Nathan Freitas and Oiwan Lam contributed to this article.
On Monday, September 29, social media enthusiasts and western media outlets unleashed a flurry of stories about pro-democracy protesters in Hong Kong using the chat app FireChat. Although it appears that many of these accounts exaggerated the popularity of the app, activists and security researchers close to the situation believe it is important to make public information about what the app is — and what it is not.
First off, FireChat is not a messaging app. FireChat is a chatroom, a platform to send insecure and public messages to people over the Internet or within your geographical vicinity.
Once installed, the app requires the user to sign up with her real name (which will be pre-filled with the name she eventually configures on her iOS or Android phone), a username and an email address. Once logged in, a user can either join online chatrooms, create new ones, or start directly sending messages to everyone in her vicinity who is also connected to FireChat. These direct messages relay from one phone to another through Bluetooth technology. Thus, when rumor had it that authorities planned to shut down mobile networks, FireChat was advertised as a way to chat while “off-the-grid,” as it doesn't necessarily require an Internet connection.
There are many misconceptions afoot about the capacity, privacy and security of FireChat, so let's get it straight:
FireChat is not secure. It is not designed to preserve user privacy, or the security and confidentiality of user messages.
FireChat has no system for user authentication. If messages appear to come from a prominent name (for example, protest coordinators or reporters), there is no way to verify their legitimacy. An attacker could easily impersonate a prominent individual and either spread false information or spread links to download and install spyware. This has already happened to local activists on several occasions over the past few weeks.
Security researchers familiar with the technology recommend that activists not use their real names and avoid sending messages with information that is private or sensitive. Remember that there may be infiltrators among the protesters collecting messages through FireChat, which are both stored on your device and sent over the network unencrypted. For more detailed analysis of FireChat, read this study (available only in English) from the University of Toronto's Citizen Lab.
There are inherent security risks to using Bluetooth. In general, whether or not one is using FireChat, having Bluetooth enabled can further expose one's phone to attacks, as well as give infiltrators a means to enumerate and identify connected phones among protesters. In fact, recent days have seen numerous reports of spyware attacks against protesters in Hong Kong.
While some of them are groundless, there are credible reports of widespread messages specifically crafted to lure Occupy Central and Hong Kong Student Strike protesters to download and install apps that appear designed to coordinate protests, while in fact they are spyware designed to record phone calls, steal emails, and capture contact lists, as well as track your geographical position.
One of these attacks was massively distributed over WhatsApp (see image left). Protesters should be cautious when receiving messages suggesting that they download and install applications, particularly if they did not request this.
While reports thus far suggest malware is being sent only via WhatsApp, it is plausible that similar attacks could be distributed through other means including forums and emails, as well as FireChat.
Recommendations for protesters
It is important that people in Hong Kong remain conscious of the potential ramifications of using communication and publishing apps and that they stay on the lookout for potential attacks. As protests intensify and as the government receives international pressure to reduce the intervention of police forces, computer and mobile attacks might increase in number.