I don’t consider myself exceptional in any regard, but I stumbled upon a few cryptography vulnerabilities in Matrix’s Olm library with so little effort that it was nearly accidental.

It should not be this easy to find these kind of issues in any product people purportedly rely on for private messaging, which many people evangelize incorrectly as a Signal alternative.

Later, I thought I identified an additional vulnerability that would have been much worse, but I was wrong about that one. For the sake of transparency and humility, I’ll also describe that in detail.

This post is organized as follows:

Disclosure Timeline
Vulnerabilities in Olm (Technical Details)
Recommendations
Background Information
An Interesting Non-Issue That Looked Critical

I’ve opted to front-load the timeline and vulnerability details to respect the time of busy security professionals.

Please keep in mind that this website is a furry blog, first and foremost, that sometimes happens to cover security and cryptography topics.

Many people have, over the years, assumed the opposite and commented accordingly. The ensuing message board threads are usually is a waste of time and energy for everyone involved. So please adjust your expectations.

Element: "Yes, we fund Matrix dev by selling encrypted messaging to governments, which includes police: if you don’t like that then please feel free to use a different app."

European authorities took down another sophisticated encrypted messaging app that was a hub for criminals, Europol said.

European authorities have taken down a messaging app called Matrix, describing it as a service “made by criminals for criminals”.

Matrix was a sophisticated encrypted messaging service that Dutch authorities discovered on the phone of a criminal who murdered a Dutch journalist in 2021, Europol, the EU's law enforcement agency, said in a statement.

By Oceane Duboust
Published on 04/12/2024 - 18:15 GMT+1
Share
Comments
European authorities took down another sophisticated encrypted messaging app that was a hub for criminals, Europol said.

European authorities have taken down a messaging app called Matrix, describing it as a service “made by criminals for criminals”.

Matrix was a sophisticated encrypted messaging service that Dutch authorities discovered on the phone of a criminal who murdered a Dutch journalist in 2021, Europol, the EU's law enforcement agency, said in a statement.
Related

Three men found guilty of killing Dutch investigative journalist

It was accessible by invitation only with 40 servers in multiple countries, Europol said.

A six-month subscription, costing between €1,300 and €1,600, gave access to video calls, tracking transactions, and anonymous use of the internet.

Authorities intercepted and monitored the messaging service for three months, deciphering over 2.3 million messages in 33 languages, according to the agency.

“The messages that were intercepted are linked to serious crimes such as international drug trafficking, arms trafficking, and money laundering,” Europol said.

The operation involved authorities from the Netherlands, France, Lithuania, Italy, and Spain.

Authorities seized €145,000 in cash and half a million euros in cryptocurrencies, Dutch police said.

Criminals are using both “legitimate” messaging services using end-to-end encryption as well as cybercriminal forums and marketplaces, according to Europol’s Internet Organised Crime Threat Assessment (IOCTA).

The move to take down Matrix comes after the dismantling of similar services such as Ghost, Exclu, and EncroChat in recent years.

“Criminals use a larger number of smaller service providers and deploy more complex technology,” Dutch police said, adding that “serious criminals wrongly believe that they can still operate in secret”.

The cross-border operation included actions in four countries. Arrests occurred in France and Spain. Houses were searched in Lithuania and the main servers were taken down in France and Germany.