Firechat and Nearby Communication
Firechat and Nearby Communication
By https://twitter.com/9B22EB34 / breizh-entropy.org

I recently discovered the existence of Firechat when I heard that it was being used by thousands of protester during the ongoing "Umbrella Revolution" in Hong Kong. Firechat is said to be a messaging app which, unlike whatsapp wechat or TextSecure, can communicate from one device to another directly, without using any existing Internet connection.

Wireless has so much more to offer than just being a bridge to the Internet, especially right now where it is being more and more monitored. Wireless mesh networks offer an exiting alternative: a wild, disruptive and uncontrollable network. I love mesh network so I really wanted to know more about the Firechat app.

Firechat hands on

Firechat is developped by a start-up company called OpenGarden. This is not the first ad-hoc application they developed since they already provided an app called Open Garden enabling wireless multi-hop connectivity to the Internet. Firechat is their last and most widely used product and is actually being used in Hong Kong. So let's try it !

Sadly, Firechat is not Free Software and is not Open Source neither so the only way to download it was either from the GooglePlay (which I don't have) or to download the apk from a third party (which I don't recommand for obvious security reason). For the purpose of the test, I installed the APK and ran the application.

  

Second disapointment, a registration is necessary to start chatting around and it requires an Internet connection. As shown on the three pictures above, it asks for the "Real Name" "Full Name" [ndlr: FIX 06-10], a surname and an email address. The good thing is that there is no email verification mechanism so you can just enter bullshit information and it is going to work. All the communication in Firechat are public so it is strongly advised to enter false information anyway.

  

Third disapointment, an error message appears each time I load the main window to warn me that I don't have the Google Play Services which indeed I stripped from CyanogenMod (I try to be tracker-free and to only use free software). Despite of the warning, the application still runs and the interface is then very simple, your chatroom list is divided into three parts:

  • Everybody/Nearby: chat with people nearby, either from Internet based location (Everybody mode) or from bluetooth-based physical connectivity (nearby mode)
  • Joined rooms: the room you joined and for which you are participating
  • Firechats: a list with all the room

You can picture Firechat as an IRC server, there is a lot of people connected to it and you can create and join as many room as you want. Each time you join a new room, it will be added into your "Joined" set. I don't know if it is due to the absence of Google Play Service, but I didn't find a way to search for room which is very inconvenient since there are thousands of different rooms and only ten are being shown on the "Firechats" list.

Hence, the normal mode of communication of Firechat requires Internet. Every room are in fact hosted on the Firechat server and need an Internet connection to communicate with. The Nearby room however is the exception as it is dedicated for real physical colocation based on the bluetooth and the WiFi devices. I was a bit confused as how the Everyone chatroom worked. Like the Nearby room, it allows to communicate with people around you but at a much larger scale. Based on your IP address, it will connect you with the users from the same country as you which is inconvenient because if you use a VPN (like me) Firechat will connect you with the users whom their IPs are in the same country than the outer end of the tunnel.

Let's get our hand dirty and see how it works from a network point of view :)

Firechat Nearby communication

Bluetooth

Obviously, the Nearby room is the most interesting since it involves an original mean of communication called "adhoc networks". Nearby communication requires that either or both WiFi and Bluetooth interface to be turned on. Firechat does not enable the bluetooth interface automatically so it need to be manually turned on and set visible to every device (by default it is only visible to paired device). This can be done in the setting like the two following image :

 

Once Bluetooth is activated, Firechat will create two RFCOMM bluetooth channel. From my Laptop, I use the awesome blucat tool to scan and interact with the channels (like netcat but for bluetooth):

[root@archlinux:~] [sam. oct. 04 07:49:20] 
$ hciconfig hci0 up

[root@archlinux:~] [sam. oct. 04 07:49:20] 
$ blucat devices
Searching for devices
+,3C8BFE5CD657, "nameless", Trusted:false, Encrypted:false
Found 1 device(s)

