Threat Composition
The Threat Model analyses Connect's attack surface one architectural layer at a time. This page asks the harder question: what does a sophisticated adversary experience when attacking across layers simultaneously?
Three attack objectives are traced end-to-end — (A) impersonating a contact, (B) extracting the social graph, (C) reading message content — across the full stack of NFC/QR trust establishment, BLE discovery, Double Ratchet sessions, MLS group encryption, and the optional Tor relay.
Key finding: the three primary defences (physical-first trust, E2E encryption, no-server architecture) are genuinely independent — breaking one does not automatically break the others. The exception is device compromise, which collapses all three objectives simultaneously. Two structural gaps exist at layer boundaries: the NFC tap → BLE recognition transition, and the unencrypted type/audience routing fields in feed envelopes.
Objective A — Impersonating a Contact
Goal: an adversary forges messages that appear to come from a known contact (Alice) to another contact (Bob).
A user's identity in Connect binds to an Ed25519 signing keypair, a hash-chained feed of entries signed with that keypair, a set of per-contact Double Ratchet sessions, and MLS group memberships. Every layer independently prevents forgery.
| Layer | Attack | Feasibility | Defence |
|---|---|---|---|
| NFC tap | MITM — adversary relays the tap and substitutes their own key | Extremely low — requires co-presence within 4 cm, simultaneous with both devices; X3DH is transparent to passive relay | Key fingerprint comparison (Safety Numbers pattern): Bob and Alice verbally compare a short displayed string |
| QR scan | Photograph the QR code and replay it to a different scanning device | Low–moderate — QR must be used within 30–60 s; fingerprint comparison required | Ephemeral QR with timestamp + signature; short expiry; verbal fingerprint comparison |
| Feed entries | Sign a forged entry with a different key | Impossible without Alice's private key | Hash chain + signature verification; clients reject entries signed by a key not in the rotation chain |
| Double Ratchet session | Inject a forged message into an established session | Impossible without Alice's ratchet state | AEAD authentication — forged ciphertext produces an invalid tag and is rejected |
| BLE discovery | Forge a rotating beacon that Alice's contacts will authenticate as Alice | Impossible without the shared contact key | Shared-key mutual authentication over GATT before any identification |
| Device theft | Attacker holds the physical device and all keys on it | High — the only practical impersonation path after trust establishment | Three-tier revocation (BIP39, Shamir 2-of-3, guardian threshold); MLS Remove by any group member; BLE gossip propagation |
Layer-boundary gap: a physical-proximity adversary who observes both the NFC tap at time T and subsequent BLE encounters can correlate "this device participated in a tap at T" with "this device is now doing BLE discovery". This does not enable impersonation but does confirm device identity to the observer. There is no protocol-level mitigation; it is an accepted residual risk of co-located physical presence.
The impersonation window after device theft: the attacker can act as Alice with every contact who has not yet received a revocation notice. The window closes contact-by-contact as the notice propagates via BLE gossip — bounded by human movement, not any algorithmic timer. See Key Revocation & Recovery for the recovery model.
Objective B — Extracting the Social Graph
Goal: an adversary learns who is connected to whom.
In pure offline mode, the adversary faces a fundamental structural limit: no central point holds the social graph. Extracting it requires compromising individual devices (each yields one local subgraph) or performing passive BLE presence analysis at scale.
