Matrix chat encryption sunk by five now-patched holes

Five cryptographic flaws have been discovered in code libraries used by Matrix encrypted chat clients, and exploiting them could break the clients' encryption. This includes impersonating users and sending messages on their behalf.

The researchers – Martin Albrecht (University of London), Sofía Celi (Brave Software), Benjamin Dowling (University of Sheffield), and Daniel Jones (University of London) – described their findings in a pre-print paper titled “Practically-exploitable Cryptographic Vulnerabilities in Matrix” [PDF].

“Our perspective is that these attacks together show a rich surface in Matrix from both a protocol and implementation perspective,” Benjamin Dowling, a lecturer in cybersecurity, told The Register this week.

“While Matrix has performed security audits of the various existing implementations, they sometimes miss attacks that are present due to protocol flaws. Formally modeling the protocol and analyzing the security of the protocol design is an important step in catching and thus preventing attacks of this nature.”

Matrix is a real-time, distributed communications framework that claims to provide strong end-to-end encryption, user verification, and other cryptographic protection mechanisms. Libraries and clients implementing the standard are available. If you’re interested in cryptosystem architecture, the PDF above will be a genuine deep-dive treat.

The attacks – two critical and three lower priority – target implementations of Matrix in the matrix-react-sdk, matrix-js-sdk, and matrix-android-sdk2 libraries. They affect client software that incorporates such code, including Element, Beeper, Cinny, SchildiChat, Circuli, and Synod.im. Not all clients are affected, since the issues are at the implementation level.

On Wednesday, The Matrix.org Foundation, which runs the decentralized communication protocol, published an alert describing the holes as flaws in Matrix end-to-end encryption software and urging users of vulnerable applications and libraries to update them.

“These have now been fixed, and we have not seen evidence of them being exploited in the wild,” the foundation said. “All critical vulnerabilities require cooperation from a malicious home server to be exploited.”

The two critical bugs are identified as “Key/Device Identifier Confusion in SAS Verification” (CVE-2022-39250) and “Trusted Impersonation” (CVE-2022-39251).

The former refers to a matrix-js-sdk bug (not present in the iOS or Android SDKs) that confuses device IDs with cross-signing keys, which could allow malicious server admins to impersonate target users. The latter refers to a protocol-confusion bug in matrix-js-sdk (and derived SDKs) that could allow attackers to spoof historical messages from other users. The “Trusted Impersonation” bug is also tracked as CVE-2022-39255 (matrix-ios-sdk) and CVE-2022-39248 (matrix-android-sdk2).
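To illustrate the failure class behind the identifier-confusion bug, here is an added example (constructed for this article, not code from matrix-js-sdk or the paper) of a verification-time key lookup. Device IDs and cross-signing keys are both referred to as `ed25519:<name>`; a lookup over a single flat namespace can resolve one kind of identifier as the other if a server registers a device whose ID collides with a cross-signing key. The namespace-aware variant makes the caller state which kind it expects and refuses an identifier that exists in both. All names here (`KeyDirectory`, `resolveKeyId`, the base64-looking key strings) are constructed.

```javascript
// Constructed model of key-identifier lookup during verification.
// Not matrix-js-sdk code; names and key values are made up for illustration.

class KeyDirectory {
  constructor() {
    this.deviceKeys = new Map();       // deviceId -> base64 ed25519 public key
    this.crossSigningKeys = new Map(); // base64 ed25519 public key -> role ("master", ...)
  }
  addDevice(deviceId, pubkey) { this.deviceKeys.set(deviceId, pubkey); }
  addCrossSigningKey(pubkey, role) { this.crossSigningKeys.set(pubkey, role); }
}

// Both kinds of identifier carry the same "ed25519:" algorithm prefix.
function stripPrefix(keyId) {
  if (!keyId.startsWith('ed25519:')) throw new Error(`unexpected key id ${keyId}`);
  return keyId.slice('ed25519:'.length);
}

// Confusable lookup: one flat namespace, first match wins. An identifier the peer
// attests as its cross-signing key can resolve as a device instead, so the wrong
// key ends up being the one marked as verified.
function resolveKeyIdConfusable(dir, keyId) {
  const name = stripPrefix(keyId);
  if (dir.deviceKeys.has(name)) return { kind: 'device', name };
  if (dir.crossSigningKeys.has(name)) return { kind: 'cross-signing', name };
  return null;
}

// Namespace-aware lookup: the caller says which kind of key it expects, and an
// identifier present in both namespaces is treated as ambiguous and refused.
function resolveKeyId(dir, keyId, expectedKind) {
  const name = stripPrefix(keyId);
  const isDevice = dir.deviceKeys.has(name);
  const isCsk = dir.crossSigningKeys.has(name);
  if (isDevice && isCsk) return { ok: false, reason: 'ambiguous identifier' };
  if (expectedKind === 'device' && isDevice) return { ok: true, kind: 'device', name };
  if (expectedKind === 'cross-signing' && isCsk) return { ok: true, kind: 'cross-signing', name };
  return { ok: false, reason: `no ${expectedKind} key with id ${name}` };
}

// Constructed scenario: Alice's directory of Bob's keys as reported by her server.
function demoIdentifierConfusion() {
  const dir = new KeyDirectory();
  const bobMasterKey = 'AAAAbobMasterKeyBase64AAAA';            // constructed value
  dir.addCrossSigningKey(bobMasterKey, 'master');
  dir.addDevice('BOBPHONE', 'zzzzBobPhoneKeyBase64zzzz');      // constructed value
  // The server also lists a "device" whose ID equals Bob's master key identifier.
  dir.addDevice(bobMasterKey, 'eeeeServerChosenKeyBase64eeee'); // constructed value

  const keyId = `ed25519:${bobMasterKey}`;
  return {
    confusable: resolveKeyIdConfusable(dir, keyId),     // resolves as a device
    strict: resolveKeyId(dir, keyId, 'cross-signing'),   // refused as ambiguous
  };
}
```

The point of the strict variant is not the specific data structure but that the expected key type is part of the lookup: a verification step that asks for a cross-signing key never gets a device key back, and a collision between the two namespaces is surfaced as an error rather than silently resolved.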

The “Trusted Impersonation” attack has a variant called the “Malicious key backup.” In this scenario, exfiltration of message keys could occur if a home server administrator adds a malicious key backup to the user’s account.

The lower priority vulnerabilities include: “Semi-trusted Impersonation,” “Homeserver Control of Room Membership,” and “IND-CCA break.”

With the semi-trusted impersonation bug, the matrix-js-sdk (and derived SDKs) accepts keys forwarded by other users that have not been requested. This allows malicious admins to impersonate other users, though some clients such as Element will present a warning: “The authenticity of this encrypted message can’t be guaranteed.”
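As an added example of the check that closes this gap (constructed for this article, not code from matrix-js-sdk or Element), the following room-key store only treats a forwarded session key as trusted when it matches an outstanding request and arrives from the party that request was sent to. A policy switch shows the two reasonable outcomes for anything else: drop the key, or keep it but flag every message decrypted with it with the warning quoted above. The class name, field names and event shape (`sender`, `roomId`, `sessionId`, `sessionKey`) are assumptions made for the model.

```javascript
// Constructed model of forwarded-room-key handling. Not matrix-js-sdk code;
// names, event fields and sample identifiers are made up for illustration.

const WARNING = "The authenticity of this encrypted message can't be guaranteed.";

class RoomKeyStore {
  // policy: 'reject' drops unsolicited forwards; 'untrusted' keeps them but flags them.
  constructor(policy = 'reject') {
    this.policy = policy;
    this.pending = new Map();  // "roomId|sessionId" -> userId the request was sent to
    this.sessions = new Map(); // "roomId|sessionId" -> { sessionKey, trusted }
  }

  static id(roomId, sessionId) { return `${roomId}|${sessionId}`; }

  // Record that we asked `fromUser` for the key of this session.
  requestKey(roomId, sessionId, fromUser) {
    this.pending.set(RoomKeyStore.id(roomId, sessionId), fromUser);
  }

  // Handle an incoming forwarded-room-key event. A key is solicited only if we
  // have an outstanding request for exactly this session AND the forward comes
  // from the user we asked; anything else is unsolicited, however plausible.
  onForwardedRoomKey(event) {
    const id = RoomKeyStore.id(event.roomId, event.sessionId);
    const askedFrom = this.pending.get(id);
    const solicited = askedFrom !== undefined && askedFrom === event.sender;
    if (!solicited) {
      if (this.policy === 'reject') return { accepted: false, reason: 'unsolicited forward' };
      this.sessions.set(id, { sessionKey: event.sessionKey, trusted: false });
      return { accepted: true, trusted: false };
    }
    this.pending.delete(id); // a request is satisfied at most once
    this.sessions.set(id, { sessionKey: event.sessionKey, trusted: true });
    return { accepted: true, trusted: true };
  }

  // How a message encrypted under this session should be presented to the user.
  verdictFor(roomId, sessionId) {
    const s = this.sessions.get(RoomKeyStore.id(roomId, sessionId));
    if (!s) return { decryptable: false, warning: null };
    return { decryptable: true, warning: s.trusted ? null : WARNING };
  }
}

// Constructed scenario: three forwards arrive, only the first was asked for.
function demoKeyForwarding(policy) {
  const store = new RoomKeyStore(policy);
  const room = '!room:example.org';
  store.requestKey(room, 'S1', '@alice:example.org');
  const legit = store.onForwardedRoomKey(
    { sender: '@alice:example.org', roomId: room, sessionId: 'S1', sessionKey: 'k1' });
  // Nobody asked about S2.
  const unsolicited = store.onForwardedRoomKey(
    { sender: '@other:example.org', roomId: room, sessionId: 'S2', sessionKey: 'k2' });
  // S3 was requested, but from alice; an answer from someone else is still unsolicited.
  store.requestKey(room, 'S3', '@alice:example.org');
  const wrongSender = store.onForwardedRoomKey(
    { sender: '@other:example.org', roomId: room, sessionId: 'S3', sessionKey: 'k3' });
  return { store, room, legit, unsolicited, wrongSender };
}
```

Under the `'reject'` policy the two unsolicited forwards never enter the store, so the messages they would unlock stay undecryptable; under `'untrusted'` they decrypt but every such message carries the warning, which is the behaviour the article attributes to Element.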

The bug has been designated moderate severity under the identifiers: CVE-2022-39249 (matrix-js-sdk), CVE-2022-39257 (matrix-ios-sdk), and CVE-2022-39246 (matrix-android-sdk2).

Trouble at home

The “Homeserver” bug allows a malicious homeserver to issue invites to server-controlled users or add server-controlled devices to user accounts. Clients already show warnings intended to counter this, but Matrix.org says it intends to improve the behavior, with fixes scheduled to land in the next few months.

And in the “IND-CCA break” attack, “an adversary can decrypt a challenge ciphertext by querying encryption and decryption oracles, without requesting decryption of the challenge ciphertext directly,” the paper explains. However, the researchers say this attack is only theoretical, as they don’t see a practical way to carry it out. Repairs are nonetheless planned.

The researchers’ paper observes that Matrix relies on a “bespoke cryptographic protocol [that] has not received an in-depth treatment from the cryptographic (academic or practitioner) community.”

Asked whether the flaws that have surfaced validate the advice of cryptography experts to stick with proven algorithms instead of rolling your own, Dowling said:

“Given that Matrix attempts to achieve strong secure messaging in a novel setting (specifically, decentralized group messaging), it follows that introducing a new protocol design is inevitable. We would instead say that these vulnerabilities highlight the need for rigorous formal analysis during the design phase and before using new cryptographic designs in production.”

“While today’s fixes are not complete, these are good first steps towards ensuring that Matrix lives up to its promises of confidentiality and authentication,” said Daniel Jones, a doctoral candidate at Royal Holloway, University of London, in a statement. “The longer-term plans communicated to us by the Matrix developers should then provide complete protection against our attacks.

“Matrix occupies a unique position within the messaging space, providing an end-to-end encrypted federated messaging platform. We hope our work inspires others to scrutinize its security to ensure that further potential issues are found, fixed, or ruled out early. Doing so will help to strengthen the platform and ensure its long-term viability.”
