Bridgefy

From Wikipedia the free encyclopedia

Bridgefy
Industrysoftware
technology
Founded2014
FounderJorge Rios
HeadquartersMexico
Area served
Worldwide
ProductsBridgefy App
Websitebridgefy.me

Bridgefy is a Mexican software company with offices in Mexico[1] and California, the United States, dedicated to developing mesh-networking technology for mobile apps. It was founded circa 2014 by Jorge Rios, who conceived the idea while participating in a tech competition called StartupBus.[2] Bridgefy's smartphone ad hoc network technology, apparently using Bluetooth Mesh, is licensed to other apps.[3][4][5] The app gained popularity during protests in different countries since it can operate without Internet, using Bluetooth instead. Aware of the security issues of not using cryptography and the criticism surrounding it,[6] Bridgefy announced in late October 2020 that they adopted the Signal protocol, in both their app and SDK, to keep information private,[7] though security researchers have demonstrated that Bridgefy's usage of the Signal Protocol is insecure.[8]

Usage[edit]

The app gained popularity as a communication tactic during the 2019–2020 Hong Kong protests and Citizenship Amendment Act protests in India,[9] because it requires people who want to intercept the message to be physically close because of Bluetooth's limited range, and the ability to daisy-chain devices to send messages further than Bluetooth's range.[10][11][12][13]

Security[edit]

In August 2020, researchers published a paper describing numerous attacks against the application, which allow de-anonymizing users, building social graphs of users’ interactions (both in real time and after the fact), decrypting and reading direct messages, impersonating users to anyone else on the network, completely shutting down the network, performing active man-in-the-middle attacks to read messages and even modify them.[6]

In response to the disclosures, developers acknowledged that "no part of the Bridgefy app is encrypted now" and gave a vague promise to release a new version "encrypted with top security protocols".[14] Later developers said they plan to switch to Signal Protocol, which is widely recognized by cryptographers and used by Signal and WhatsApp.[6] The Signal Protocol was integrated into the Bridgefy app and SDK by late October 2020, with the developers claiming to have included improvements such as the impossibility of a third person impersonating any other user, man-in-the-middle attacks done by modifying stored keys, and historical proximity tracking, among others.[7]

However, in 2022, the same security researchers, now including Kenny Paterson, published a paper describing how Bridgefy's usage of the Signal Protocol was incorrect, failing to remedy the previously discovered issues.[15] The researchers performed a demonstration, showing that it was possible for users to intercept messages intended for others without the sender noticing.[16] The researchers disclosed the vulnerabilities to the developers of Bridgefy in August 2021, but, according to the researchers, the developers had yet to resolve the issues as of June 2022.[8]

On July 31, 2023, the security firm 7asecurity released a blog post and pentest report of a white box penetration test and overall security review of the Bridgefy app in collaboration with the platform's developers. Their review, which began in November 2022 and concluded in May 2023, identified multiple critical vulnerabilities throughout the application. Many of the issues were fixed, or partially fixed, before the end of the audit, including user impersonation and biometric bypass. Bridgefy also published a blog post on August 8 2023 announcing the audit results.

See also[edit]

  • Signal protocol, which developers used to correct the security problems.
  • Briar, another communication app that can utilize Bluetooth

References[edit]

  1. ^ "Mexican-based startup".
  2. ^ Velázquez, Franck (November 22, 2018). "Bridgefy, la startup mexicana que te dejará pedir un Uber o recibir una alerta sísmica sin internet" [Bridgefy, the Mexican startup that will let you call an Uber or receive a seismic alert without the Internet]. Entrepreneur (in Spanish). Archived from the original on September 4, 2019. Retrieved September 4, 2019.
  3. ^ Silva, Matthew De (3 September 2019). "Hong Kong protestors revive mesh networks to preempt internet shutdown". Quartz. Archived from the original on 2019-09-03. Retrieved 2019-09-03.
  4. ^ "Hong Kong Protestors Are Using An App That Doesn't Need Internet, And Bypass Chinese Snooping". The Times of India. 2019-09-03. Archived from the original on 2019-09-03. Retrieved 2019-09-03.
  5. ^ Thompson, Clive (2019-09-03). "Hong Kong protestors using mesh-networking messaging app to evade authorities". Boing Boing. Archived from the original on 2019-09-03. Retrieved 2019-09-03.
  6. ^ a b c Goodin, Dan (2020-08-24). "Bridgefy, the messenger promoted for mass protests, is a privacy disaster". Ars Technica. Retrieved 2020-08-26.
  7. ^ a b "Press Release – Major Security Updates at Bridgefy!". Bridgefy. Archived from the original on 2021-12-14. Retrieved 2021-04-27.
  8. ^ a b Eikenberg, Raphael. "Breaking Bridgefy, again". GitHub. Retrieved 14 June 2022.
  9. ^ Nandi, Tamal (2019-12-19). "Bridgefy: An offline messaging app suddenly gaining traction in India". livemint.com. Retrieved 2019-12-22.
  10. ^ "Hong Kong protesters using Bridgefy to stop China monitoring actions". News | The CEO Magazine. 2019-09-03. Archived from the original on 2019-09-03. Retrieved 2019-09-03.
  11. ^ Jowitt, Tom (2019-09-03). "Bridgefy Grows Amid Hong Kong Protests | Silicon UK Tech News". Silicon UK. Archived from the original on 2019-09-03. Retrieved 2019-09-03.
  12. ^ Wakefield, Jane (2019-09-03). "Hong Kong protesters using Bluetooth app". Archived from the original on 2019-09-04. Retrieved 2019-09-03.
  13. ^ "Hong Kong: Protesters using offline app Bridgefy to avoid being identified". Sky News. Archived from the original on 2019-09-03. Retrieved 2019-09-03.
  14. ^ "Bridgefly: No part of the Bridgefy app is encrypted now". Twitter. Archived from the original on 2020-06-04. Retrieved 2020-08-26.
  15. ^ Albrecht, Martin R.; Eikenberg, Raphael; Paterson, Kenneth G. (2022). "Breaking Bridgefy, again". USENIX Security (22). ISBN 9781939133311. Retrieved 14 June 2022.
  16. ^ Eikenberg, Raphael. "Breaking Bridgefy again attack demo". Twitter. Retrieved 14 June 2022.

External links[edit]

Retrieved from "https://en.wikipedia.org/w/index.php?title=Bridgefy&oldid=1212749998"