Firechat, a peer-to-peer messaging app using bluetooth or wifi signals, is getting a lot of attention for being downloaded 100,000 times during recent protests in China. Organizers in Hong Kong are instructing protesters to download Firechat in the event authorities shutter cellular or internet service.
But lost in the noise has been the fact that Firechat (currently just an iOS app) wasn't designed for either privacy or security. If Chinese authorities stood in the midst of a protesters' group Firechat, which has a range of about 200 feet, they too would be able to connect via mesh network. They would even see every message because it's all made public in Firechat's open chat rooms.
Peer-to-peer wireless mesh networks, like the one Firechat creates, can be created with radio waves and wifi routers on mobile devices. The advantages to mesh networks are their hyper-locality and ability to identify and block hackers. They also push all communications outside of central authorities like an ISP or cell tower, which can be easily surveilled by intelligence agencies.
As you can imagine, mesh networks are a boon for regions with poor reception, and advantageous for users under the yoke of heavy government surveillance or internet and cellular blackouts.
Back in June, Christophe Daligault, Vice President of Sales and Marketing at Open Garden, the start-up that created Firechat, told Wired that this very openness could put users in harm's way if they are amid hostiles.
"People need to understand that this is not a tool to communicate anything that would put them in a harmful situation if it were to be discovered by somebody who's hostile," Daligualt told Wired, discussing Firechat's adoption by Iranians when WhatsApp was banned. "It was not meant for secure or private communications."
An attacker could flood the network with bogus messages to spread misinformation or overload the network.
It's also vital to understand that Firechat doesn't allow one-to-one messaging, and there is no encryption. If Chinese state authorities wished to track in real-time the decision-making process and tactics of protesters via Firechat messaging, all they would have to do, in theory, is dress in plain clothes, pose as either a protestor or observer, and connect to Firechat. It would be as informative as if they were hearing protesters verbally discuss decisions and tactics.
Strangely, Daligault isn't voicing the same concern on his Twitter feed. Instead, he's retweeting articles about how integral Firechat is to Hong Kong's anti-China protests. Daligault did not respond to Motherboard's requests for comment.
Elijah Sparrow of the LEAP Encryption Access Project, and co-creator of encrypted messaging app Bitmask, said while he thinks that mesh networking tools like Firechat hold a lot of future potential, the big problem is how to communicate to the user what threats they are exposing themselves to.
"It is difficult to convey to users all the security implications of an app," said Sparrow. "Firechat messages are unauthenticated, so an attacker could flood the network with bogus messages to spread misinformation or overload the network."
Sparrow also said an attacker could inject messages containing false information, and impersonate another user, sending messages that appear to be legitimate. "These are really hard problems, and just 'adding encryption' will not address any of those issues," Sparrow said.
Hong Kong protest organizers seem more concerned with acting preemptively against a state internet shutdown. Firechat would indeed be invaluable in such a situation. But that's no reason to throw caution to the wind and expose communications to the authorities that could be walking in the protesters' midst.