| Layer | Attack | What the adversary learns | Mitigation |
|---|---|---|---|
| BLE passive sniffing | Observe BLE advertisements and connections | Rotating beacon IDs (unlinkable across rotations); that a device is present | MAC + content rotation; no stable identifier in advertisements |
| BLE chipset fingerprinting | Clock drift + RSSI signature analysis with SDR | That this physical device is present — correlatable across MAC rotations | Not mitigable at the application layer; accepted residual risk |
| NFC tap observation | Observe that two devices tap | That two specific devices were in physical contact at a time and place | NFC range is ~4 cm; observation requires close proximity to both parties |
| Feed replication | Intercept feed envelopes during BLE sync | feed_id (stable pseudonym), unencrypted audience, type — not content |
E2E encryption; relay sees only routing hints in clear |
| Server compromise | Compromise a relay or directory server | No global directory exists; relay sees only pubkey hashes and encrypted blobs | No global directory by design |
| Device seizure | Physical access to one device | That device's local subgraph only | No single device holds the global graph |
| Compromised contact | Coerce or surveil a contact | That contact's direct connections to the target — one hop of the graph | Physical-first trust limits the graph to verified real-world relationships |
The chipset fingerprinting leak: a broadband BLE receiver (SDR) with enough data to model a device's clock drift can track that device across MAC rotation events — revealing presence at locations over time. Combined with knowledge of who else was present, this allows partial graph inference. It is the only objective-B threat in pure offline mode that is not patchable at the application layer.
Online mode: when Tor is enabled, the guard node learns the user's IP and that they run a Tor hidden service. A guard-node adversary collaborating with a destination-side adversary can perform traffic correlation — a probabilistic social-graph leak for the online subgraph. This is not unique to Connect; it is the fundamental Tor deanonymisation risk.
The audience field leak: feed envelopes carry unencrypted audience and type fields. A relay or any intermediate node that handles an envelope can see that a specific feed_id sent a direct:{peer_feed_id} entry — a direct social graph edge, visible without decrypting content. This is the most significant structural metadata leak in the feed layer. The audience field is unencrypted by necessity (routing), but direct:{peer_feed_id} arguably should be a one-way hash of the peer ID that the relay cannot reverse. This is an open design question.
Objective C — Reading Message Content
Goal: an adversary reads plaintext content of a message between Alice and Bob.
E2E encryption is the primary defence, and it is independently effective at every layer. A message encrypted with the Double Ratchet is the same ciphertext whether it travels over BLE, WiFi Direct, or Tor — the transport is irrelevant to cryptographic content protection.
| Layer | Attack | Feasibility | Mitigation |
|---|---|---|---|
| BLE radio interception | Passive sniffing of GATT exchange | High — commodity BLE sniffers can capture | GATT data is Double Ratchet AEAD; ciphertext is indistinguishable from random |
| NFC tap interception | Capture the initial key exchange payload | Extremely low — 4 cm range; captured NFC material does not decrypt subsequent messages | X3DH produces a root key; the ratchet proceeds independently from there |
| Relay compromise | Compromise the community WiFi relay server | High — physical access to a Pi is easy | Relay sees only encrypted blobs; no key material ever reaches the relay |
| Key extraction from device | Malware, forensic tool, or seized unlocked device | Moderate — depends on device security posture | Secure Enclave / Android Keystore; SQLCipher with separate PIN; forward secrecy on deleted chain keys |
| Session state corruption | Corrupt ratchet state to force key reuse | Low — AEAD detects tampering; session treated as broken | MAC failure → session broken → fresh key exchange required |
| Feed content interception | Intercept a feed entry at the relay | High — relay handles all entries | content_enc is AEAD encrypted; relay cannot decrypt without the audience key |
| MLS epoch key extraction | Obtain a group epoch key | Low — requires device compromise of at least one member | TreeKEM: compromise of one leaf does not expose other members' keys |
The only practical path to content in offline mode is device compromise — seizing an unlocked device, OS malware, or forced biometric unlock. This is an endpoint security problem, not a cryptographic one. Mitigations: Secure Enclave key storage, SQLCipher database encryption, minimal data retention, duress mode.
"Harvest now, decrypt later" (HNDL): an adversary who captures encrypted BLE traffic today and intends to decrypt it with a future quantum computer is mitigated by PQXDH (X25519 + ML-KEM-768) for key exchange and AES-256-based AEAD for content (secure against Grover's algorithm at 128-bit effective security). This protection is pre-emptive — it covers traffic captured before a capable quantum adversary exists.
