By Lily Hay Newman for Wired
YOU’RE TRYING TO protect yourself from the hacks and data breaches that make headlines every week. Great! Maybe you even switched to an encrypted messaging service thatspecifically touts its strong data protections. Smart! Or was it? In today’s security climate, apparently no good deed goes unpunished. Reuters reported today that more than a dozen Iranian Telegram accounts, the messaging app “with a focus on security,” have been compromised in the last year thanks to an SMS text message vulnerability. That may not sound like many, but the whole idea of Telegram is that no one can read your messages at all. Any breach at all is troubling. Additionally—and perhaps more alarmingly—the hackers were able to access the phone numbers of 15 million Iranian Telegram users.
Amnesty International technologist and researcher Claudio Guarnieri and independent security researcher Collin Anderson traced recent Telegram account breaches in Iran to the SMS messages Telegram sends to people when they activate a new device. The texts contain a verification code that Telegram asks people to enter to complete a new device setup. A hacker with access to someone’s text messages can obtain these codes and enter them to add their own devices to the person’s account, thus gaining access to their data including chat histories.
The researchers think the Iranian hacking group Rocket Kitten is behind the Telegram breaches, based on similarities to the infrastructure of past phishing attacks attributed to the group. There is widespread speculationthat Rocket Kitten has ties to the Iranian government. “Their focus generally revolves around those with an interest in Iran and defense issues, but their activity is absolutely global,” says John Hultquist, who manages the cyber espionage intelligence team at the security firm FireEye, of Rocket Kitten. In the case of the Telegram attacks, the researchers also suggested that SMS messages may have been compromised by Iranian cell phone companies themselves, an industry that also has potential ties to the government.
That SMS is involved is no surprise. It has increasingly fallen out of favor as a “factor” in multi-factor authentication, because it can be compromised in a number of different ways. The National Institute of Standards and Technology even denounced SMS for two-factor in draft recommendations last week.
Telegram said in a statement to WIRED that it is “much like any SMS-based app. If someone has access to your SMS messages, they will get access to your account. If you have two-factor authentication enabled on Telegram, and they have access to your recovery email and SMS, they will get access to your account.”
In addition to concerns about SMS, the researchers also noted that the hackers were able to access 15 million phone number/account combos using Telegram’s public-facing application program interface. The hackers brute-forced the API by entering millions of Iranian mobile phone numbers and collecting those that returned a user ID. “Since Telegram is based on phone contacts, any party can potentially check whether a phone number is registered in the system. This is also true for any other contact-based messaging app (WhatsApp, Messenger, etc.),” a Telegram spokesman wrote. It has since patched the ability to use the API for “mass checks.”
Guarnieri and Anderson will present a broader talk about government-sponsored hacking in Iran at the Black Hat cybersecurity conference in Las Vegas on Thursday. The pair will also publish a full report on the Telegram hack and other research later this year with the Carnegie Endowment for International Peace.
Telegram has about 100 million users worldwide and 20 million in Iran. The service has become an important tool for collecting and disseminating information in Iran. It is used by activists, journalists, and citizens more broadly to work around stringent government media control. The roughly 12 people directly targeted in this hack were people like that. “The individuals that are targeted [in these Telegram hacks] are individuals who are human rights activists, they’re opposition figures, they’re individuals tied with people who are currently in jail or under house arrest or these sorts of things,” Anderson said. “The fact that they’re going after these individuals shows that this is part of a larger understanding of the opposition environment inside of the country.”
The hackers also cast a wider net, though, by using Telegram’s API to confirm the phone numbers and usernames of 15 million out of roughly 20 million Iranian Telegram accounts. Though anyone can look up whether a particular individual is a Telegram user, as the company points out, collecting this information on such a large scale creates a different type of security concern, cataloging the majority of the service’s users in addition to targeting a particular few.
How Serious Is This?
The Telegram hack is deeply troubling. It is a reminder that even if a communication platform’s encryption is sound there can still be ways to compromise accounts. For people without extensive cybersecurity knowledge or access to resources, this could mean misplaced trust in these types of services.
The takeaway for everyday people is that SMS two-factor authentication is not trustworthy, and if you depend upon your encrypted messages staying encrypted, do not use it.
Anderson says this also illustrates that there is an “information gap” between companies and users. No matter how much detail a company like Telegram provides about how to secure an account, it may be useless to people in another country if they don’t read English well. Meanwhile, when a country is ruled by a repressive regime it’s much less likely that there are privacy-focused communication services available in local languages. Services offering strong encryption do shield citizens from many types of surveillance, which is vitally important to free speech in many places. This hack underscores that even security-focused platforms have limitations, and that it is difficult to convey and guard against those shortcomings.
First appeared at Wired