FireChat’s revolutionary use will not be revolutionary for long

FireChat, the mobile phone app that allows users to communicate directly with each other through Bluetooth and Wi-Fi instead of through the existing telecoms network, has demonstrated its usefulness in Hong Kong recently.

Besides providing connectivity when phone networks are congested, circumventing censorship is another reason for the protesters to establish their own means of networking. The FireChat app has found a use for similar reasons in countries such as Taiwan, Iran, and Syria. For the moment, it appears the authorities have not implemented a way of effectively controlling or affecting people’s use of FireChat. As long as this is the case, it’s likely to remain popular.

In relatively small groups of people who know each other, this kind of communication works really well. The peer-to-peer structure means no centralised infrastructure (such as the internet, or telecoms networks) is necessary. Sending every message you see to everyone you can see (“flooding”) also avoids having to find out where any particular participants are.
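The flooding scheme described above, as an added simulation that is not FireChat's code: the six-device mesh, the out-of-range device `g` and the duplicate suppression (a device forwards a message only the first time it sees it) are assumptions made for illustration.

```python
from collections import deque

# Constructed topology: who is within radio range of whom. "g" is out of range.
MESH = {
    "a": ["b", "c"],
    "b": ["a", "c", "d"],
    "c": ["a", "b", "e"],
    "d": ["b", "e", "f"],
    "e": ["c", "d", "f"],
    "f": ["d", "e"],
    "g": [],
}

def flood(mesh, origin):
    """Flood one message from origin; return ({device: hops}, transmissions)."""
    hops = {origin: 0}            # devices that have seen the message so far
    transmissions = 0
    queue = deque([origin])
    while queue:
        node = queue.popleft()
        for peer in mesh[node]:   # send to everyone in range, no routing table
            transmissions += 1
            if peer not in hops:  # assumed duplicate suppression
                hops[peer] = hops[node] + 1
                queue.append(peer)
    return hops, transmissions

def total_transmissions(mesh, senders):
    """Radio transmissions needed when each sender posts one message."""
    return sum(flood(mesh, s)[1] for s in senders)

if __name__ == "__main__":
    hops, cost = flood(MESH, "a")
    print("reached:", hops)
    print("transmissions for one message:", cost)
    print("one message from each of a-f:", total_transmissions(MESH, "abcdef"))
```

Every message costs the same number of transmissions wherever it starts, so the traffic each device handles grows in step with the total number of messages posted. A device outside radio range of the mesh receives nothing.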

However, the history of the growth of the internet tells us that unstructured broadcast chat does not scale well to larger groups. It’s no coincidence that Usenet, the hierarchical structure of forum-like newsgroups that predated widespread use of the world wide web, was overtaken by the web as the internet medium of choice – at a time when there were so many posts that readers either could not keep up, or too many sub-groups were created. The first internet bridge club ran essentially from a single shared chatroom, until the number of users went from a few hundred to many thousands. Text-based, multi-player internet games required privilege systems and moderators to keep their chat facilities usable even when the number of users was well below 100.

This all points to one obvious attack on FireChat communications: the use of “noise” to drown out genuine communication, in a way analogous to a denial of service attack on a website. FireChat has only half-hearted authentication: it asks for a genuine name and email address on registration, but makes no effort to check. So it’s easy to generate many accounts to produce an arbitrary amount of noise to drown out the signal.

To address some of the noise issues in the FireChat rooms, the latest version 3.0.0 introduces “moderation”. This is ultimately counter-productive, as it re-introduces a point of centralisation when the app’s selling point was its distributed nature. In fact, a system of proper authentication would have had to find a way around the same issue: to meet the app’s promise of providing a fully separate, ad-hoc peer-to-peer network, FireChat cannot fall back on a central database of usernames and passwords.

Other active and passive attacks are possible. Messages sent by FireChat are not encrypted, so they can be easily intercepted with or without the app, or even modified in transit. The app’s developers, OpenGarden, admit as much: “Please note that FireChat is not meant for secure or private communications.” This may be the honest truth, but it also undermines the “secret web” hype the app has received.

It’s clear that mesh networks and the iPhone’s Multipeer Connectivity Framework, which introduces the same functionality to iOS, will lead to brilliant new applications. Meanwhile FireChat has its issues, some of them easier to resolve than others. In the end this may not matter.

Another lesson from computing history is that the most sophisticated or secure technology does not always win in the long run. For uses like the recent one in Hong Kong, the obvious flaws of FireChat do not matter so long as the authorities are not trying to exploit them. Even then, by the time they do, FireChat may have served its purpose. As in writer Cory Doctorow’s Little Brother, the “subversives” only ever need to be one step ahead in technology.

Research and contributions to this article from Oliver Florence, studying cybersecurity at the University of Kent.