Bridgefy Explained
Industry: software technology
Founded: 2014
Founders: Jorge Rios, Roberto Betancourt, Diego Garcia
HQ location: Mexico
Area served: Worldwide
Products: Bridgefy App
Bridgefy is a Mexican software company with offices in Mexico[1] and California, the United States, dedicated to developing mesh-networking technology for mobile apps. It was founded circa 2014 by Jorge Rios, Roberto Betancourt and Diego Garcia, who conceived the idea while participating in a tech competition called StartupBus.[2] Bridgefy's smartphone ad hoc network technology, apparently using Bluetooth Mesh, is licensed to other apps.[3] [4] [5] The app gained popularity during protests in different countries because it can operate without an Internet connection, using Bluetooth instead. Aware of the security issues of not using cryptography and the criticism surrounding it,[6] Bridgefy announced in late October 2020 that it had adopted the Signal protocol, in both its app and SDK, to keep information private,[7] though security researchers have demonstrated that Bridgefy's usage of the Signal Protocol is insecure.[8]
Usage
The app gained popularity as a communication tactic during the 2019–2020 Hong Kong protests and the Citizenship Amendment Act protests in India,[9] for two reasons: Bluetooth's limited range means that anyone who wants to intercept a message must be physically close, and devices can be daisy-chained to send messages further than Bluetooth's range.[10] [11] [12] [13]
Security
In August 2020, researchers published a paper describing numerous attacks against the application, which allow de-anonymizing users, building social graphs of users' interactions (both in real time and after the fact), decrypting and reading direct messages, impersonating users to anyone else on the network, completely shutting down the network, and performing active man-in-the-middle attacks to read messages and even modify them.
In response to the disclosures, the developers acknowledged that "no part of the Bridgefy app is encrypted now" and gave a vague promise to release a new version "encrypted with top security protocols".[14] Later, the developers said they planned to switch to the Signal Protocol, which is widely recognized by cryptographers and used by Signal and WhatsApp. The Signal Protocol was integrated into the Bridgefy app and SDK by late October 2020, with the developers claiming improvements that made it impossible for a third person to impersonate any other user, to carry out man-in-the-middle attacks by modifying stored keys, or to perform historical proximity tracking, among others.
However, in 2022, the same security researchers, now including Kenny Paterson, published a paper describing how Bridgefy's usage of the Signal Protocol was incorrect, failing to remedy the previously discovered issues.[15] The researchers performed a demonstration, showing that it was possible for users to intercept messages intended for others without the sender noticing.[16] The researchers disclosed the vulnerabilities to the developers of Bridgefy in August 2021, but, according to the researchers, the developers had yet to resolve the issues as of June 2022.
On July 31, 2023, the security firm 7asecurity released a blog post and pentest report covering a white box penetration test and overall security review of the Bridgefy app, carried out in collaboration with the platform's developers. Their review, which began in November 2022 and concluded in May 2023, identified multiple critical vulnerabilities throughout the application. Many of the issues were fixed, or partially fixed, before the end of the audit, including user impersonation and biometric bypass. Bridgefy also published a blog post on August 8, 2023, announcing the audit results.
See also
- Signal protocol, which developers used to correct the security problems.
- Briar, another communication app that can utilize Bluetooth.
Notes and References
- Web site: Mexican-based startup..
- News: Bridgefy, la startup mexicana que te dejará pedir un Uber o recibir una alerta sísmica sin internet. Bridgefy, the Mexican startup that will let you call an Uber or receive a seismic alert without the Internet. Franck. Velázquez. Entrepreneur. November 22, 2018. Spanish. September 4, 2019. https://web.archive.org/web/20190904030219/https://www.entrepreneur.com/article/323675. September 4, 2019. live.
- Web site: Hong Kong protestors revive mesh networks to preempt internet shutdown. Silva. Matthew De. Quartz. 3 September 2019 . en. 2019-09-03. https://web.archive.org/web/20190903211212/https://qz.com/1701045/hong-kong-protestors-use-bridgefy-to-preempt-internet-shutdown/. 2019-09-03. live.
- News: Hong Kong Protestors Are Using An App That Doesn't Need Internet, And Bypass Chinese Snooping. 2019-09-03. The Times of India. en. 2019-09-03. https://web.archive.org/web/20190903211212/https://www.indiatimes.com/technology/news/hong-kong-protestors-are-using-an-app-that-doesn-t-need-internet-and-bypass-chinese-snooping-374969.html. 2019-09-03. live.
- Web site: Hong Kong protestors using mesh-networking messaging app to evade authorities. Clive. Thompson. 2019-09-03. Boing Boing. en-US. 2019-09-03. https://web.archive.org/web/20190903211212/https://boingboing.net/2019/09/03/hong-kong-protestors-using-mes.html. 2019-09-03. live.
- Web site: Goodin. Dan. 2020-08-24. Bridgefy, the messenger promoted for mass protests, is a privacy disaster. 2020-08-26. Ars Technica. en-us.
- Web site: Press Release – Major Security Updates at Bridgefy!. 2021-04-27. Bridgefy. en-US. 2021-12-14. https://web.archive.org/web/20211214163819/https://bridgefy.me/press-release-major-security-updates-at-bridgefy/. dead.
- Web site: Eikenberg . Raphael . Breaking Bridgefy, again . GitHub . 14 June 2022.
- Web site: Bridgefy: An offline messaging app suddenly gaining traction in India. Nandi. Tamal. 2019-12-19. livemint.com. en. 2019-12-22.
- Web site: Hong Kong protesters using Bridgefy to stop China monitoring actions. 2019-09-03. News The CEO Magazine. en-US. 2019-09-03. https://web.archive.org/web/20190903211214/https://news.theceomagazine.com/world-news/hong-kong-protesters-defy-china/. 2019-09-03. live.
- Web site: Bridgefy Grows Amid Hong Kong Protests Silicon UK Tech News. Jowitt. Tom. 2019-09-03. Silicon UK. en-UK. 2019-09-03. https://web.archive.org/web/20190903211213/https://www.silicon.co.uk/e-regulation/surveillance/bluetooth-messaging-bridgefy-hong-kong-283301. 2019-09-03. live.
- News: Hong Kong protesters using Bluetooth app. Wakefield. Jane. 2019-09-03. 2019-09-03. en-GB. https://web.archive.org/web/20190904015531/https://www.bbc.com/news/technology-49565587. 2019-09-04. live.
- Web site: Hong Kong: Protesters using offline app Bridgefy to avoid being identified. Sky News. en. 2019-09-03. https://web.archive.org/web/20190903211212/https://news.sky.com/story/hong-kong-protesters-using-offline-app-bridgefy-to-avoid-being-identified-11801446. 2019-09-03. live.
- Web site: Bridgefly: No part of the Bridgefy app is encrypted now.. live. https://web.archive.org/web/20200604144136/https://twitter.com/bridgefy/status/1268551771124834313 . 2020-06-04 . 2020-08-26. Twitter. en.
- Albrecht . Martin R. . Eikenberg . Raphael . Paterson . Kenneth G. . Breaking Bridgefy, again . USENIX Security . 2022 . 22 . 9781939133311 . 14 June 2022.
- Web site: Eikenberg . Raphael . Breaking Bridgefy again attack demo . Twitter . 14 June 2022.