Confide, a favorite app of Trump’s White House, is ‘a triumph of marketing over substance’
Encryption is en vogue in Washington, D.C., but the app of choice for some of the most powerful and “paranoid Republicans” in the capital is profoundly insecure — a problem emblematic of the confounding security issues that have plagued Donald Trump’s young presidency.
Republicans in D.C., including members of the Trump administration, are now using Confide, an encrypted messaging app that quickly deletes old chats. Riding waves of media attention following major hacks from Sony to the Clinton campaign, the app boasts “military grade encryption” that attracts powerful businesspeople and political operatives as customers.
What does that actually mean?
“It’s a triumph of marketing over substance,” Alan Woodward, a security researcher and professor at the University of Surrey, told CyberScoop.
Aside from impressive-sounding marketing slogans, Confide has shared precious little specific technical information about the encryption it employs. There is no code to check, no white paper to analyze. But a preliminary review this week raised questions about possibly critically broken encryption under the hood of the app.
To encrypt messages, Confide uses OpenSSL, according to a preliminary independent review of the software by Jean-Philippe Aumasson, the principal research engineer at Kudelski Security. The OpenSSL version the app may use, 1.0.1f, dates back to January 2014 and has been obsolete and broken for years. This version is vulnerable to the Heartbleed bug that was disclosed in April 2014. The full scope of facts on how Confide works are not yet entirely clear due to the lack of transparency.
“OpenSSL has had a lot of vulnerabilities exposed in the last two years, and if Confide is using a version from 2014, all the recent vulnerabilities are there,” Khalil Sehnaoui, a Middle East-based cybersecurity specialist and founder of Krypton Security told CyberScoop.
The list of vulnerabilities runs to 68 known flaws, five of which are critical. The vulnerabilities allow the extraction of private keys which would mean that merely updating the version of OpenSSL in the app wouldn’t be enough to secure it. They’d have to re-issue all of the keys, a much more complex operation, Sehnaoui explained.
“Confide claims on their homepage that they’re using military grade encryption, which is usually referring to AES256,” he said. “As far as I know that level of encryption is not broken yet, but using an outdated version of OpenSSL is a not a problem in the encryption method, it’s a problem in the implementation of the crypto. Suggesting secure and encrypted communications while using carelessly an outdated version of OpenSSL is a dangerous thing for whoever will rely on such an application.”
Despite a three-year-old public relations operation that’s seen the app mentioned everywhere from the New York Times to TechCrunch, it appears that not a single reporter asked what “military grade encryption” really meant even as the app has reached the highest rungs of power in America. Nor did Confide offer any explanations. That runs counter to every security industry norm, under which encryption is transparent and its implementation is subject to constant testing. None of the popular articles on the app sought independent opinions of cryptography experts, but some reports nevertheless called Confide “the most secure messaging app we’ve ever seen.”
“It always worries me when someone starts by saying they use ‘military grade encryption.’ That immediately makes me start to look for the snake oil,” Woodward said. “It sounds like sales puff over substance.”
Confide’s team did not respond to a request for comment.
Misreading the TLS
The single technical-sounding detail included on Confide’s website is demonstrably wrong: “Transport Layer Security,” the website reads. “All communication goes through Transport Layer Security (TLS), preventing any possible man-in-the-middle attack and providing yet another layer of security, privacy and data integrity.”
The claim that TLS is immune to man-in-the-middle attacks is wrong and has been known to be wrong for years.
“The whole point about TLS is that it can be attacked by man-in-the-middle attacks,” Woodward said. “Look at hacker tools like sslstrip. Go and buy yourself a WiFi Pineapple, that’s one of the very things it does. So I don’t understand that claim.”
Apps like Signal are open about how they encrypt messages. The code is available for review, independent security experts continue to pick it apart and search for strengths and weaknesses.
Confide’s encryption is publicly unreviewable. Aumasson’s recent critical look notwithstanding, Confide has never had an independent security review even as apps like Signal and Wire have done so.
“Every messaging company must take exceptional care to protect its customer’s private data,” Alan Duric, the co-founder and CTO of Wire, told CyberScoop. “Regular audits of protocols, implementation and complete solutions are essential to ensure security. As applications evolve and are improved and extended, there are more risks that need to be evaluated. It is vital that independent experts are brought on board for this, as they have more distance from the code, and can bring unbiased and honest judgement.”
A personnel issue
A cryptographer might help, but Confide employs none.
The core team that put the app together includes successful businesspeople and developers but no cryptographers or security experts. They offer themes for sale and premium analytics for teams, a business model that’s won them nearly $4 million in venture capital from firms like Google Ventures, which did not respond to a request for comment. Still, no cryptographers.
“I don’t like crypto written by those who are general developers without advice from those skilled in the subject,” Woodward said. “It’s a sure way to introduce a weakness into the protocol regardless of what encryption might be used.”
Confide’s rise to popularity among obviously high-value targets — businesspeople and political operatives in this case — echoes the rise of Telegram, the messaging app that boasts over 100 million users but has repeatedly been criticized by cryptographers and security experts.
Then again, not all cryptographers were willing to criticize Confide’s boom in the nation’s capital.
“As an opponent of the Trump administration, I would not want to provide sourcing to a story that might keep them from continuing to use Confide,” Thomas Ptacek, a security researcher at Latacora, told CyberScoop.
Despite deliberate opaqueness, Confide has a few features that are easy to size up. For instance, they have a “Confide for Siri” feature that sends Siri (and thus Apple) a permanent copy of the message, poking a deep hole in the app’s ephemeral messaging, arguably the main selling point of the app.
How secure are features like ephemeral messaging and screenshot blocking, anyway? Look at Confide’s track record.
The app’s most high-profile known user is disgraced Democratic politician Anthony Weiner, who allegedly used it to communicate with underage girls. One accuser took photos of the “disappearing” messages from Weiner and shared them with reporters, a trivial task that undermines the app’s security promise. Those photos of Weiner’s messages haven’t disappeared, and now prosecutors are reportedly weighing child pornography charges against the former New York congressman.
For its customer base, Confide targets powerful professionals with serious privacy and security concerns.
“If you think about the type of people who are great for Confide, it’s people who communicate a lot of sensitive information as a matter of course,” company co-founder Jon Brod said in an interview on Monday morning with Cheddar, a video network. “Think about lawyers, journalists, media … management consultants, executives, boards of directors. Political operatives, regardless of which side of the aisle they fall on, fit nicely into that category.”
These are high-value targets who ought to be aware that Snapchat-style ephemeral messaging means little if an adversary whips out another device to snap a picture. While there is undoubtedly a strong security and privacy argument for minimizing the amount of old data and communications you retain — thus limiting some of the damage that can come from potential data breaches — it’s hardly the kind of tactic that will stymie a person who is even mildly determined to beat it.
“Complete transparency and community engagement must be of the utmost importance for any product that professes security as its core,” Duric said. “This cultivates the highest levels of trust and guarantees swift response times when vulnerabilities are discovered. Transparency must also apply to everything that is being done, from how customer data is being used, through the privacy policy, and the ability to prove this with the open sourced-code.”
Confide’s profound problems come on the heels of sustained criticism directed at Trump for using an old, insecure Android smartphone as well as criticism at his team for pointing their phones at critical national security documents while out in the open at Trump’s Mar-a-Lago golf club.
If broken encryption and Snapchat-style messaging is what’s protecting the White House now, the security trouble runs even deeper than previously thought.