[root@archlinux:~] [sam. oct. 04 07:49:46] 
$ blucat services 3C8BFE5CD677  
Listing all services
+,3C8BFE5CD677, "nameless", Trusted:false, Encrypted:false
-,"Headset Gateway", "", btspp://3C8BFE5CD677:2
-,"Handsfree Gateway", "", btspp://3C8BFE5CD677:3
-,"AV Remote Control Target", "", btl2cap://3C8BFE5CD677:0017
-,"Advanced Audio", "", btl2cap://3C8BFE5CD677:0019
-,"", "", btl2cap://3C8BFE5CD677:0017
-,"Android Network Access Point", "", btl2cap://3C8BFE5CD677:000f
-,"MAP SMS/MMS", "", btgoep://3C8BFE5CD677:4
-,"MAP EMAIL", "", btgoep://3C8BFE5CD677:5
-,"OBEX Phonebook Access Server", "", btgoep://3C8BFE5CD677:19
-,"OBEX Object Push", "", btgoep://3C8BFE5CD677:12
-,"", "", btspp://3C8BFE5CD677:15
-,"FireChat", "", btspp://3C8BFE5CD677:6

most of the channels are quiet standard Android channels except for the last two which have been created by Firechat. I tried to connect to the last one called Firechat on bluetooth port 6 but I was not able to get any response from the application so I believe this is only a "beacon" to advertise the presence of a FireChat user to the neighborhood or maybe it is used to create multi-hop route I don't really know.

The second channel on bluetooth port 15 is more interesting because this is were the communication takes place. So let's first connect to it using the following blucat command blucat -url and see what happens when I send a message to the Nearby room from the Firchat application (in order to make a distinction between send and receive message, i append the [received] and [send] tags):

[root@archlinux:~] [sam. oct. 04 07:50:58] 
$ blucat -url btspp://3C8BFE5CD677:15
[received] {"t":246039.375,"uuid":"!'AX.]!F!+:KIGJO","user":"plopinou","msg":"Lorem ipsum","firechat":"Nearby","name":"plop"}

 

As we can see from above, first the Android phone interactively asks for the user to accept the pairing, once it is done, every message sent from the Firechat app will be sent over the bluetooth channel on port 15 to every paired devices. So when I sent the "Lorem Ipsum" message from the Firechat app, I received a string on blucat which we recognize to be a JSON format to describe the data which are :

  • t: timestamp in seconds
  • uuid: a unique identifier for the message (probably an armored hash)
  • user name: real name full name [ndlr: fix 06-10] of the user
  • msg: the message to be sent to the room
  • Firechat: the name of the chatroom
  • name: the surname

Most interestingly, it is pretty easy to communicate with Firechat Nearby room from a Linux computer using blucat by sending a JSON formatted string. Let's send the following string in blucat and see what happens :

$ blucat -url btspp://3C8BFE5CD677:15
[...]
[sent] {"t":246040.0,"uuid":"123456","user":"teletrollix","msg":"trololo","firechat":"Nearby","name":"generalol"}

From the screenshot, the Firechat app display the "trololo" message sent from the user "teletrollix" which goes by the name "generalol". I tried sending ridiculous long string and there doesn't seem to have any limit to the size of the string we can send.

A funny thing is that every message sent from the application to a room will be forwarded by bluetooth as well. So don't except the room to be private because even if you are only two in it, every message you send to the room are forwarded to the bluetooth users. For instance if I create a room "hdhdusuwhwhsudusbshsiw" and send the message "plop" from the Firechat app, it will appear in the blucat log !!

