This repository contains the code for our proof-of-concept attacks; see below for a rough overview of each directory. You can find out more about the attacks themselves in our FAQ.
This directory contains the Go program ptxtrecov, which is used to simulate the Broadcast Message Recovery attack. It has two subcommands, "simulate" and "attack": the former collects packets for the simulation phase, the latter for the attack phase.

For the simulation phase, the program iterates, for every possible payload content, through all possible hops the same number of times and records the packet's length at each hop.
It outputs a JSON file that represents a mapping p -> h -> l -> l' -> c, where p is the payload content, h is the hop where the packet was recorded, l is the length of the packet, l' is the length of the packet at the previous hop, and c is the count of how often that combination was observed.
For the attack phase, the program iterates through all possible hops only for the specified payload content and records the packet's length. It outputs a JSON file of the same form, but now p takes only the value of the specified payload content.
This directory contains Frida scripts to perform the TOCTOU attack (Breaking Confidentiality of Private Chats) and other demos. To run the TOCTOU demo, install Python 3 and Frida, and execute the script as follows, passing the adb device id of the phone and the target app name:
./userid-toctou.py <adb_phone_id> 'Bridgefy'
A video demo of this attack is available here on Twitter. Be aware that the attack no longer works on more recent versions of Bridgefy.
This directory contains a Python program to analyse the files generated by ptxtrecov. It reads a simulation file and one or more attack files, and outputs the rank of each attack file, printed as the payload name followed by its rank. Here is a snippet of an example output:
paradise 4
paradise 10
paradise 71
[...]
kimberly 18
kimberly 45
kimberly 27
The program can be instructed to disregard packets recorded at hops above a given number with the --max-hop parameter. For smoothing the length frequencies, either Laplace or Good-Turing smoothing can be selected with the --method parameter.
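The following is an added example, not the repository's analysis program, showing how the p -> h -> l -> l' -> c files described for ptxtrecov can be turned into a ranking like the one above. It builds a constructed simulation file with three payloads and a constructed attack file for one of them (the lengths and counts are invented, not Bridgefy measurements), scores each simulated payload by a Laplace-smoothed log-likelihood of the observed (l, l') transitions per hop, and reports the 1-based rank of the true payload. The scoring rule, the hop cut-off helper and the function names are assumptions of this example; the real program's scoring, and its Good-Turing option, are not reproduced here.

```python
import json
import math
from collections import defaultdict

# Constructed sample of the simulation file format (p -> h -> l -> l' -> c).
# Payloads, hop numbers, lengths and counts are invented for this example.
SIMULATION_JSON = json.dumps({
    "paradise": {"1": {"101": {"0": 40}},
                 "2": {"117": {"101": 30}, "133": {"101": 10}}},
    "kimberly": {"1": {"101": {"0": 40}},
                 "2": {"117": {"101": 10}, "133": {"101": 30}}},
    "leaving":  {"1": {"97": {"0": 40}},
                 "2": {"113": {"97": 38}, "129": {"97": 2}}},
})

# Constructed attack file: same shape, but p takes a single value.
ATTACK_JSON = json.dumps({
    "kimberly": {"1": {"101": {"0": 4}},
                 "2": {"117": {"101": 1}, "133": {"101": 3}}},
})


def load_counts(text, max_hop=None):
    """Flatten p -> h -> l -> l' -> c into {p: {h: {(l, l'): c}}}.

    Hops greater than max_hop are dropped (a --max-hop style cut-off;
    assumed semantics for this example).
    """
    counts = {}
    for payload, hops in json.loads(text).items():
        per_hop = {}
        for hop, lengths in hops.items():
            h = int(hop)
            if max_hop is not None and h > max_hop:
                continue
            table = {}
            for length, prev_lengths in lengths.items():
                for prev_length, c in prev_lengths.items():
                    table[(int(length), int(prev_length))] = int(c)
            per_hop[h] = table
        counts[payload] = per_hop
    return counts


def laplace_log_likelihood(candidate, observed, vocab, alpha=1.0):
    """log P(observed | candidate) with add-alpha (Laplace) smoothing per hop.

    candidate: {h: {(l, l'): c}} simulated counts for one payload
    observed:  {h: {(l, l'): c}} counts from the attack file
    vocab:     {h: set of (l, l') pairs seen at that hop anywhere}
    Unseen transitions get probability alpha / (n + alpha * |vocab|)
    instead of zero, so one unexpected length does not rule a payload out.
    """
    total = 0.0
    for h, obs_table in observed.items():
        sim_table = candidate.get(h, {})
        n = sum(sim_table.values())
        v = len(vocab[h])
        for pair, obs_count in obs_table.items():
            p = (sim_table.get(pair, 0) + alpha) / (n + alpha * v)
            total += obs_count * math.log(p)
    return total


def score_candidates(sim_text, attack_text, max_hop=None, alpha=1.0):
    """Return ({payload: log-likelihood}, true_payload) for one attack file."""
    sim = load_counts(sim_text, max_hop)
    attack = load_counts(attack_text, max_hop)
    [(true_payload, observed)] = attack.items()  # attack file has exactly one p
    vocab = defaultdict(set)
    for per_hop in list(sim.values()) + [observed]:
        for h, table in per_hop.items():
            vocab[h].update(table)
    scores = {p: laplace_log_likelihood(cand, observed, vocab, alpha)
              for p, cand in sim.items()}
    return scores, true_payload


def rank_attack(sim_text, attack_text, max_hop=None, alpha=1.0):
    """1-based rank of the true payload; tied candidates share the better rank."""
    scores, true_payload = score_candidates(sim_text, attack_text, max_hop, alpha)
    best = scores[true_payload]
    return 1 + sum(1 for s in scores.values() if s > best)


if __name__ == "__main__":
    scores, true_payload = score_candidates(SIMULATION_JSON, ATTACK_JSON)
    for p, s in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(f"{p:10s} {s:8.3f}")
    # Same shape as the analysis output above: payload name, then its rank.
    print(true_payload, rank_attack(SIMULATION_JSON, ATTACK_JSON))
```

With the constructed data, "kimberly" and "paradise" produce identical lengths at hop 1 and only differ at hop 2, so dropping hop 2 with max_hop=1 makes them tie for rank 1; this is the kind of effect the --max-hop parameter lets you study.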