Spying on instant messaging servers: Potential privacy leaks through metadata

Research output: Contribution to journal › Article › peer-review

Abstract

Nowadays, digital communications are pervasive and as such, they carry a huge amount of both professional and private information all around the world. Given the knowledge that can be extracted from such information, its confidentiality is of utmost importance for both companies and individuals. Recent news related to massive breaches of privacy by both external actors such as government agencies and rogue teams, and internal actors such as communication services providers (i.e., Google, Apple, Facebook, Amazon, Microsoft) have exacerbated the need for more secure communication technologies. Although message content can be encrypted end-to-end by so-called ‘off-the-record techniques’, message metadata such as sender, recipient, time sent and size can still leak a lot of information about communicating parties. Oblivious RAM (ORAM) systems form a promising new branch of research for hiding metadata from the hosting servers, but they have not yet been deployed in production environments. Due to their complexity and performance penalty, they can currently be used only for very simple client-server applications such as instant messaging (IM). In this context, we show that accessing metadata on a messaging server can leak information that could be concealed by ORAM systems. More specifically, we show the differences observed in metadata collection between a classic XMPP server and two ORAM-based servers. In order to assess those systems, we have designed a new attack based on live forensic techniques to retrieve metadata from the RAM of a running IM server. We have used two datasets of instant messages for carrying out this assessment. Our experimental results highlight the leak of metadata from a standard messaging server and can also be used for testing the security of an ORAM-based messaging server.

Original language: English
Pages (from-to): 175-206
Number of pages: 32
Journal: Transactions on Data Privacy
Volume: 12
Issue number: 2
Publication status: Published - Aug 2019

Keywords

  • Attack
  • Data Privacy
  • Instant Messaging Acknowledgement
  • Metadata
  • Oblivious RAM
  • ORAM
  • Privacy
  • Spy