$ blucat -url btspp://3C8BFE5CD677:15
[...]
[received] {"t":254533.78125,"uuid":"=G95udh9s}#uhE","user":"plopinou","msg":"Plop","firechat":"hdhdusuwhwhsudusbshsiw","name":"plop"}

Now what happens, if I send a message using blucat to a random channel, will it get forwarded by the application to Internet to every user ? Well, even though the message does appear in the room from the Firechat App, it is not forwarded to the Internet. Take another example, from the Firechat app, I will send the "Hey Joe" message and will then send from Linux using blucat the message "IMPOSSIBRU" to the room "Everyone":

$ blucat -url btspp://3C8BFE5CD677:15
[...]
[received] {"t":246494.15625,"uuid":"zn4!Q#4S~#X5,-mQ","user":"plopinou","msg":"Hey joe","firechat":"Everyone","name":"plop"}
[sent]     {"t":246500.0,"uuid":"jhzfjff","user":"teletrollix","msg":"IMPOSSIBRU","firechat":"Everyone","name":"generalol"}

From the previous image we understand the following things:

  • Firechat app does not forward message received by Internet to the bluetooth. Blucat did get the Hey Joe message but didn't get Chun Lam's message "Hi"
  • message sent by bluetooth to a random chatroom does appear in the firechat app (the IMPOSSIBRU message)
  • is it forwarded to the internet users ?

To be sure I used Wireshark to try to understand how does Firechat app communicate to its server that's where I discovered two interesting things.

Firechat Server

Using wireshark and filtering on the IP of my Android phone, I was able to determine that Firechat is sending message to two different IPs:

  • 239.192.0.0
  • 209.237.236.194

From the first IP, I understand that Firechat is also looking to create bond between WiFi device. It periodically sends UDP packet to the multicast address 239.192.0.0 and will also forward message just as it does with bluetooth. So not only every message sent are forwarded by bluetooth, they are also forwarded by WiFi !

This is actually quiet clever if we take into assumption that every message have to be public but I find it hard to swallow that they ask to provide a Real Name Full Name [ndlr: fix 06-10] given how it is wildly broadcasted and easy to intercept.

Let's keep going, the second IP is actually the Firechat server and message are sent through an SSL connection to the port 4176. And now comes the big surprise that is, if I simply connect to this IP using OpenSSL, then plenty of messages starts raining :

[nameless@archlinux:~] [sam. oct. 04 08:48:06] 
% openssl s_client -host 209.237.236.194 -port 4176
CONNECTED(00000004)
depth=0 C = US, ST = California, L = San Francisco, O = "Open Garden, Inc", CN = firechat.opengarden.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "Open Garden, Inc", CN = firechat.opengarden.com
verify return:1
[... Open SSL Connexion Log message ...]]

{"firechat":"Everyone","t":33.188826,"name":"Dhiraj Chainani","user":"themagicalteddy","msg":"this is cool","uuid":"K@)&:6p3]t%xW#{p","loc":"Singapore","st":1412402798}
{"t":247027.21875,"name":"plop","uuid":"*y7H[:hScJ43&X>d","user":"plopinou","msg":"It is","firechat":"Everyone","loc":"Singapore","st":1412402856}
{"t":72723.0703125,"name":"Lance Wong","uuid":"[Q$|p6fwHJ<:(bE=","user":"lancey","msg":"hello","firechat":"Everyone","loc":"Singapore","st":1412402869}
{"loc":"Woodlands","firechat":"Everyone","t":488.515361,"name":"Eugene","user":"cybercat","msg":"Wat make u cool","uuid":"a7!^x_Nvn<(1,Md;","st":1412402888}
{"t":247153.59375,"name":"plop","uuid":">BC.y4iS.poVSa,S","user":"plopinou","msg":"It just is","firechat":"Everyone","loc":"Singapore","st":1412402982}
{"t":247672.375,"name":"plop","uuid":"v:t{qA|@Y}Gn? <+","user":"plopinou","msg":"LOREM IPSUM","firechat":"Everyone","loc":"Singapore","st":1412403501}
{"t":248317.859375,"name":"plop","uuid":".qdWMiU%^IA,G}~u","user":"plopinou","msg":"Anybody ?","firechat":"Everyone","loc":"Singapore","st":1412404146}
{"t":4886.49169921875,"name":"MeeSiamMaiHum","uuid":"[Y$S ?-yW(b-g1gL","user":"maihum","msg":":-)","firechat":"Everyone","loc":"Singapore","st":1412404580}
{"name":"Lim Chee Aun","t":101.390309,"uuid":"y%VV+CJl5*b<","msg":"Test","firechat":"Everyone","user":"cheeaun","loc":"Singapore","st":1412404734}
{"name":"Valerie","t":25.014198,"uuid":"'DYJkO9s.{}ax}","msg":"😄😄😄😄","firechat":"Everyone","user":"lerie86","loc":"Singapore","st":1412404860}