The Sophisticated Adversary
A state-level adversary with sufficient resources can simultaneously pursue all three objectives. This is what they face:
Resources available:
- Physical presence at locations the target visits (BLE chipset fingerprinting)
- Legal access to the community relay if one is used online
- A compromised device (seized, malware, or supply-chain)
- A compromised contact (coercion or infiltration)
Achievable (partial):
A — Impersonation: only via device theft or a forged NFC tap where fingerprint check was skipped
B — Social graph: partial (chipset fingerprint + audience field + compromised contacts)
C — Content: only via device compromise or a compromised contact
Out of reach even for a state-level adversary:
- Past messages with deleted chain keys (forward secrecy is unconditional)
- The global social graph (no server holds it)
- Identity correlation from offline BLE ads without chipset fingerprinting hardware
- Content from the relay (relay sees only ciphertext)
- MLS group keys without compromising a group member's device
The composition of A + B + C requires device compromise. This is the design's intentional concentration of risk: all three objectives converge on the endpoint. The consequence is that endpoint security — Secure Enclave, GrapheneOS, minimal data retention, duress mode — is the highest-leverage investment for users in high-threat environments.
Defences That Compose Cleanly
| Defence | Blocks A | Blocks B | Blocks C | Independent of other layers? |
|---|---|---|---|---|
| Physical-first trust (NFC + fingerprint check) | Yes | Partial | No | Yes |
| Rotating BLE beacon + GATT auth | Partial | Yes | No | Yes |
| Double Ratchet AEAD | No | No | Yes | Yes |
| MLS epoch ratchet | No | No | Yes | Yes |
| PQXDH hybrid key exchange | No | No | Yes (HNDL) | Yes |
| No server / local-only social graph | No | Yes | Yes | Yes |
| E2E feed encryption | No | Partial | Yes | Yes |
| Forward secrecy (chain key deletion) | No | No | Yes (past msgs) | Yes |
| Tor (online mode) | No | Partial (guard node) | Yes | Separate threat surface |
Layer-Boundary Gaps
| Gap | Layers involved | Risk level | Recommended mitigation |
|---|---|---|---|
| NFC tap → BLE temporal correlation | Trust establishment + BLE discovery | Low — requires physical co-presence | Accept as residual; document for high-threat users |
direct:{peer_feed_id} in unencrypted audience field |
Feed format + relay | Medium — graph edge visible to relay | Hash the peer_feed_id in the audience field; recipient can compute, relay cannot link |
| BLE chipset fingerprinting | BLE discovery + hardware platform | Medium for targeted adversary | Not patchable at app layer; recommend GrapheneOS as platform-level mitigation |
| Device compromise collapses all three objectives | All layers | High — single point of failure for endpoint | Secure Enclave, SQLCipher, duress mode, minimal data retention |
| Revocation propagation window (Objective A) | Trust + revocation + BLE gossip | Medium — window = speed of human movement | No algorithmic solution; governance + UX (prompt re-verification of key changes) |
Open Questions
- Is hashing the
peer_feed_idin theaudience: "direct:{hash}"field a viable way to preserve relay routing while hiding the graph edge — and does it break any sync or verification logic downstream? - Can UWB Provisioned STS (physics-based relay resistance, available on recent flagships) close the NFC → BLE temporal correlation gap for high-threat users with compatible hardware?
- Is the
audiencefield the right design point for routing at all, or should routing information be fully separated from the content envelope — the relay receives an opaque routing header; the envelope is completely opaque to it? - Does randomising transmit power per advertisement provide meaningful resistance to the chipset fingerprinting attack, or is the clock drift signature sufficient for fingerprinting regardless of observed power levels?
- Is the duress mode (separate PIN → silent no-op tap) a net positive, or does "this device has duress mode" become a forensic indicator that the user is a person of interest?
- Should a minimum quorum for MLS Remove be required when a compromised device is active in a group, preventing the attacker from submitting conflicting proposals to delay their removal?