Researchers at Citizen Lab have taken a close look at the extent of Internet filtering in Iraq, as well as the security of a popular offline chat app used there, and found an increase in the number of services blocked by the government and identified serious privacy and security problems with the chat app.
As tensions in Iraq began to rise earlier this year, the government began to filter large parts of the Internet content in the country, preventing users from reaching sites such as Facebook, Twitter and many more. The filtering was done at the ISP level, and Citizen Lab reported in June that about 20 URLs were blocked. The group, based at the University of Toronto, recently looked at the filtering landscape there again, and, in a new report published Thursday, found that the number of URLs being blocked is increasing and now includes popular Arab news sites.
Sites belonging to Al-Jazeera and Al Arabiya have been blocked at various times in the last few weeks, the researchers found. And the filtering of social networks, which was dropped at one point, has now been restored.
“Our most recent round of testing identified a total of 6 new URLs which we had not identified as filtered in our June 2014 report. In addition to Al-Arabiya and Al-Jazeera, we also identified four new URLs (herakiq.com, iraqislami.own0.com, muslm.org and hanein.info) that are blocked,” the new report says.
In the face of the widespread Internet filtering and monitoring in the country, Iraqi users have been looking for alternative methods of communication. One app that’s gained a lot of adherents in Iraq is FireChat, which is billed as an off-the-grid messaging app that enables users to communicate with nearby peers without an Internet connection. The app utilizes Bluetooth and the Apple Multipeer Connectivity network on iOS devices to allow users to conduct chats. The developers of the app don’t advertise it as a secure or private alternative to other messaging apps.
Users have the ability to create small, local chat rooms or send messages that anyone can see. Citizen Lab’s researchers scrutinized the security and privacy aspects of FireChat and found that all of the messages users send are transmitted unencrypted and a malicious user near target could read any of the target’s messages.
“The chat model of FireChat focuses on anonymity at the expense of confidentiality. Throughout the application we see no encryption used, which makes the service inappropriate for sending sensitive communications,” the report says.
FireChat does not perform any authentication of users and only prompts them to enter a username during startup. It then generates a unique user ID for each message that a user sends. However, despite the anonymity, there are still elements of the FireChat app that could put users at risk of identification.
“Users may or may not have an expectation that their communications are encrypted, as there is no user authentication and the service uses pseudonyms. However, it should be assumed that any message sent through the application can be read by anyone in the target range. This can occur whether or not you see other users in the ‘Nearby’ channel, as the Bluetooth packets themselves are unencrypted. In addition, network operators (such as an ISP or mobile provider) can see both the message content and IP address, which can be tied to a user’s real name and subscriber information,” the report says.
FireChat also stores all of the messages that a user sends and receives in an unencrypted folder on the user’s device. So if an attacker or other adversary gets access to the device, all of the messages would be accessible.
“This includes conversations in the ‘Everyone’, ‘FireChats’ as well as the ‘Nearby’ Bluetooth mode. This means that if someone’s phone is physically examined then all prior chats including those made offline are trivial to retrieve,” Citizen Lab’s report says.
Citizen Lab’s researchers said that they worry that the unstable environment in Iraq and other places can lead users to make bad choices about which tools and communication methods to use.
“The events since our last post on this subject show that access to information in Iraq remains highly contested. As stable access to Internet content — and indeed the Internet itself — remains in flux, users are understandably seeking out alternative
means of communication and access to information. However, in such a chaotic context poor choices can be made on the basis of incomplete information and users can end up putting themselves unintentionally at greater risk by hastily seeking to evade information controls. The rising popularity of FireChat in Iraq is a case in point: the tool is functionally insecure, something even the developers have admitted, and yet users are flocking to it,” the report says.