As we can see from the image Above :

  • Every message we sent to the room "Everyone" is easily intercepted by just connecting to the server with OpenSSL
  • message sent by bluetooth to the "Everyone" room to a Firechat app are not Forwarded to the Internet (see how the message from generalol are not received on the SSL).

Both my Android phone and my Laptop are connected to the Internet using my broadband modem. If now I configure both of them to use my VPN in order to get to the Internet from France, we then receive message from French people:

[nameless@archlinux:~] [sam. oct. 04 08:48:06] 
% openssl s_client -host 209.237.236.194 -port 4176
[... Open SSL Connexion Log message ...]]
{"firechat":"Everyone","t":2329.514754,"name":"Jbmdb","user":"jbmdb13","msg":"Tu as instagram ?","uuid":"q$){>5=xx_f0)oK%","loc":"Martigues","st":1412404607}
{"loc":"Saint-Paulien","firechat":"Everyone","t":514.790329,"name":"Morgane","user":"morgane17","msg":"Non dsl","uuid":"u+Fo32Txr%n,5bB{","st":1412404634}
{"name":"Bastian","t":493.515672,"uuid":"bzk&jZEmZR($","msg":"Slt tlm","firechat":"Everyone","user":"bastain37","loc":"Amboise","st":1412404770}
{"firechat":"Everyone","t":2493.639984,"name":"Jbmdb","user":"jbmdb13","msg":"Ouki ni snap je pari ?","uuid":"Q>2nQxbGNW`KF@n","loc":"Martigues","st":1412404771}

Conclusion

Wireless device such as bluetooth or WiFi have so much more to offer than just providing a mobility area to the Internet. It is good news to see application like FireChat popularising this exciting communication paradigm. However in the current state FireChat suffer from several flows that makes it unsuitable for an event like "Umbrella Revolution". First the application is closed source and its internal mechanism are pretty difficult to understand at first. It is hard to fully comprehend wether a message goes public or stay locally. The lack of information regarding this matter makes it irresponsable to ask users to fill in their full name before using the application.

During the study, we stressed that not only every message sent are broadcasted locally (both Bluetooth and Wifi) regardless of the room, but we also show how easy it was to intercept and send information from/to Firechat users. Given the political context of the Umbrella Revolution, I would advise people to stop using Firechat or at least try to avoid leaking any information that could link to their real identity.

