Telegram app’s SMS activation used to expose activists and journalists

Telegram, one of the encrypted messaging apps that describes itself as the “more secure alternative” to common messaging apps like WhatsApp, has been targeted by hackers intercepting its SMS activation messages.

Reuters reported on Tuesday that the newly discovered attacks have compromised the accounts of more than a dozen activists, journalists and other people in sensitive positions in Iran.

Independent cyber researcher Collin Anderson and Amnesty International technologist Claudio Guarnieri, who’ve spent years studying Iranian hacking groups, told the news service that over 20 million people use Telegram in Iran.

The company claims to have over 100 million users and reportedly is widely used in the Middle East, including by the Islamic State.

Anderson and Guarnieri have also claimed that the attackers have identified phone numbers of 15 million Iranian users: what Reuters called “the largest known breach of the encrypted communications system.”

Telegram is shrugging off the phone numbers.

The company said in a post that it did, in fact, confirm that the 15 million Iranian phone numbers were registered on Telegram.

But only publicly available data has been collected, Telegram says. The accounts themselves haven’t been accessed. The company said that it’s since made it impossible to do such mass collections of data by limiting its API.

From the post:

Since Telegram is based on phone contacts, any party can potentially check whether a phone number is registered in the system. This is also true for any other contact-based messaging app (WhatsApp, Messenger, etc.).

As far as the SMS vulnerability goes, Anderson and Guarnieri said it lies in the use of text messages to activate new devices. When logging into a new device, Telegram sends authorization codes via SMS.

Those are the messages reportedly intercepted. According to the researchers, the phone company might have intercepted the codes and shared them with hackers: a danger in any country wherein carriers are owned or heavily influenced by the government.

Once the attackers had the codes, they could add new devices to a target’s Telegram account and read both new messages and chat histories.

Reuters quoted Anderson:

“We have over a dozen cases in which Telegram accounts have been compromised, through ways that sound like basically coordination with the cellphone company.”

Telegram said that this is “hardly a new threat,” given that it’s increasingly been warning users in certain countries about it.

The company pointed out that it’s introduced two-step verification (2SV)– what’s also known as two-factor authentication (2FA) —specifically to help users in these situations:

If you have reasons to think that your mobile carrier is intercepting your SMS codes, use 2-Step Verification to protect your account with a password. If you do that, there’s nothing an attacker can do.

The researchers declined to say whether they believe that the attackers are affiliated with the Iranian government, though they did say that some victims were targeted prior to being arrested.

Anderson and Guarnieri believe that the hackers belong to a group called Rocket Kitten that writes its code comments in Persian. Rocket Kitten is believed to be responsible for spearphishing campaigns that target high ranking defense officials, various countries’ embassies, notable researchers, human rights activists, journalists, academic institutions, and scholars, including nuclear scientists.

Anderson and Guarnieri have declined to name the Telegram targets, out of concern for their safety.

And though the 15 million phone numbers are publicly available, the fact that they’re associated with an encrypted messaging app doesn’t bode well for protecting Iranian dissidents or anybody who doesn’t want the government to know how they’re communicating.

Guarnieri:

“A systematic de-anonymization and classification of people who employ encryption tools (of some sort, at least) for an entire nation [has never been exposed before].”

Having said that, Reuters reports that Telegram is used not just by dissidents, but across the political spectrum.

In November, Telegram CEO Pavel Durov – who also created VKontakte, Russia’s version of Facebook, before fleeing the country under pressure from the government – said on his Telegram channel that he’d heard from the Iranian government about a request he’d received for “spying tools.”

The request wasn’t from them, he was told. It was, in fact, fake and “not authorized by any higher authorities.”

From his channel:

I’d like to believe that this is true… It’s easy to misinterpret the situation in markets that have a history of internet censorship.

This is the second time this week that Telegram’s been in the headlines over security.

As we reported on Monday, a data leak in Telegram’s MacOS version wrote text that was cut and pasted into the app into the Mac’s system log. System logs hang around for days and in corporate environments might even be sent unencrypted to a logging server.

As Naked Security’s Mark Stockley said about the vulnerability, it was the kind of thing that can happen when somebody makes a mistake like leaving a bit of debugging code in a production app.

With regards to the more recent SMS text vulnerability, Mark noted that it illustrates an important truth about software: namely, that “even super-secret-sauce-software is still software, it’s still made by people, used by people and subject to flaws. It might be better than the next best thing, but that’s all it can ever be, better.”

If you’re a Telegram user, make sure to turn on 2SV. On your device, go to Settings – Privacy and Security – 2-Step Verification.

2SV/2FA isn’t invulnerable, but it is better.