I recently discovered the existence of Firechat when I heard that it was being used by thousands of protesters during the ongoing "Umbrella Revolution" in Hong Kong. Firechat is said to be a messaging app which, unlike WhatsApp, WeChat or TextSecure, can communicate from one device to another directly, without using any existing Internet connection.

Wireless has so much more to offer than just being a bridge to the Internet, especially now that the Internet is being more and more monitored. Wireless mesh networks offer an exciting alternative: a wild, disruptive and uncontrollable network. I love mesh networks, so I really wanted to know more about the Firechat app.

Firechat hands on

Firechat is developed by a start-up company called OpenGarden. This is not the first ad-hoc application they have developed, since they already provide an app called Open Garden enabling wireless multi-hop connectivity to the Internet. Firechat is their latest and most widely used product and is actually being used in Hong Kong. So let's try it!

Sadly, Firechat is not Free Software and is not Open Source either, so the only way to download it was either from Google Play (which I don't have) or to download the APK from a third party (which I don't recommend, for obvious security reasons). For the purpose of the test, I installed the APK and ran the application.

Second disappointment: a registration is necessary to start chatting and it requires an Internet connection. As shown on the three pictures above, it asks for a "Full Name" [ndlr: fix 06-10], a surname and an email address. The good thing is that there is no email verification mechanism, so you can just enter bullshit information and it is going to work. All communication in Firechat is public, so it is strongly advised to enter false information anyway.

Third disappointment: an error message appears each time I load the main window to warn me that I don't have the Google Play Services, which indeed I stripped from CyanogenMod (I try to be tracker-free and to only use free software). Despite the warning, the application still runs and the interface is then very simple; your chatroom list is divided into three parts:

Everybody/Nearby: chat with people nearby, either from Internet-based location (Everybody mode) or from Bluetooth-based physical connectivity (Nearby mode)

Joined rooms: the rooms you joined and in which you are participating

Firechats: a list of all the rooms

You can picture Firechat as an IRC server: there are a lot of people connected to it and you can create and join as many rooms as you want. Each time you join a new room, it will be added to your "Joined" set. I don't know if it is due to the absence of Google Play Services, but I didn't find a way to search for rooms, which is very inconvenient since there are thousands of different rooms and only ten are shown in the "Firechats" list.

Hence, the normal mode of communication of Firechat requires Internet. Every room is in fact hosted on the Firechat server and needs an Internet connection to communicate with. The Nearby room however is the exception, as it is dedicated to real physical co-location based on the Bluetooth and WiFi interfaces. I was a bit confused as to how the Everyone chatroom worked. Like the Nearby room, it allows you to communicate with people around you, but at a much larger scale. Based on your IP address, it will connect you with the users from the same country as you, which is inconvenient because if you use a VPN (like me) Firechat will connect you with the users whose IPs are in the same country as the far end of the tunnel.

Let's get our hands dirty and see how it works from a network point of view.

Firechat Nearby communication

Bluetooth

Obviously, the Nearby room is the most interesting, since it involves an original means of communication called "ad-hoc networks". Nearby communication requires either or both of the WiFi and Bluetooth interfaces to be turned on. Firechat does not enable the Bluetooth interface automatically, so it needs to be manually turned on and set visible to every device (by default it is only visible to paired devices). This can be done in the settings, as on the two following images:

Once Bluetooth is activated, Firechat creates two RFCOMM Bluetooth channels. From my laptop, I use the awesome blucat tool to scan and interact with the channels (like netcat, but for Bluetooth):

[root@archlinux:~] [sam. oct. 04 07:49:20] $ hciconfig hci0 up
[root@archlinux:~] [sam. oct. 04 07:49:20] $ blucat devices
Searching for devices
+, 3C8BFE5CD657, "nameless", Trusted:false, Encrypted:false
Found 1 device(s)
[root@archlinux:~] [sam. oct. 04 07:49:46] $ blucat services 3C8BFE5CD677
Listing all services
+, 3C8BFE5CD677, "nameless", Trusted:false, Encrypted:false
-, "Headset Gateway", "", btspp://3C8BFE5CD677:2
-, "Handsfree Gateway", "", btspp://3C8BFE5CD677:3
-, "AV Remote Control Target", "", btl2cap://3C8BFE5CD677:0017
-, "Advanced Audio", "", btl2cap://3C8BFE5CD677:0019
-, "", "", btl2cap://3C8BFE5CD677:0017
-, "Android Network Access Point", "", btl2cap://3C8BFE5CD677:000f
-, "MAP SMS/MMS", "", btgoep://3C8BFE5CD677:4
-, "MAP EMAIL", "", btgoep://3C8BFE5CD677:5
-, "OBEX Phonebook Access Server", "", btgoep://3C8BFE5CD677:19
-, "OBEX Object Push", "", btgoep://3C8BFE5CD677:12
-, "", "", btspp://3C8BFE5CD677:15
-, "FireChat", "", btspp://3C8BFE5CD677:6

Most of the channels are quite standard Android channels, except for the last two, which have been created by Firechat. I tried to connect to the last one, called FireChat, on Bluetooth port 6, but I was not able to get any response from the application, so I believe this is only a "beacon" to advertise the presence of a FireChat user to the neighborhood, or maybe it is used to create multi-hop routes; I don't really know.

The second channel, on Bluetooth port 15, is more interesting because this is where the communication takes place. So let's first connect to it using the following blucat -url command and see what happens when I send a message to the Nearby room from the Firechat application (in order to distinguish between sent and received messages, I append the [received] and [sent] tags):

[root@archlinux:~] [sam. oct. 04 07:50:58] $ blucat -url btspp://3C8BFE5CD677:15
[received] {"t": 246039.375, "uuid": "!'AX.]!F!+:KIGJO", "user": "plopinou", "msg": "Lorem ipsum", "firechat": "Nearby", "name": "plop"}

As we can see from above, first the Android phone interactively asks the user to accept the pairing; once that is done, every message sent from the Firechat app is sent over the Bluetooth channel on port 15 to every paired device. So when I sent the "Lorem Ipsum" message from the Firechat app, I received a string in blucat which we recognize as JSON describing the following data:

t: timestamp in seconds

uuid: a unique identifier for the message (probably an armored hash)

user: the full name [ndlr: fix 06-10] of the user

msg: the message to be sent to the room

firechat: the name of the chatroom

name: the surname

Most interestingly, it is pretty easy to communicate with the Firechat Nearby room from a Linux computer using blucat, by sending a JSON-formatted string. Let's send the following string in blucat and see what happens:

$ blucat -url btspp://3C8BFE5CD677:15
[...]
[sent] {"t": 246040.0, "uuid": "123456", "user": "teletrollix", "msg": "trololo", "firechat": "Nearby", "name": "generalol"}

From the screenshot, the Firechat app displays the "trololo" message sent from the user "teletrollix", who goes by the name "generalol". I tried sending ridiculously long strings and there doesn't seem to be any limit on the size of the string we can send.
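As an added example (not Firechat's or the post's own code), here is a Python receiver for the Nearby message format described above that validates what comes in over the untrusted RFCOMM channel and enforces a size cap, since the app accepts strings of any length; the field names come from the captures, the limits are assumed.

```python
import json

# Field names observed on Firechat's Bluetooth RFCOMM channel (from the blucat captures
# above); the value limits and the validation logic are this example's own assumptions.
REQUIRED_FIELDS = {"t", "uuid", "user", "msg", "firechat", "name"}
MAX_MSG_LEN = 2000        # assumed cap; the app itself accepted arbitrarily long strings
MAX_NAME_LEN = 64

def build_nearby_message(t, uuid, user, name, msg, room="Nearby"):
    """Serialise a message in the same JSON shape the app emits over RFCOMM."""
    return json.dumps({"t": t, "uuid": uuid, "user": user, "msg": msg,
                       "firechat": room, "name": name})

def parse_nearby_message(raw):
    """Parse one JSON object received from an untrusted Bluetooth peer.
    Returns (message_dict, None) or (None, reason) so the caller can drop bad input
    instead of displaying it, which is what a hardened receiver should do."""
    try:
        obj = json.loads(raw)
    except ValueError:
        return None, "not valid JSON"
    if not isinstance(obj, dict):
        return None, "not a JSON object"
    missing = REQUIRED_FIELDS - set(obj)
    if missing:
        return None, "missing fields: " + ", ".join(sorted(missing))
    for key in ("uuid", "user", "msg", "firechat", "name"):
        if not isinstance(obj[key], str):
            return None, f"{key} is not a string"
    if not isinstance(obj["t"], (int, float)):
        return None, "t is not a number"
    if len(obj["msg"]) > MAX_MSG_LEN:
        return None, "msg exceeds size limit"
    if len(obj["user"]) > MAX_NAME_LEN or len(obj["name"]) > MAX_NAME_LEN:
        return None, "user/name exceeds size limit"
    return obj, None

# Constructed samples: the message sent from blucat in the post, plus an oversized one.
SAMPLE_OK = '{"t": 246040.0, "uuid": "123456", "user": "teletrollix", "msg": "trololo", "firechat": "Nearby", "name": "generalol"}'
SAMPLE_HUGE = build_nearby_message(246041.0, "abc", "teletrollix", "generalol", "A" * 5000)

if __name__ == "__main__":
    for raw in (SAMPLE_OK, SAMPLE_HUGE):
        msg, err = parse_nearby_message(raw)
        print("accepted" if msg else f"dropped: {err}")
```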

A funny thing is that every message sent from the application to any room is forwarded over Bluetooth as well. So don't expect a room to be private: even if there are only two of you in it, every message you send to the room is forwarded to the Bluetooth users. For instance, if I create a room "hdhdusuwhwhsudusbshsiw" and send the message "plop" from the Firechat app, it appears in the blucat log!

$ blucat -url btspp://3C8BFE5CD677:15
[...]
[received] {"t": 254533.78125, "uuid": "=G95udh9s}#uhE", "user": "plopinou", "msg": "Plop", "firechat": "hdhdusuwhwhsudusbshsiw", "name": "plop"}

Now, what happens if I send a message using blucat to a random channel: will it be forwarded by the application over the Internet to every user? Well, even though the message does appear in the room in the Firechat app, it is not forwarded to the Internet. Take another example: from the Firechat app I send the "Hey Joe" message, and then from Linux, using blucat, I send the message "IMPOSSIBRU" to the room "Everyone":

$ blucat -url btspp://3C8BFE5CD677:15
[...]
[received] {"t": 246494.15625, "uuid": "zn4!Q#4S~#X5,-mQ", "user": "plopinou", "msg": "Hey joe", "firechat": "Everyone", "name": "plop"}
[sent] {"t": 246500.0, "uuid": "jhzfjff", "user": "teletrollix", "msg": "IMPOSSIBRU", "firechat": "Everyone", "name": "generalol"}

From the previous image we understand the following things:

The Firechat app does not forward messages received from the Internet to Bluetooth: blucat did get the "Hey Joe" message but didn't get Chun Lam's message "Hi".

A message sent by Bluetooth to a random chatroom does appear in the Firechat app (the IMPOSSIBRU message).

Is it forwarded to the Internet users?

To be sure, I used Wireshark to try to understand how the Firechat app communicates with its server, and that's where I discovered two interesting things.

Firechat Server

Using Wireshark and filtering on the IP of my Android phone, I was able to determine that Firechat is sending messages to two different IPs:

239.192.0.0

209.237.236.194

From the first IP, I understand that Firechat is also looking to create bonds between WiFi devices. It periodically sends UDP packets to the multicast address 239.192.0.0 and also forwards messages there, just as it does over Bluetooth. So not only is every message forwarded over Bluetooth, it is also forwarded over WiFi!

This is actually quite clever if we assume that every message has to be public, but I find it hard to swallow that they ask users to provide a Full Name [ndlr: fix 06-10] given how widely it is broadcast and how easy it is to intercept.

Let's keep going: the second IP is actually the Firechat server, and messages are sent through an SSL connection to port 4176. And now comes the big surprise: if I simply connect to this IP using OpenSSL, plenty of messages start raining down:

[nameless@archlinux:~] [sam. oct. 04 08:48:06] % openssl s_client -host 209.237.236.194 -port 4176
CONNECTED(00000004)
depth=0 C = US, ST = California, L = San Francisco, O = "Open Garden, Inc", CN = firechat.opengarden.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "Open Garden, Inc", CN = firechat.opengarden.com
verify return:1
[... OpenSSL connection log messages ...]
{"firechat": "Everyone", "t": 33.188826, "name": "Dhiraj Chainani", "user": "themagicalteddy", "msg": "this is cool", "uuid": "K@)&:6p3]t%xW#{p", "loc": "Singapore", "st": 1412402798}
{"t": 247027.21875, "name": "plop", "uuid": "*y7H[:hScJ43&X>d", "user": "plopinou", "msg": "It is", "firechat": "Everyone", "loc": "Singapore", "st": 1412402856}
{"t": 72723.0703125, "name": "Lance Wong", "uuid": "[Q$|p6fwHJ<:(bE=", "user": "lancey", "msg": "hello", "firechat": "Everyone", "loc": "Singapore", "st": 1412402869}
{"loc": "Woodlands", "firechat": "Everyone", "t": 488.515361, "name": "Eugene", "user": "cybercat", "msg": "Wat make u cool", "uuid": "a7!^x_Nvn<(1,Md;", "st": 1412402888}
{"t": 247153.59375, "name": "plop", "uuid": ">BC.y4iS.poVSa,S", "user": "plopinou", "msg": "It just is", "firechat": "Everyone", "loc": "Singapore", "st": 1412402982}
{"t": 247672.375, "name": "plop", "uuid": "v:t{qA|@Y}Gn? <+", "user": "plopinou", "msg": "LOREM IPSUM", "firechat": "Everyone", "loc": "Singapore", "st": 1412403501}
{"t": 248317.859375, "name": "plop", "uuid": ".qdWMiU%^IA,G}~u", "user": "plopinou", "msg": "Anybody ?", "firechat": "Everyone", "loc": "Singapore", "st": 1412404146}
{"t": 4886.49169921875, "name": "MeeSiamMaiHum", "uuid": "[Y$S ?-yW(b-g1gL", "user": "maihum", "msg": ":-)", "firechat": "Everyone", "loc": "Singapore", "st": 1412404580}
{"name": "Lim Chee Aun", "t": 101.390309, "uuid": "y%VV+CJl5*b<", "msg": "Test", "firechat": "Everyone", "user": "cheeaun", "loc": "Singapore", "st": 1412404734}
{"name": "Valerie", "t": 25.014198, "uuid": "'DYJkO9s.{}ax}", "msg": "ðððð", "firechat": "Everyone", "user": "lerie86", "loc": "Singapore", "st": 1412404860}

As we can see from the image above:

Every message sent to the room "Everyone" is easily intercepted just by connecting to the server with OpenSSL.

Messages sent by Bluetooth to the "Everyone" room of a Firechat app are not forwarded to the Internet (see how the messages from generalol are not received on the SSL connection).
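Both Firechat endpoints seen in the Wireshark capture (the multicast group and the server on port 4176) give a network defender a simple way to spot Firechat activity in flow logs. This is an added example, not code from the post; the flow-line format is constructed for it and does not correspond to any real exporter.

```python
import re
from collections import defaultdict

# Endpoints observed in the Wireshark capture above. The flow-line format below is
# constructed for this example; it is not what Wireshark or a NetFlow exporter emits.
FIRECHAT_MULTICAST = ("udp", "239.192.0.0")
FIRECHAT_SERVER = ("tcp", "209.237.236.194", 4176)

FLOW_RE = re.compile(r"^(?P<proto>udp|tcp) (?P<src>[\d.]+):(?P<sport>\d+) > "
                     r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<bytes>\d+)$")

def classify_flow(line):
    """Return 'mesh' (LAN multicast forwarding), 'server' (SSL feed) or None."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    proto, dst, dport = m["proto"], m["dst"], int(m["dport"])
    if (proto, dst) == FIRECHAT_MULTICAST:      # multicast port is not matched: not on the page
        return "mesh"
    if (proto, dst, dport) == FIRECHAT_SERVER:
        return "server"
    return None

def firechat_hosts(lines):
    """Map each internal source host to the Firechat behaviours seen from it, so a
    host that broadcasts on the LAN can be told apart from one only talking to the server."""
    seen = defaultdict(set)
    for line in lines:
        kind = classify_flow(line)
        if kind:
            seen[FLOW_RE.match(line.strip())["src"]].add(kind)
    return {host: sorted(kinds) for host, kinds in seen.items()}

# Constructed sample flows: two Firechat users, one mDNS talker, one plain HTTPS client.
SAMPLE_FLOWS = """\
udp 192.168.1.20:41234 > 239.192.0.0:4176 180
tcp 192.168.1.20:50123 > 209.237.236.194:4176 2048
tcp 192.168.1.21:50124 > 209.237.236.194:4176 512
udp 192.168.1.22:5353 > 224.0.0.251:5353 90
tcp 192.168.1.23:44321 > 93.184.216.34:443 3000
""".splitlines()

if __name__ == "__main__":
    for host, kinds in sorted(firechat_hosts(SAMPLE_FLOWS).items()):
        print(host, kinds)
```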

Both my Android phone and my laptop are connected to the Internet through my broadband modem. If I now configure both of them to use my VPN in order to reach the Internet from France, we then receive messages from French people:

[nameless@archlinux:~] [sam. oct. 04 08:48:06] % openssl s_client -host 209.237.236.194 -port 4176
[... OpenSSL connection log messages ...]
{"firechat": "Everyone", "t": 2329.514754, "name": "Jbmdb", "user": "jbmdb13", "msg": "Tu as instagram ?", "uuid": "q$){>5=xx_f0)oK%", "loc": "Martigues", "st": 1412404607}
{"loc": "Saint-Paulien", "firechat": "Everyone", "t": 514.790329, "name": "Morgane", "user": "morgane17", "msg": "Non dsl", "uuid": "u+Fo32Txr%n,5bB{", "st": 1412404634}
{"name": "Bastian", "t": 493.515672, "uuid": "bzk&jZEmZR($", "msg": "Slt tlm", "firechat": "Everyone", "user": "bastain37", "loc": "Amboise", "st": 1412404770}
{"firechat": "Everyone", "t": 2493.639984, "name": "Jbmdb", "user": "jbmdb13", "msg": "Ouki ni snap je pari ?", "uuid": "Q>2nQxbGNW`KF@n", "loc": "Martigues", "st": 1412404771}
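The two feeds above arrive from the server as back-to-back JSON objects with no delimiter, and each object carries a name, a username and a location. As an added example (not the post's own code), here is a parser for that stream plus an exposure report showing what a passive listener learns; the sample feed is constructed with made-up values in the captured layout.

```python
import json
from collections import Counter

# Fields seen in the server feed above that tie a message to a person or place;
# treating them as identifying is this example's own choice, not something the app documents.
IDENTIFYING_FIELDS = ("name", "user", "loc")

def iter_json_stream(text):
    """Yield JSON objects from a stream of back-to-back objects with no delimiter,
    which is how the feed arrives on port 4176 (as in the openssl output above).
    Stops at the first undecodable chunk and leaves it unparsed."""
    decoder = json.JSONDecoder()
    pos = 0
    while True:
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if pos >= len(text):
            return
        try:
            obj, end = decoder.raw_decode(text, pos)
        except ValueError:
            return
        yield obj
        pos = end

def exposure_report(text):
    """Summarise what an eavesdropper learns from a captured feed: message count, how
    many messages carry each identifying field, and the distinct (name, user, loc) triples."""
    msgs = list(iter_json_stream(text))
    per_field = Counter(f for m in msgs for f in IDENTIFYING_FIELDS if m.get(f))
    identities = sorted({tuple(m.get(f) or "" for f in IDENTIFYING_FIELDS) for m in msgs})
    return {"messages": len(msgs), "per_field": dict(per_field), "identities": identities}

# Constructed sample modelled on the captured feed (values made up, same field layout).
SAMPLE_FEED = (
    '{"firechat": "Everyone", "t": 33.18, "name": "Alice Example", "user": "alice1", '
    '"msg": "this is cool", "uuid": "K@)&:6p3", "loc": "Singapore", "st": 1412402798} '
    '{"t": 247027.2, "name": "plop", "uuid": "*y7H[:hS", "user": "plopinou", '
    '"msg": "It is", "firechat": "Everyone", "loc": "Singapore", "st": 1412402856} '
    '{"t": 1.0, "name": "", "uuid": "zz", "user": "nameless", "msg": "hi", '
    '"firechat": "Everyone", "st": 1412402900}'
)

if __name__ == "__main__":
    print(json.dumps(exposure_report(SAMPLE_FEED), indent=2))
```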

Conclusion

Wireless devices such as Bluetooth or WiFi have so much more to offer than just providing a mobility area to the Internet. It is good news to see applications like FireChat popularising this exciting communication paradigm. However, in its current state FireChat suffers from several flaws that make it unsuitable for an event like the "Umbrella Revolution". First, the application is closed source and its internal mechanisms are pretty difficult to understand at first. It is hard to fully comprehend whether a message goes public or stays local. The lack of information regarding this matter makes it irresponsible to ask users to fill in their full name before using the application.

During this study, we stressed that not only is every message sent broadcast locally (over both Bluetooth and WiFi) regardless of the room, but we also showed how easy it was to intercept and send information from/to Firechat users. Given the political context of the Umbrella Revolution, I would advise people to stop using Firechat, or at least to avoid leaking any information that could be linked to their real identity.