0.0 ·
0
What's Next
Trending Today
10 Provocative Quotes from Ivan Illich's "Deschooling Society"
Daniel Lattier · 10,607 views today · Ivan Illich’s groundbreaking book Deschooling Society (1971) offers a radical critique of the institutionalization of education within modern societies. Illich believed that we...
This Text Message Exchange Between a Mother and Daughter is Pure Gold
Belinda Hankins · 10,198 views today · When Belinda Hankins got a text message from her 13-year-old daughter, who was shopping for period products, it started an exchange that will resonate with women everywhere. Enjoy.
What Makes Call-Out Culture So Toxic
Asam Ahmad · 4,283 views today · Call-out culture refers to the tendency among progressives, radicals, activists, and community organizers to publicly name instances or patterns of oppressive behaviour and...
Welcome to Marinaleda: The Spanish Anti-Capitalist Town With Equal Wage Full Employment and $19 Housing
Jade Small · 3,890 views today · With virtually no police, crime or unemployment, meet the Spanish town described as a democratic, socialist utopia. Unemployment is non-existent in Marinaleda, an Andalusian...
When You Kill Ten Million Africans You Aren't Called 'Hitler'
Liam O'Ceallaigh · 3,062 views today · Take a look at this picture. Do you know who it is? Most people haven’t heard of him. But you should have. When you see his face or hear his name you should get as sick in...
Superblocks: How Barcelona Is Taking City Streets Back From Cars
5 min · 2,477 views today · Modern cities are designed for cars. But the city of Barcelona is testing out an urban design trick that can give cities back to pedestrians.
What You Might Notice If You Forgot Your Phone For a Day
2 min · 2,323 views today · There is a moment happening right in front of you, right this second, and you just might be missing it
Ikigai - Finding Your Reason for Being
Chip Richards · 2,093 views today · What Gets You Out of Bed in the Morning? When asked what is the single most powerful contributing factor to one’s health and vitality, integrative medical...
11 Traits of People With High Emotional Intelligence
Raven Fon · 1,876 views today · Lately, new ways to describe human interactions, social behaviours, and many facets of psychology have emerged on the social network scene. One of those descriptions is “high...
Who Are You? Watching This Breathtaking Video Could Be the Moment You Change Your Life
2 min · 1,723 views today · "Normal is getting dressed in clothes that you buy for work, driving through traffic in a car that you are still paying for, in order to get to a job that you need so you can...
93 Documentaries to Expand Your Consciousness
Films For Action · 1,585 views today · There are over 800 documentaries now cataloged in our library of social change films. That's probably way too many for any mortal to ever watch in a lifetime, let alone a few...
Throw (2016)
10 min · 1,422 views today · The first installment of Invisible Thread, an ongoing ELM passion project series, Throw tells the story of an outsider from East Baltimore, an area challenged by gang violence...
Today I Rise: This Beautiful Short Film Is Like a Love Poem For Your Heart and Soul
4 min · 1,264 views today · "The world is missing what I am ready to give: My Wisdom, My Sweetness, My Love and My hunger for Peace." "Where are you? Where are you, little girl with broken wings but full...
Schooling the World (2010)
66 min · 942 views today · If you wanted to change an ancient culture in a generation, how would you do it? You would change the way it educates its children. The U.S. Government knew this in the 19th...
Forest Man
16 min · 717 views today · Since the 1970's Majuli islander Jadav Payeng has been planting trees in order to save his island. To date he has single handedly planted a forest larger than Central Park NYC...
Real Change in Democracy Comes Not in the Voting Booth but Activism at the Grass-Roots
Ilze Peterson · 706 views today · Many years ago, the late Judy Guay, a low-income woman from Bangor, founded the Maine Association of Interdependent Neighborhoods in order to advocate for the neediest in our...
Doctors Response to Daily Mail Bigotry is Beautiful
Neil Tiwari · 646 views today · A poetic open letter to the Daily Mail newspaper from Dr. Neil Tiwari, in response to a bigoted attack on his colleagues, is going viral and it's beautiful.
John Lennon's "Imagine," Made Into a Comic Strip
John Lennon. Art by Pablo Stanley · 634 views today · This is easily the best comic strip ever made.  Pabl
Fighting Trump - Residents Opposing Donald Trump's Scottish Golf Resort
14 min · 629 views today · Documentary on the residents protesting against Donald Trump's golf development on the Menie Estate in Aberdeenshire, Scotland. Directed and Presented by James Trosh.
How to Criticize with Kindness: Philosopher Daniel Dennett on the Four Steps to Arguing Intelligently
Maria Popova · 577 views today · “Just how charitable are you supposed to be when criticizing the views of an opponent?”
Load More
Like us on Facebook?
Firechat and Nearby Communication