Four security researchers have identified five cryptographic vulnerabilities in code libraries that can be exploited to undermine the Matrix federated communication protocol and its client software. This includes impersonating users and sending messages as them.
The researchers – Martin Albrecht (University of London), Sofía Celi (Brave Software), Benjamin Dowling (University of Sheffield) and Daniel Jones (University of London) – described their findings in a pre-print paper titled “Practically-exploitable Cryptographic Vulnerabilities in Matrix” [PDF].
“Our perspective is that these attacks together show a rich attack surface in Matrix from both a protocol and implementation perspective,” Benjamin Dowling, a lecturer in cybersecurity, told The Register.
“While Matrix has performed security audits of the various existing implementations, they sometimes fail to catch attacks that are present due to protocol flaws. Formally modeling the protocol and analyzing the security of the protocol design is an important step in catching and thus preventing attacks of this nature.”
Matrix bills itself as an open standard for real-time, distributed communications with strong end-to-end encryption, user verification, and other cryptographic protection mechanisms. If you’re into crypto-system design, the above PDF will be a real deep-dive treat.
The attacks – two critical and three lower priority – target the Matrix standard as implemented in the matrix-react-sdk, matrix-js-sdk, and matrix-android-sdk2 libraries, and they affect client software that incorporates such code, like Element, Beeper, Cinny, SchildiChat, Circuli, and Synod.im.
On Wednesday, The Matrix.org Foundation, which manages the decentralized communication protocol, issued an advisory describing the flaws as vulnerabilities in Matrix’s end-to-end encryption, and directed users of the aforementioned apps and libraries to upgrade them.
“These have now been fixed, and we have not seen evidence of them being exploited in the wild,” the Matrix.org foundation said. “All of the critical vulnerabilities require cooperation from a malicious homeserver to be exploited.”
The two critical bugs are identified as “Key/Device Identifier Confusion in SAS Verification” (CVE-2022-39250) and “Trusted Impersonation” (CVE-2022-39251).
The former refers to a matrix-js-sdk bug (not in the iOS or Android SDKs) that confuses device IDs with cross-signing keys, which could allow malicious server admins to impersonate target users. The latter refers to a protocol-confusion bug in matrix-js-sdk (and derived SDKs) that could allow attackers to spoof historical messages from other users. The “Trusted Impersonation” bug is also tracked as CVE-2022-39255 (matrix-ios-sdk) and CVE-2022-39248 (matrix-android-sdk2).
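The identifier confusion described above can be illustrated abstractly. The following is an added example, not code from matrix-js-sdk or the paper: it models a client that resolves the key identifiers named in a SAS verification MAC against both its device-key table and its cross-signing-key table, so a homeserver that registers a device whose ID collides with a cross-signing key identifier gets the wrong object marked as verified, and a hardened resolver that refuses ambiguous identifiers and checks a MAC over the actual key material. All names (PeerKeys, resolve_vulnerable, resolve_hardened), the sample keys and the simplified MAC construction are this example's own assumptions, not the real Matrix SAS derivation.

```python
"""Abstract model of a key/device identifier-confusion check in SAS verification.

Constructed example (not matrix-js-sdk code). Matrix key identifiers look like
"ed25519:<id>", where <id> is a device ID for device keys and the key itself
for cross-signing keys; the wire format does not say which kind is meant.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Tuple

KEY_PREFIX = "ed25519:"


def strip_prefix(key_id: str) -> str:
    return key_id[len(KEY_PREFIX):] if key_id.startswith(KEY_PREFIX) else key_id


def mac(secret: bytes, key_id: str, pubkey: str) -> str:
    """Simplified MAC binding an identifier to key material (constructed; the real
    Matrix SAS MAC uses an HKDF-derived key and a fixed info string)."""
    return hmac.new(secret, (key_id + pubkey).encode(), hashlib.sha256).hexdigest()


@dataclass
class PeerKeys:
    device_keys: Dict[str, str]         # device_id -> ed25519 public key (constructed strings)
    cross_signing_keys: Dict[str, str]  # key (as its own id) -> role, e.g. "master"


def resolve_vulnerable(peer: PeerKeys, key_ids: List[str]) -> List[Tuple[str, str]]:
    """Looks each identifier up in the device table first, then the cross-signing
    table, and marks whatever it finds as verified. A colliding device ID is
    therefore resolved as a device, even when the peer meant its cross-signing key."""
    verified = []
    for kid in key_ids:
        ident = strip_prefix(kid)
        if ident in peer.device_keys:
            verified.append(("device", ident))
        elif ident in peer.cross_signing_keys:
            verified.append(("cross_signing", ident))
    return verified


def resolve_hardened(peer: PeerKeys, key_ids: List[str], macs: Dict[str, str],
                     secret: bytes) -> List[Tuple[str, str]]:
    """Refuses identifiers present in both tables and only marks a key verified if
    the peer's MAC binds the identifier to the key material the client holds."""
    verified = []
    for kid in key_ids:
        ident = strip_prefix(kid)
        in_dev, in_xs = ident in peer.device_keys, ident in peer.cross_signing_keys
        if in_dev and in_xs:
            raise ValueError(f"ambiguous identifier {kid!r}: refusing to verify")
        if in_dev:
            kind, material = "device", peer.device_keys[ident]
        elif in_xs:
            kind, material = "cross_signing", ident
        else:
            continue
        if not hmac.compare_digest(mac(secret, kid, material), macs.get(kid, "")):
            continue  # MAC does not cover this material: leave it unverified
        verified.append((kind, ident))
    return verified


def demo() -> dict:
    secret = b"constructed-shared-sas-secret"
    honest = PeerKeys(device_keys={"BOBPHONE": "bobphone-ed25519-pub"},
                      cross_signing_keys={"BOBMASTERKEY": "master"})
    key_ids = ["ed25519:BOBPHONE", "ed25519:BOBMASTERKEY"]
    macs = {
        "ed25519:BOBPHONE": mac(secret, "ed25519:BOBPHONE", "bobphone-ed25519-pub"),
        "ed25519:BOBMASTERKEY": mac(secret, "ed25519:BOBMASTERKEY", "BOBMASTERKEY"),
    }
    # A malicious homeserver adds a device whose ID collides with the master key id.
    tampered = PeerKeys(device_keys={**honest.device_keys, "BOBMASTERKEY": "attacker-ed25519-pub"},
                        cross_signing_keys=dict(honest.cross_signing_keys))
    out = {
        "honest_vulnerable": resolve_vulnerable(honest, key_ids),
        "honest_hardened": resolve_hardened(honest, key_ids, macs, secret),
        "tampered_vulnerable": resolve_vulnerable(tampered, key_ids),
    }
    try:
        resolve_hardened(tampered, key_ids, macs, secret)
        out["tampered_hardened"] = "accepted"
    except ValueError:
        out["tampered_hardened"] = "refused"
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

In the tampered case the vulnerable resolver marks the server-inserted device as verified; the hardened one aborts the verification because the identifier is ambiguous, and even without the collision check the MAC over the attacker's key material would not match.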
A variant of the “Trusted Impersonation” attack, tracked under the same CVE, is referred to as “Malicious key backup.” It’s a scenario in which a malicious homeserver admin could add a malicious key backup to the user’s account to exfiltrate message keys.
The lower priority vulnerabilities include: “Semi-trusted Impersonation,” “Homeserver Control of Room Membership,” and “IND-CCA break.”
With the “Semi-trusted Impersonation” bug, the matrix-js-sdk (and derived SDKs) accepts keys forwarded by other users that have not been requested. This allows malicious admins to impersonate other users, though clients like Element will present a warning: “The authenticity of this encrypted message can’t be guaranteed.”
The bug has been designated moderate severity under the identifiers: CVE-2022-39249 (matrix-js-sdk), CVE-2022-39257 (matrix-ios-sdk), and CVE-2022-39246 (matrix-android-sdk2).
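The acceptance logic behind the semi-trusted impersonation issue can be modelled in a few lines. This is an added example, not code from matrix-js-sdk or the paper: it contrasts a key store that accepts any forwarded room key with one that records its own outstanding key requests and drops forwards it never asked for. The class and field names, the sample room and device identifiers, and the decision to drop rather than flag unsolicited keys are this example's own assumptions.

```python
"""Model of accepting forwarded room keys only when they answer our own request.

Constructed example (not matrix-js-sdk code). A forwarded room key carries the
room, the session id, the key of the device that created the session, and the
key material. A client that stores any such forward lets whoever sent it seed a
session whose messages then appear to come from `sender_key`.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class KeyRequest:
    room_id: str
    session_id: str
    sender_key: str      # public key of the device that created the session


@dataclass(frozen=True)
class ForwardedRoomKey:
    room_id: str
    session_id: str
    sender_key: str
    forwarded_by: str    # device that sent the forward
    session_key: str     # key material, opaque in this model


@dataclass
class VulnerableKeyStore:
    """Stores every forwarded key, requested or not."""
    sessions: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def on_forwarded_key(self, fwd: ForwardedRoomKey) -> bool:
        self.sessions[(fwd.room_id, fwd.session_id)] = fwd.session_key
        return True


@dataclass
class HardenedKeyStore:
    """Stores a forwarded key only if it matches a request this client sent,
    and consumes the request so the same forward cannot be replayed."""
    sessions: Dict[Tuple[str, str], str] = field(default_factory=dict)
    pending: Set[KeyRequest] = field(default_factory=set)
    rejected: List[ForwardedRoomKey] = field(default_factory=list)

    def request_key(self, room_id: str, session_id: str, sender_key: str) -> None:
        self.pending.add(KeyRequest(room_id, session_id, sender_key))

    def on_forwarded_key(self, fwd: ForwardedRoomKey) -> bool:
        req = KeyRequest(fwd.room_id, fwd.session_id, fwd.sender_key)
        if req not in self.pending:
            self.rejected.append(fwd)   # unsolicited: do not trust it
            return False
        self.pending.discard(req)
        self.sessions[(fwd.room_id, fwd.session_id)] = fwd.session_key
        return True


def demo() -> dict:
    # Constructed messages: one answers a request we made, one is unsolicited.
    requested = ForwardedRoomKey("!room:example.org", "sess-1", "curve25519-alice",
                                 "ALICE_LAPTOP", "key-1")
    unsolicited = ForwardedRoomKey("!room:example.org", "sess-9", "curve25519-alice",
                                   "UNKNOWN_DEVICE", "key-9")
    vulnerable, hardened = VulnerableKeyStore(), HardenedKeyStore()
    hardened.request_key("!room:example.org", "sess-1", "curve25519-alice")
    return {
        "vulnerable": [vulnerable.on_forwarded_key(requested),
                       vulnerable.on_forwarded_key(unsolicited)],
        "hardened": [hardened.on_forwarded_key(requested),
                     hardened.on_forwarded_key(unsolicited)],
        "hardened_replay": hardened.on_forwarded_key(requested),
        "hardened_sessions": sorted(hardened.sessions),
        "hardened_rejected": len(hardened.rejected),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

A client may instead keep an unsolicited key but mark the session untrusted so that its messages carry a warning like the Element one quoted above; the model drops it outright, which is the simpler rule to reason about.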
Trouble at home
The “Homeserver” bug allows a malicious homeserver to issue invites to server-controlled users or add server-controlled devices to user accounts. Warnings exist to guard against this, but Matrix.org says it intends to improve the behavior with fixes scheduled to land in the next few months.
And in the “IND-CCA break” attack, “an adversary is able to decrypt a challenge ciphertext by querying encryption and decryption oracles, without requesting decryption of the challenge ciphertext directly,” the paper explains. However, the researchers say this attack is only theoretical as they don’t see a practical way to carry it out. Repairs are nonetheless planned.
The researchers’ paper observes that Matrix relies on a “bespoke cryptographic protocol [that] has not received an in-depth treatment from the cryptographic (academic or practitioner) community.”
Asked whether the flaws that have surfaced validate the advice of cryptography experts to stick with proven algorithms instead of rolling your own, Dowling said:
“Given that Matrix attempts to achieve strong secure messaging in a novel setting (specifically, decentralized group messaging), it follows that introducing a new protocol design is inevitable. We would instead say that these vulnerabilities highlight the need for rigorous formal analysis during the design phase and before using new cryptographic designs in production.”
“While today’s fixes are not complete, these are good first steps towards ensuring that Matrix lives up to its promises of confidentiality and authentication,” said Daniel Jones, a doctoral candidate at Royal Holloway, University of London, in a statement. “The longer term plans communicated to us by the Matrix developers should then provide full protection against our attacks.
“Matrix occupies a unique position within the messaging space, providing an end-to-end encrypted federated messaging platform. We hope our work inspires others to scrutinize its security to ensure that potential further issues are found-and-fixed or ruled out early. Doing so will help to strengthen the platform and ensure its long-term viability.” ®