The privacy perils of using a mesh network – and why we urgently need one that is robust and open source
One of the reasons why protecting privacy is so hard is that our data is vulnerable in so many ways as it flows across the Internet. Threats can come from the companies that run online services, ISPs, telecom companies and governments. That’s bad enough for everyday situations, but in extreme ones, those weaknesses can have serious consequences.
For example, demonstrations and marches are much in the news these days. In some parts of the world, they take place in contexts where the local police and the military intervene, often violently and sometimes fatally. Communication among those taking part in such demonstrations is vitally important for coordination, and for keeping people safe by warning them of imminent threats. As a result, the authorities will be keen to eavesdrop on those conversations and, if necessary, to block them. Gathering information from mobile phone communications, and shutting down the Internet entirely, are two common approaches taken by some governments when tackling public demonstrations. Finding alternatives is vital for people who wish to protest safely.
The obvious solution is to create an independent, non-hierarchical, self-configuring local network that connects people within a group. This forms what is generally known as a mesh network. It’s an idea that has been around for several decades, but the near ubiquity of powerful smartphones has turned it into a practical approach that can be used by ordinary people without technical expertise. All that is needed is suitable software providing the mesh networking capabilities. One app that has become popular with people taking part in demonstrations is Bridgefy, which is based on Bluetooth communications. It was used by pro-democracy protesters in Hong Kong last year, and Bridgefy’s Twitter account has mentioned its deployment in the US, India, Zimbabwe and Belarus. Despite that widespread use around the world, often in contexts where the authorities will be interested in monitoring who is using the app, or in blocking it, a group of researchers at Royal Holloway, University of London, found a range of serious vulnerabilities in Bridgefy that underline the dangers of naively assuming that a mesh network app is safe to use for purposes requiring complete confidentiality.
As the academics’ paper explains, one major privacy problem is that anyone joining Bridgefy’s temporary mesh network can build a social graph of the interactions taking place there, both in real time and afterwards. Clearly, this kind of information is invaluable for the authorities who are trying to work out who is organizing protests, and who should be targeted in clampdowns. Since the Bridgefy app does not implement effective authentication, it is easy to impersonate arbitrary users. That’s a huge issue, because it means that it is simple to carry out a “man-in-the-middle” (MITM) attack, where the content of messages between any two users can be read, even though public key encryption is used, and they might assume their conversation is private. Essentially, the attacker impersonates both users, which enables encrypted messages to be read before being passed on so as not to reveal the surveillance. This is a dangerous situation: not only is surveillance taking place, but those affected are unaware of the fact.
Another problem with Bridgefy is that the basic encryption scheme used can be broken given a reasonable amount of time – for example, if a smartphone is seized by the authorities, and can be attacked repeatedly. Finally, the researchers were able to construct a “zip bomb” that completely shuts down the mesh network. This works by broadcasting a specially constructed compressed zip file to all users. When the relatively small file is unzipped, it increases in size greatly, causing the Bridgefy app to crash. When the user restarts the app, the file is unzipped again, and the app crashes once more. The overall result is that the mesh network becomes unusable. To its credit, Bridgefy has accepted that it must address these serious flaws:
“We realized that Bridgefy’s security model was appropriate for a small startup, but not for the scale it has achieved today and the growth we want in the future.
“Trying not to reinvent the wheel, we searched for an existing solution that we could use and was already validated by security experts, and so we decided to start implementing the Signal Protocol, a robust end-to-end encryption library.”
That’s for future versions of Bridgefy. In the meantime, there is a real need for an easy-to-use, robust and truly secure mesh network system that can be used by people taking part in demonstrations and protests, or in places where there is no Internet connection. The Royal Holloway researchers looked at some of the alternatives to Bridgefy. They mention FireChat, BLE Mesh Networking, HypeLabs, Briar, Serval and Subnodes, but found issues with all of them. That lack of a viable solution is extraordinary, and shows how superficial the protection for online privacy remains. Our continuing dependence on mainstream networks, which are subject to surveillance from many quarters, and risk being cut off completely, means that our privacy is still only provisional and partial.
Moreover, what is needed is not just a good, secure mesh networking solution, but an open source one. Proprietary systems can’t be trusted when it comes to sensitive matters, since companies are always liable to acquiesce to government demands for access or backdoors. A global mesh networking project should be a priority for free software coders everywhere. It would need some serious resources put behind it, and a concerted effort by privacy and human rights organizations to jointly fund such a major project is long overdue.
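As an added illustration of the zip bomb problem described earlier (this is not code from Bridgefy or from the researchers' paper), the Python example below shows the standard defence: inflate a received archive in bounded chunks, stop as soon as a size cap is exceeded, and drop the message so that it is not unzipped again after a restart. The 1 MiB cap, the function names and the sample archives are assumptions constructed for the example.

```python
import io
import zipfile

MAX_TOTAL_BYTES = 1024 * 1024  # assumed cap on inflated size per message
CHUNK = 64 * 1024              # read size while inflating

class ArchiveRejected(Exception):
    """The archive is malformed or inflates past the allowed size."""

def safe_unzip(blob: bytes, max_total: int = MAX_TOTAL_BYTES) -> dict:
    """Inflate an in-memory zip, aborting once output exceeds max_total."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile as exc:
        raise ArchiveRejected(f"not a valid zip: {exc}") from exc
    total = 0
    out = {}
    with archive:
        for info in archive.infolist():
            # Cheap early exit on the declared size; the header is
            # sender-controlled, so the streaming check below still runs.
            if total + info.file_size > max_total:
                raise ArchiveRejected("declared size over limit")
            buf = bytearray()
            with archive.open(info) as fh:
                while chunk := fh.read(CHUNK):
                    total += len(chunk)
                    if total > max_total:
                        raise ArchiveRejected("inflated size over limit")
                    buf += chunk
            out[info.filename] = bytes(buf)
    return out

def make_zip(name: str, payload: bytes) -> bytes:
    """Build a constructed sample archive for the demonstration."""
    mem = io.BytesIO()
    with zipfile.ZipFile(mem, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return mem.getvalue()

def handle_message(blob: bytes) -> str:
    """Return 'accepted' or 'dropped'. A dropped blob must be discarded by
    the caller, not re-queued, so a restart does not inflate it again."""
    try:
        safe_unzip(blob)
        return "accepted"
    except ArchiveRejected:
        return "dropped"
```

The cap bounds memory use regardless of what the archive header claims, and discarding a rejected message instead of storing it is what breaks the crash-on-restart loop the article describes.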
Featured image by congerdesign.