQLite version 3.7.4
  190. Enter ".help" for instructions
  191. Enter SQL statements terminated with a ";"
  192. sqlite> select title from messages where mine;
  193. Run
  194. Martians know cryptography!
  195. Things change.
  196. Evidence against me.
  197. sqlite>
  199. ## Conclusions
  201. Just because you as a toolsmith care a lot about your cause does not
  202. guarantee that the tools you write will be fit for purpose. If you
  203. are confronted with the fact that you did not, in fact, have a
  204. sufficient depth of knowledge to be doing the work you've attempted to
  205. do, the only acceptable response is to put aside your ego, acknowledge
  206. the situation, and work to repair it before people die.
  208. Please withdraw Fluid Nexus from the Android Market and stop
  209. distributing the application to end-users until the design has been
  210. vetted and corrected.
  212. As security and privacy researchers, we are extremely sympathetic to
  213. the need for censorship-resistant communications, especially in
  214. locations such as Egypt, Tunisia, and San Francisco. As hackers, we
  215. also appreciate and even encourage n00bs getting involved in the fight
  216. for unfettered speech. However, n00b enthusiasm untempered by an
  217. appreciation for the lessons that the remailer, onion-routing and
  218. cryptography communities have spent the last two decades discovering
  219. is arrogant to the point of active hostility toward activists whose
  220. personal safety depends on fault-tolerant, Byzantine-tolerant,
  221. unforgeable and secure communication.
  223. We bitch-slap you because we care.
Add Comment
Please, Sign In to add comment