@jack is back with a weekend project. Yes, that Jack. [Jack Dorsey] spent last weekend learning about Bluetooth meshing, and built Bitchat, a BLE mesh encrypted messaging application. It uses X25519 for key exchange, and AES-GCM for message encryption. [Alex Radocea] took a look at the current state of the project, suspects it was vibe coded, and points out a glaring problem with the cryptography.

So let’s take a quick look at the authentication and encryption layer of Bitchat. The whitepaper is useful, but still leaves out some of the important details, like how the identity key is tied to the encryption keys. The problem here is that it isn’t.

Bitchat has, by necessity, a trust-on-first-use authentication model. There is intentionally no authentication central authority to verify the keys of any given user, and the application hasn’t yet added an out-of-band authentication method, like scanning QR codes. Instead, it has a favorites system, where the user can mark a remote user as a favorite, and the app saves those keys forever. There isn’t necessarily anything wrong with this approach, especially if users understand the limitations.

The other quirk is that Bitchat uses ephemeral keys for each chat session, in an effort to have some forward secrecy. In modern protocols, it’s desirable to have some protection against a single compromised encryption key exposing all the messages in the chain. It appears that Bitchat accomplishes this by generating dedicated encryption keys for each new chat session. But those ephemeral keys aren’t properly verified. In fact, they aren’t verified by a user’s identity key at all!

The attack then, is to send a private message to another user, present the public key of whoever your’re trying to impersonate, and include new ephemeral encryption keys. Even if your target has this remote user marked as a favorite, the new encryption keys are trusted. So the victim thinks this is a conversation with a trusted person, and it’s actually a conversation with an attacker. Not great.

Now when you read the write-up, you’ll notice it ends with [Alex] opening an issue on the Bitchat GitHub repository, asking how to do security reports. The issue was closed without comment, and that’s about the end of the write-up. It is worth pointing out that the issue has been re-opened, and updated with some guidance on how to report flaws.

Post-Quantum Scanning

There’s a deadline coming. Depending on where you land on the quantum computing skepticism scale, it’s either the end of cryptography as we know it, or a pipe dream that’s always going to be about 10 years away. My suspicion happens to be that keeping qubits in sync is a hard problem in much the same way that factoring large numbers is a hard problem. But I don’t recommend basing your cryptography on that hunch.

Governments around the world are less skeptical of the quantum computer future, and have set specific deadlines to migrate away from quantum-vulnerable algorithms. The issue here is that finding all those uses of “vulnerable” algorithms is quite the challenge. TLS, SSH, and many more protocols support a wide range of cryptography schemes, and only a few are considered Post Quantum Cryptography (PQC).

Anvil Secure has seen this issue, and released an Open Source tool to help. Pqcscan is a simple idea: Scan a list of targets and collect their supported cryptography via an SSH and TLS scan. At the end, the tool generates a simple report of how many of the endpoints support PQC. This sort of compliance is usually no fun, but having some decent tools certainly helps.

Citrixbleed 2

Citrix devices have a problem. Again. The nickname for this particular issue is CitrixBleed 2, which hearkens all the way back to Heartbleed. The “bleed” here refers to an attack that leaks little bits of memory to attackers. We know that it’s related to an endpoint called doAuthentication.do.

The folks at Horizon3 have a bit more detail, and it’s a memory management issue, where structures are left pointing to arbitrary memory locations. The important thing is that an incomplete login message is received, the code leaks 127 bytes of memory at a time.

What makes this vulnerability particularly bad is that Citrix didn’t share any signs of attempted exploitation. Researchers have evidence of this vulnerability being used in the wild back to July 1st. That’s particularly a problem because the memory leak is capable of revealing session keys, allowing for further exploitation. Amazingly, in an email with Ars Technica, Citrix still refused to admit that the flaw was being used in the wild.

Opossum

We have a new TLS attack, and it’s a really interesting approach. The Opossum Attack is a Man in the Middle (MitM) attack that takes advantage of of opportunistic TLS. This TLS upgrade approach isn’t widely seen outside of something like email protocols, where the StartTLS command is used. The important point here is that these connections allow a connection to be initiated using the plaintext protocol, and then upgrade to a TLS protocol.

The Opossum attack happens when an attacker in a MitM position intercepts a new TCP connection bound for a TLS-only port. The attacker then initiates a plaintext connection to that remote resource, using the opportunistic port. The attacker can then issue the command to start a TLS upgrade, and like an old-time telephone operator, patch the victim through to the opportunistic port with the session already in progress.

The good news is that this attack doesn’t result in encryption compromise. The basic guarantees of TLS remain. The problem is that there is now a mismatch between exactly how the server and client expect the connection to behave. There is also some opportunity for the attacker to poison that connection before the TLS upgrade takes place.

TSAs

AMD has announced yet another new Transient Execution attack, the Transient Scheduler Attack. The AMD PDF has a bit of information about this new approach. The newly discovered leak primitive is the timing of CPU instructions, as instruction load timings may be affected by speculative execution.

The mitigation for this attack is similar to others. AMD recommends running the VERW instruction when transitioning between Kernel and user code. The information leakage is not between threads, and so far appears to be inaccessible from within a web browser, cutting down the real-world exploitability of this new speculative execution attack significantly.

Bits and Bytes

The majority of McDonald’s franchises uses the McHire platform for hiring employees, because of course it’s called “McHire”. This platform uses AI to help applicants work through the application process, but the issues found weren’t prompt injection or anything to do with AI. In this case, it was a simple default username and password 123456:123456 that gave access to a test instance of the platform. No real personal data, but plenty of clues to how the system worked: an accessible API used a simple incrementing ID, and no authentication to protect data. So step backwards through all 64 million applications, and all that entered data was available to peruse. Yikes! The test credentials were pulled less than two hours after disclosure, which is an impressive turn-around to fix.

When you’ve been hit by a ransomware attack, it may seem like the criminals on the other side are untouchable. But once again, international law enforcement have made arrests of high-profile ransomeware gangs. This time it’s members of Scattered Spider that were arrested in the UK.

And finally, the MCP protocol is once again making security news. As quickly as the world of AI is changing, it’s not terribly surprising that bugs and vulnerabilities are being discovered in this very new code. This time it’s mcp-remote, which can be coerced to run arbitrary code when connecting to a malicious MCP server. Connect to server, pop calc.exe. Done.