The Rise and Fall of Wire Messenger

Darren Kriln
5 min read · Mar 30, 2020


If you’re part of the infosec community, a journalist who needs to protect their sources, or someone who’s highly concerned about privacy, you’ve probably heard about Wire — the Swiss messaging app that tried to take on Signal, Telegram, and WhatsApp. But if you’re a regular user, you’d be forgiven for knowing nothing about this particular messenger.

Wire hoped to join the ranks of prominent apps focusing on privacy and security, but its road to recognition was a hard one and its rise modest. Its fall, however, was swift and brought on by a single decision. Today, we’ll take a look at a messenger that was punished by the very people who celebrated it.

How It Started

It began with Morten Brøgger, Alan Duric, and crucially, Janus Friis, the co-founder of Skype. After selling Skype to Microsoft, the entrepreneur decided to try his hand at messaging apps. He helped Wire get off the ground, even recruiting numerous employees from Skype. Work on the messenger lasted 2 years, and the app was unveiled in 2014.

The core advantage was apparent right away: this was a product made by professionals with prior experience, not just a team of enthusiasts. The launch took place on all mobile platforms as well as Windows and MacOS — immediately offering end-to-end encryption across the app, plus voice and video calls, as well as file sharing options. Even at that point, it had all the right elements to rival WhatsApp and Viber, not to mention the newcomers — Signal and Telegram.

As time went on, the app added features like group calls, guest rooms that allowed messaging with people outside of the app, screen sharing on desktop, and a sketching option on the mobile versions. This unique functionality was more than enough to make Wire stand out, but its core audience didn’t seem terribly interested. The users focused on end-to-end encryption, holding Wire up as the next bastion of communication security.

How It Operated

As the app matured, opinions split. Some, like The Guardian’s Stuart Dredge, were cautiously optimistic while others wondered if Wire might possibly kill off email. Most of this was based on a mixture of security and Wire combining all the things the corporate world loves: conference calls, group chats, file sharing, and more.

What made Wire’s rise steadier and its future easier to imagine is the fact that the company introduced a Slack-like spinoff product, specifically intended for corporate communication. This version of Wire operated on a subscription-based model and could, hopefully, fund further development of the mobile and web versions of the messenger. Although Brøgger, the CEO, admitted that the app is ‘years from profitability’, he also explained that the messenger was growing ‘5 to 7 percent each week’. Given time, this could have made Wire the first profitable messenger in its class.

Wire’s own message encryption protocol Proteus is based on the Signal Protocol while its calls are encrypted using SRTP. The company keeps its code open-source and independently audited, lauded as a major accountability move for its users.

Its course wasn’t perfect, though, as it was revealed the app did store user information in plaintext on its servers — a list of all the people each user had contacted. Wire quickly responded to explain that this was a required concession in order to sync Wire across devices.

Additionally, a vulnerability was found: “the Wire client sends the unencrypted, unhashed password to the central server over TLS, the server hashes the plaintext password with scrypt, and the hash is compared to the hash stored by the server. This process leaks the user’s password to the central server; the server operators (or anyone who compromises the server) could log all of the plaintext passwords as users authenticate.” So those with access to the server would gain the ability to log into the Wire account of a user and access their data or pose as them. Wire’s response was brief and dismissed the issue: “Wire was initially designed to be fully compatible with browsers and this is where this form of authentication comes from. That doesn’t mean it can’t be improved, and we have already looked at alternatives.”
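The login flow in the quoted finding, as an added Python sketch that is not Wire's code: a constructed `Server` class records every secret that reaches it, first with the plaintext password and then with a hypothetical client-side scrypt stretch (`client_stretch`, an assumption for illustration, not an alternative Wire named). The variant keeps the password itself off the server, but the derived value still works as a login credential for that one service.

```python
import hashlib
import hmac
import os

SCRYPT = dict(n=2**14, r=8, p=1, maxmem=64 * 1024 * 1024, dklen=32)


class Server:
    """Constructed stand-in for a login server; not Wire's code."""

    def __init__(self):
        self.db = {}        # username -> (salt, scrypt hash)
        self.observed = []  # every secret that reached the server

    def register(self, user, secret):
        salt = os.urandom(16)
        self.db[user] = (salt, hashlib.scrypt(secret, salt=salt, **SCRYPT))

    def login(self, user, secret):
        # Whatever arrives here is visible to the operator, or to anyone
        # who has compromised the server, before any hashing happens.
        self.observed.append(secret)
        salt, stored = self.db[user]
        candidate = hashlib.scrypt(secret, salt=salt, **SCRYPT)
        return hmac.compare_digest(candidate, stored)


def client_stretch(user, password, service=b"example-service"):
    """Hypothetical variant: derive a per-service login secret client-side."""
    salt = hashlib.sha256(service + b"\x00" + user.encode()).digest()
    return hashlib.scrypt(password, salt=salt, **SCRYPT)


def demo():
    password = b"correct horse battery staple"  # constructed sample
    a = Server()  # flow from the finding: plaintext sent over TLS
    a.register("alice", password)
    ok_a = a.login("alice", password)
    b = Server()  # variant: only a stretched, service-bound value is sent
    b.register("alice", client_stretch("alice", password))
    ok_b = b.login("alice", client_stretch("alice", password))
    return {
        "plaintext_flow_ok": ok_a,
        "plaintext_seen_by_server": password in a.observed,
        "stretched_flow_ok": ok_b,
        "plaintext_seen_in_variant": password in b.observed,
        "replay_of_observed_value_ok": b.login("alice", b.observed[0]),
    }
```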

How It Fell

None of the facts mentioned above brought Wire down, though. In fact, for a while, its popularity seemed to be on a steady rise. Included whenever the subject of ‘secure messaging’ was brought up, Wire seemed ready to become the gold standard. Its downfall started with a business deal that many would call shrewd under different circumstances: raising $8.2 million in venture capital from Morpheus Ventures (a huge capital boost for a messenger that didn’t have the benefit of Brian Acton donating $50 million or Mark Zuckerberg financing the whole operation) and moving its headquarters from Luxembourg to the US.

The company went on to confirm that they did change holding companies and would be US-based from then on. This set the more inquisitive users off on a search that led them to a few discoveries. First on the complaint list was that Morpheus Ventures, the big investor, has its fingers in insurance, big data, and customer data analytics — all industries that are considered predatory. This, coupled with the earlier concerns about Wire storing unencrypted metadata, meant users were worried about the new investors taking advantage of their Wire profiles.

This alone might not have been enough to erode users’ trust, as Wire had a largely clean track record and addressed any issues head-on. However, when changes to the privacy policy appeared in November 2018, people didn’t spot them right away. This was by design, according to Wire’s CEO Morten Brøgger: “Our evaluation was that this was not necessary. Was it right or wrong? I don’t know.” It’s a brush-off response to a legitimate concern: when your privacy policy used to staunchly defend user privacy, and promised not to disclose their data, changing it to read ‘Wire will only access and share your data if necessary or required by law or legal process’ is a total turnaround. Especially when, a little bit after saying “We are in Switzerland, which has the best privacy laws in the world”, your company picks up and moves to the US, which, as you know, doesn’t have the best privacy track record.

All of these factors snowballed and led to many security experts dismissing Wire and claiming the company had set off on the wrong path. While one may find this a touch too alarmist, it would be unwise to completely dismiss their concerns. For now, Wire can still recover and make a triumphant return. All it needs is a steady direction and a little bit of honesty.
