What Protesters in Hong Kong (and Anywhere Else) Should Know About FireChat

Cartoon by Matt Bors for Storymaker.cc (CC BY-NC-SA 2.0).

Nathan Freitas and Oiwan Lam contributed to this article.

On Monday, September 29, social media enthusiasts and western media outlets unleashed a flurry of stories about pro-democracy protesters in Hong Kong using the chat app FireChat. Although it appears that many of these accounts exaggerated the popularity of the app, activists and security researchers close to the situation believe it is important to make public information about what the app is — and what it is not.

First off, FireChat is not a messaging app. FireChat is a chatroom, a platform to send insecure and public messages to people over the Internet or within your geographical vicinity.

Once installed, the app requires the user to sign up with her real name (which will be pre-filled with the name she eventually configures on her iOS or Android phone), a username and an email address. Once logged in, a user can either join online chatrooms, create new ones, or start directly sending messages to everyone in her vicinity who is also connected to FireChat. These direct messages relay from one phone to another through Bluetooth technology. Thus, when rumor had it that authorities planned to shut down mobile networks, FireChat was advertised as a way to chat while “off-the-grid,” as it doesn't necessarily require an Internet connection.

There are many misconceptions afoot about the capacity, privacy and security of FireChat, so let's get it straight: 

FireChat is not secure. It is not designed to preserve user privacy, or the security and confidentiality of user messages.

FireChat has no system for user authentication. If messages are sent from an apparent prominent name (for example, protest coordinators or reporters), there is no way to verify their legitimacy. An attacker could easily impersonate a prominent individual and either spread false information or spread links to download and install spyware. This has already happened to local activists on several occasions over the past few weeks.

Security researchers familiar with the technology recommend that activists not use their real names and avoid sending messages with information that is private or sensitive. Remember that there may be infiltrators among the protesters collecting messages through FireChat, which are both stored on your device and sent over the network unencrypted. For more detailed analysis of FireChat, read this study (available only in English) from the University of Toronto's Citizen Lab.

There are inherent security risks to using Bluetooth. In general, whether or not one is using FireChat, having Bluetooth enabled can further expose one's phone to attacks, as well as give infiltrators a means to enumerate and identify connected phones among protesters. In fact, recent days have seen numerous reports of spyware attacks against protesters in Hong Kong.

While some of them are groundless, there are credible reports of widespread messages specifically crafted to lure Occupy Central and Hong Kong Student Strike protesters to download and install apps that appear designed to coordinate protests, while in fact they are spyware designed to record phone calls, steal emails, and capture contact lists, as well as track your geographical position.

One of these attacks was massively distributed over WhatsApp (see image left). Protesters should be cautious when receiving messages suggesting that they download and install applications, particularly if they did not request this.

While reports thus far suggest malware is being sent only via WhatsApp, it is plausible that similar attacks could be distributed through other means including forums and emails, as well as FireChat.

Recommendations for protesters 

Experts from The Tibet Action Institute have developed the CyberSuperHero security toolkit, available in Chinese and English, that protesters and digital activists should look to for help with both mobile and fixed line Internet connections. They have also prepared for Global Voices this simple set of tips:
 
1. Don't tap on unexpected links sent via SMS, Bluetooth or group chat broadcast messages from unknown sources.
 
2. If you don't need your phone to be connected, set it to airplane mode – you can still take pictures, etc, but it will be harder for you to be tracked or spammed.
 
3. Make sure to set a PIN or password on your phone, in case you are detained or it is stolen. It will help protect any data related to your friends, groups, networks.

It is important that people in Hong Kong remain conscious of the potential ramifications of using communication and publishing apps and that they stay on the lookout for potential attacks. As protests intensify and as the government receives international pressure to reduce the intervention of police forces, computer and mobile attacks might increase in number.
