Injection Attacks Against End-to-End Encrypted Applications (2411.09228v1)

Abstract: We explore an emerging threat model for end-to-end (E2E) encrypted applications: an adversary sends chosen messages to a target client, thereby "injecting" adversarial content into the application state. Such state is subsequently encrypted and synchronized to an adversarially-visible storage. By observing the lengths of the resulting cloud-stored ciphertexts, the attacker backs out confidential information. We investigate this injection threat model in the context of state-of-the-art encrypted messaging applications that support E2E encrypted backups. We show proof-of-concept attacks that can recover information about E2E encrypted messages or attachments sent via WhatsApp, assuming the ability to compromise the target user's Google or Apple account (which gives access to encrypted backups). We also show weaknesses in Signal's encrypted backup design that would allow injection attacks to infer metadata including a target user's number of contacts and conversations, should the adversary somehow obtain access to the user's encrypted Signal backup. While we do not believe our results should be of immediate concern for users of these messaging applications, our results do suggest that more work is needed to build tools that enjoy strong E2E security guarantees.

• The paper identifies injection attacks targeting vulnerabilities in encrypted backups of messaging apps like WhatsApp and Signal.
• It demonstrates proof-of-concept exploits using deduplication, compression, and indexing flaws to infer sensitive user data.
• The research highlights the need for enhanced cryptographic practices to mitigate side-channel leakage in E2E encrypted systems.

Injection Attacks Against End-to-End Encrypted Applications

The paper "Injection Attacks Against End-to-End Encrypted Applications" explores an emergent threat model targeting end-to-end (E2E) encrypted messaging applications such as WhatsApp and Signal, focusing on the security implications of E2E encrypted backups. This research identifies a novel class of attacks termed "injection attacks," wherein an adversary injects chosen messages into a victim's application state. This injected adversarial content, once synchronized and encrypted as part of the application's regular backup process, can lead to potential information leakage—even without breaching the encryption key.

Summary of Attacks and Methodology

The authors present several proof-of-concept attacks within this framework across popular messaging platforms, primarily WhatsApp and Signal. The attacks capitalize on cryptographic design choices such as deduplication, compression before encryption, and searchable keyword indices in the encrypted application backups. Notably, while these attacks do not directly invalidate the underlying security protocols themselves (such as the Signal protocol), they exploit vulnerabilities in related functionalities, notably E2E encrypted backups.

• Deduplication Attack: This attack exploits WhatsApp's deduplication feature, which ensures only one version of each unique attachment is stored. By sending attachments from various sources but observing only one storage instance, adversaries can deduce which files a user has received.
• Compression Attack: Taking advantage of zlib compression employed by WhatsApp before encryption, this attack infers the presence of specific messages based on the size variations of the compressed database files resulting from injected content.
• FTS4 Indexing Attack: The exploitation of SQLite's FTS4 indexing in WhatsApp is another vector for attack, wherein adversarial queries can deduce information about message presence based on specific observable patterns in the indexed data structures.
• Signal Metadata Attack: The attack on Signal revolves around deducing user metadata—such as the number of contacts or received messages—by leveraging the serialization and encryption process of SQL statements and media stored in Signal backups.

Implications and Future Work

The observations from this paper reveal critical insights into the nuances of ensuring confidentiality in E2E encrypted systems, particularly concerning the design and implementation of backup functionalities. While the empirical results highlight potential vulnerabilities not perceived as immediate threats, they nonetheless underscore the necessity for robust cryptographic practices that preclude such side-channel information leakage. Specifically, the authors suggest improvements like disabling deduplication or adjusting compression strategies to mitigate similar attacks' efficacy.

On a larger scale, these insights call for scrutinizing encryption practices holistically, especially as more applications are adopting E2E encrypted mechanisms beyond messaging, including productivity tools and web services. Future research should aim to develop comprehensive countermeasures that do not solely rely on point fixes but also consider the broad interplay of encryption, application design, and user interaction patterns.

The paper concludes with responsible disclosure notes, having worked with WhatsApp and Signal towards improving the secure state of their backup functionalities. The described injection attacks serve as important indicators of the intricate balance that designers must maintain between utility and security within encrypted systems. Further explorations could contribute foundationally towards strengthening E2E encryption guarantees in various operational contexts, aligning with evolving security paradigms.