Telegram, the encrypted messaging app loved by terrorists, has been in the news lately. Terrorists have long used existing commercial and public communications infrastructure to send commands and plan operations. This is nothing new. What is causing so much distress is that Telegram provides a secret chat feature that is end to end encrypted.
Encryption, what’s in a name?
There are problems with this encryption, but it hasn’t been publicly broken. I’m not a crypto guy so I don’t know the details; however, I’ll just quote Dr Matthew Green:
— Matthew Green (@matthew_d_green) March 29, 2015
On the other hand, some serious cryptographers did try to win the $300,000 prize from Telegram for breaking the crypto and failed. So it isn’t obviously broken.
Personally, I wouldn’t trust the encryption protection in Telegram against a nation state adversary.
Candygram for Mr NSA
Even if Telegram’s encryption is solid, there are serious problems with the safe operational use of the program.
Telegram requires a working phone number to register, and then uses this as the primary identifier for the account. Users will make security mistakes and register with their personal mobile numbers:
Shumukh thread dump. Bros signs up for Telegram with own phone #. Others tell how to fix his "security catastrophe" https://t.co/WMyzWYJECU
— switched (@switch_d) November 17, 2015
Own the Number, Own the Account
Telegram links an account to a telephone number. The messenger verifies that the phone number is accessible to the user when they register their account (via an authentication code sent over SMS, or via a call). For an attacker with access to the telco systems (e.g. SS7 injection, or a national telephone operator), hijacking the verification code for the account is straightforward: redirect the SMS/calls for the number to a location that is under attacker control/visibility.
This attack has been used a number of times in the wild. At first there were only anecdotal reports from Iran of Telegram accounts being hijacked. Then an account hijacking in Russia was well documented and made public. Clearly, at least some nation states are using this technique to hijack accounts.
Telegram added an additional security feature to address this attack — a password. If a password is set for an account, then both the authentication sent to the phone number and the password are required to access an account on a new device.
All non end to end encrypted chats are automatically backed up to the Telegram servers. When the user accesses their account from another device, their entire chat history is available to them. This is a security nightmare. It means that an account compromise exposes historical data to the adversary, not just for the duration of the compromise. Storing sensitive data is a dangerous play, always.
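A toy model of the login policy described above, added here as an example (it is not Telegram's code or protocol; the class names, function names, phone number and chat data are constructed). It shows that with no password set the SMS code alone returns the whole server-side history, while a set password makes the code insufficient.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

PHONE = "+10000000000"  # constructed number


def kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    pw_hash: Optional[bytes] = None  # None = no password set
    cloud_chats: list = field(default_factory=list)  # non-E2E history, server-side


class Server:
    """Toy model of phone-number login, not Telegram's real protocol."""

    def __init__(self):
        self.accounts, self.pending = {}, {}

    def request_code(self, phone: str) -> str:
        # Sent over the phone network: whoever receives SMS for the
        # number at that moment holds the code.
        self.pending[phone] = f"{secrets.randbelow(10**5):05d}"
        return self.pending[phone]

    def login(self, phone, code, password=None):
        acct = self.accounts[phone]
        expected = self.pending.pop(phone, None)  # codes are single use
        if expected is None or not hmac.compare_digest(expected, code):
            return None
        if acct.pw_hash is not None:
            if password is None or not hmac.compare_digest(
                    acct.pw_hash, kdf(password, acct.salt)):
                return None
        return list(acct.cloud_chats)  # new device receives full history


def login_with_sms(account_password, supplied_password=None):
    """History returned to a party that holds the SMS code."""
    server = Server()
    acct = Account(cloud_chats=["2014: old chat", "2015: recent chat"])
    if account_password is not None:
        acct.pw_hash = kdf(account_password, acct.salt)
    server.accounts[PHONE] = acct
    code = server.request_code(PHONE)
    return server.login(PHONE, code, supplied_password)
```
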
Error Prone Defaults
Messages are not end to end encrypted by default. There is no way to opportunistically encrypt an existing session. Instead users must select a “New Secret Chat” and then start chatting. This is error prone. The most likely case is that people will make the mistake of clicking on the contact they wish to speak to rather than going through the multi step process of setting up a “Secret Chat.” Tools that allow for mistakes encourage operational errors. If it is possible, it will happen.
When registering an account with Telegram, the app helpfully uploads the entire Contacts database to Telegram’s servers (optional on iOS). This allows Telegram to build a huge social network map of all the users and how they know each other. It is extremely difficult to remain anonymous while using Telegram because the social network of everyone you communicate with is known to them (and whoever has pwned their servers).
Contact books are extremely valuable information. We know that the NSA went to great lengths to steal them from instant messenger services. On mobile the contact lists are even more important because they are very frequently linked to real world identities.
Anything using a mobile phone exposes a wide range of metadata. In addition to all the notification flows through Apple and Google’s messaging services, there are the IP traffic flows to/from those servers, and the data on the Telegram servers. If I were a gambling man, I’d bet those servers have been compromised by nation state intelligence services and all that data is being dumped regularly.
This metadata would expose who talked with whom, at what time, where they were located (via IP address), how much was said, etc. There is a huge amount of information in those flows that would more than compensate for lacking access to the content (even if, big assumption, the crypto is solid).
Safe Operational Telegram Use
The safest way to use Telegram would be not to. However, if you have no other choice, the best approach would be to use a clean burner phone to communicate with another clean burner phone. Change them regularly.
(Actual operational guidance omitted)
That good, huh?
In summary, Telegram is error prone, has wonky homebrew encryption, leaks voluminous metadata, steals the address book, and is now known as a terrorist hangout. I couldn’t possibly think of a worse combination for a safe messenger.
For a messenger with better encryption and security, use Signal. For better encryption and a yearly subscription, use Silent Circle. For better encryption (probably) and an unlinked identity, use Threema. For an identical interface with better encryption (including soon on iOS) use WhatsApp (no, don’t use WhatsApp, it has problems too, use Signal.)
In short, for better protection, use anything else.
Originally published at grugq.tumblr.com.