[messaging] Exposing MITM attacks socially engineered through group chat introductions

Sun Jan 25 00:03:18 PST 2015

A messaging system with a group chat facility would normally allow contacts to introduce other contacts through the group chat facility.  In fact, if the chat did not allow such introductions then it'd reveal social graph information about contacts, which sounds bad. 

Any such introduction facility admits a kind of socially engineered MITM attack :  Eve initiates a (group) conversation between Alice and Bob with the express intention of introducing Alice to Bob.  However, Eve actually introduces Alice to fakeBob and Bob to fakeAlice which maintain an MITM attack Alice and Bob’s future communications. 

There is nothing really intrinsic to the introductions or a group chat facility here since Eve could convince Alice and Bob to contact Eve’s fake Alice and Bob accounts that perform the MITM attack through ordinary one-on-one messages, but the attack appear more seamless. 

At the same time, I suspect the facility for introductions actually makes this style of socially engineered MITM attack less dangerous overall because : 
(a) it means introductions will frequently occur between honest parties, 
(b) it gives the software a place to explain the risks, and 
(c) such attacks can become visible though having multiple contacts that should represent the same person. 

I’ve recently submitted a patch to Pond for sending messages to multiple recipients, optionally introducing some to all the others.  It saves a rudimentary local social graph of such introductions to facilitate users exposing possible attacks of this form when they notice duplicate contacts :  https://github.com/agl/pond/pull/161

At present the patch records three types of information :
- who a contact was originally introduced by
- who else has verified/corroborated that contact by also sending an introduction
- who you introduced a contact to 

I’d appreciate any comments on the attack vector, or that patch in particular, especially if additional information should be retained in those local social graph records.  In particular, I’d love to address scenarios like this one :

Eve does introduction MITM attacks on Alice and Bob, and Bob and Carol.  Bob messages Alice and Carol, introducing them.  Alice and Carol are now MITMed by Eve too but see their introduction as coming from Bob, who they trust.  

How to address this? 

The software could note that Eve introduced Bob when it notes that Bob introduced someone.  This is a no brainer.  We could however imagine longer chains of introductions the suspicious party Eve is not visible to the newly introduced parties. 

Bob could attach flag or counter to his introduction message, indicating that Alice and Carol were introduced to him.  It’s not clear to me that his is particularly useful though.  And it reveals a small amount of information about Bob’s contact list, not much, but something. 

Alternatively, Bob could attach some form of token that’d help someone who also knows Eve identify that Eve was the original source of the introduction.  I suspect any such token could be defeated by Eve through using multiple accounts or similar and this reveals too much information about Bob’s social circle. 

Any thoughts? 

Thank you,
Jeff