Firechat: not secure... yet

Firechat is a new app for Android, iOS, and Windows Phone that has gained momentum because of its interesting ability to create mesh networks, or ad hoc networks. There are a few conditions for using the app, one being that an internet connection is required for the initial creation of a username and password. The fact that the creators ask for real names shows how much they don’t understand how their app is being used, though there is no verification of the real name. Firechat has become so popular because in large protests, like those in Hong Kong, cell networks can be congested and almost unusable. Also, in protest situations the government can actually shut down the networks to prohibit communication. Lastly, there is the case where there is no network at all, for example at Burning Man in Nevada. This is where Firechat comes in. Firechat uses mesh networks created with a combination of Bluetooth and Wi-Fi. Each phone acts as a node that can forward messages to the nodes around it.

This app is really cool on the technical side alone, but in practice there are some security flaws to mention. The messages that all the nodes on the mesh network receive are in plain text, and there is no verification on the messages to see if they were manipulated. Using a tool called Blucat, a version of Netcat that port scans over Bluetooth, it is possible to see the messages. It is then possible to spoof where the messages are coming from and send your own fake messages.
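What the missing verification could look like, as an added example that is not Firechat's code or wire format: each message carries an HMAC tag over sender, sequence number and body, so a receiver can reject anything a relay node altered or injected. The envelope fields, `ROOM_KEY`, and the `seal`/`Receiver` names are hypothetical. A shared room key only proves the sender holds the key (it does not tell members apart) and the body is still not encrypted.

```python
import hashlib
import hmac
import json

# Constructed demo key; assumed to be shared out of band by the room's members.
ROOM_KEY = hashlib.sha256(b"constructed demo room key").digest()


def _canonical(sender: str, seq: int, body: str) -> bytes:
    # Unambiguous encoding of every field the tag must cover.
    return json.dumps([sender, seq, body], separators=(",", ":")).encode()


def seal(key: bytes, sender: str, seq: int, body: str) -> dict:
    """Build an envelope whose tag covers sender, sequence number and body."""
    tag = hmac.new(key, _canonical(sender, seq, body), hashlib.sha256).hexdigest()
    return {"sender": sender, "seq": seq, "body": body, "tag": tag}


class Receiver:
    """Verifies envelopes that arrived through untrusted relay nodes."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = {}  # highest sequence number accepted per sender

    def accept(self, env: dict) -> str:
        sender, seq, body, tag = (env.get(k) for k in ("sender", "seq", "body", "tag"))
        if not (isinstance(seq, int) and all(isinstance(v, str) for v in (sender, body, tag))):
            return "malformed"
        expected = hmac.new(self.key, _canonical(sender, seq, body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), tag.encode("ascii", "replace")):
            return "bad-tag"  # altered in transit, or sent without the room key
        if seq <= self.last_seq.get(sender, -1):
            return "replay"   # authentic, but already seen
        self.last_seq[sender] = seq
        return "ok"


def demo() -> list:
    rx = Receiver(ROOM_KEY)
    genuine = seal(ROOM_KEY, "alice", 1, "meet at the north gate")
    altered = dict(genuine, body="meet at the south gate")  # relay rewrote the text
    respoofed = dict(genuine, sender="bob")                 # relay changed the origin
    outsider = seal(b"\x00" * 32, "alice", 2, "injected")   # sender lacks the room key
    return [rx.accept(m) for m in (genuine, altered, respoofed, outsider, genuine)]
```

Telling individual senders apart would need per-user signatures checked against known public keys instead of one shared key.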

In conclusion, Firechat is a cool new app that has a lot of potential. I hope these security flaws are fixed soon; in the meantime, have fun.

Live demo of Blucat @ 9:16 https://www.youtube.com/watch?v=39fNxtTJtis&list=UU3s0BtrBJpwNDaflRSoiieQ

Source article

http://breizh-entropy.org/~nameless/random/posts/firechat_and_nearby_communication/
