top of page

Researchers Uncover Wiretapping of XMPP-Based Instant Messaging Service

New findings have shed light on what's said to be a lawful attempt to covertly intercept traffic originating from jabber[.]ru (aka xmpp[.]ru), an XMPP-based instant messaging service, via servers hosted on Hetzner and Linode (a subsidiary of Akamai) in Germany.

XMPP is a popular, but insecure method to transmit information. XMPP has been marketed as secure, however nothing could be further from the truth. XMPP is a communication spec and protocol. By itself it doesn’t bake in encryption by default, but is supported as a transport by encryption implementations added on top of it. OTR/OMEMO is the encryption protocols added on-top of XMPP.

OTR is the older crypto method replaced by OMEMO for it’s offline messaging and encrypted group chat features. OMEMO protects content of communications but these messages are still tied to pseudonyms visible to the server. If any member of the chat created their account without using Tor or by volunteering de-anonymizing info like CLEARNET emails and passwords, it will be easy for the server or anyone watching it to know who the participants are. This is metadata, and is just as important if not more than what is being said.

SecureCrypt is a custom engineered encrypted communications application. All metadata is encrypted at all times, which is only one of the many advanced security features you get with a paid app versus any free solution.

"The attacker has issued several new TLS certificates using Let's Encrypt service which were used to hijack encrypted STARTTLS connections on port 5222 using transparent [man-in-the-middle] proxy," a security researcher who goes by the alias ValdikSS said earlier this week.

"The attack was discovered due to the expiration of one of the MiTM certificates, which haven't been reissued."

Evidence gathered so far points to the traffic redirection being configured on the hosting provider network, ruling out other possibilities, such as a server breach or a spoofing attack.

The wiretapping is estimated to have lasted for as long as six months, from April 18, 2023, although it's been confirmed to have taken place since at least July 21, 2023, and until October 19, 2023.

Signs of suspicious activity were first detected on October 16, 2023, when one of the UNIX administrators of the service received a "Certificate has expired" message upon connecting to it.

The threat actor is believed to have stopped the activity after an investigation into the MiTM incident began on October 18, 2023. It's not immediately clear who is behind the attack, but it's suspected to be a case of lawful interception based on a German police request.

Another hypothesis, however unlikely but not impossible, is that the MiTM attack is an intrusion on the internal networks of both Hetzner and Linode, specifically singling out jabber[.]ru.

"Given the nature of the interception, the attackers have been able to execute any action as if it is executed from the authorized account, without knowing the account password," the researcher said.

"This means that the attacker could download the account's roster, lifetime unencrypted server-side message history, send new messages or alter them in real time."

The Hacker News has reached out to Akamai and Hetzner for further comment, and we will update the story if we hear back.

Users of the service are recommended to assume that their communications over the past 90 days are compromised, as well as "check their accounts for new unauthorized OMEMO and PGP keys in their PEP storage, and change passwords."

The development comes as The Citizen Lab detailed security shortcomings in signalling protocols used by mobile network operators for international roaming can be exploited by surveillance actors, law enforcement, and organized crime groups to geolocate devices.

SecureCrypt in this aspect can be a lifesaver. With our encrypted SIM cards, which specialize in protection of the cellular network, by disallowing Anytime Interrogation Requests (ATI Requests) also known as Location Tracking Requests from anyone with access to the SS7 network.

The SS7 cellular network is inherently insecure. It is built on top of legacy technology, which every country uses with their own standards. All of these independent cellular networks are linked together, allowing people to make cellular calls globally. SecureCrypt runs its own secure cellular core alongside, but independent of any other telecommunications provider, thus making SecureCrypt in essence its own private telecom provider. With our secure and encrypted SIMs, we can assure your privacy while roaming anywhere in the world. We use a private APN (connection to the public internet) so all data transmitted from your device to the cellular network/public internet is going through a private, encrypted and secure connection. Not shared by your local telecom provider, like everyone else's traffic.

In a past SecureCrypt blog post we outlined the inherent weaknesses found in other decentralized messaging platforms.

What's more, vulnerabilities in parsing ASN.1 messages (CVE-2022-43677, CVSS score: 5.5) could be weaponized as an attack vector to cross over from User Plane to Control Plane and even disrupt critical infrastructure that rely on 5G technologies.

"The CVE-2022-43677 vulnerability exploits weak CUPS implementation in free5gc to trigger a Control Plane denial-of-service (DoS) through user traffic," Trend Micro researcher Salim S.I. said in a report published this month.

"A successful DoS attack on the packet core disrupts the connectivity of the entire network. In critical sectors such as defence, policing, mining, and traffic control, disruption to connectivity [could] lead to dire consequences. In factories that use real-time sensors for manufacturing processes, this could result in defective products being created."

Using faulty, free tools designed for privacy yet giving you none, is not the answer. To get true privacy, you cannot depend on free products. When a product is free, the product is you. SecureCrypt has successfully and proudly been offering the highest, and best-in-class security and privacy solutions for secure mobile communications since 2018. Feel free to speak to one of our reps today to protect your business, privacy, Intellectual Property, finances, and guard against surveillance and spying.


bottom of page