[BreachExchange] What really happened in mass Telegram secure messenger hack

Audrey McNeil audrey at riskbasedsecurity.com
Mon Aug 8 18:40:49 EDT 2016


http://www.zdnet.com/article/what-really-happened-in-mass-telegram-secure-messenger-hack/

Telegram has fought back against researcher claims that Iranian
cyberattackers have managed to compromise at least a dozen accounts on the
secure messaging service and identified the phone numbers of 15 million
users.

This week, the Reuters news agency reported that the attack was the
"largest known breach of the encrypted communications system."

According to the publication, the cyberattack was carried out this year by
hackers belonging to a group called "Rocket Kitten," but the breach was kept
under wraps.

Telegram is used by 100 million people worldwide. According to cyber
researcher Collin Anderson and Amnesty International technologist Claudio
Guarnieri, roughly 20 million people in Iran alone use the service.
Telegram offers end-to-end encryption, which ensures the keys lie only with
the user -- and the company itself cannot access message data.

The researchers said that a vulnerability was found within how the company
uses SMS text messages to sign up new devices to the service. Anderson and
Guarnieri claim that when a user logs into Telegram from a new smartphone,
authorization codes are sent via SMS which in turn can be intercepted by
the phone company and shared with cyberattackers.

This is particularly a problem when communications providers are heavily
monitored or owned by states which want to keep track of their citizens.
This year in Iran, for example, the country's government demanded that
foreign messaging service providers must store Iranian citizen data within
the country -- where law enforcement has easy access.

Once compromised SMS codes have been acquired, the cyberattacker can add
new devices to the Telegram account, read chat histories, and intercept
new messages.

In response to the researchers' allegations, Telegram said that "certain
people checked whether some Iranian numbers were registered on Telegram and
were able to confirm this for 15 million accounts," but that the Iranian
accounts "were not accessed." In addition, the only information released
through the mass checks of Iranian numbers was in the public domain.

Telegram added that such mass checks are no longer possible since the
recent introduction of some limitations into the firm's API this year.

"However, since Telegram is based on phone contacts, any party can
potentially check whether a phone number is registered in the system,"
Telegram says. "This is also true for any other contact-based messaging app
(WhatsApp, Messenger, etc.)."

The company also commented:

"As for the reports that several accounts were accessed earlier this year
by intercepting SMS-verification codes, this is hardly a new threat as
we've been increasingly warning our users in certain countries about it."

To prevent account compromise through SMS messages which may be snooped on,
Telegram recommends that users set up an additional code through a
registered email account when setting up a new device.

In 2015, Telegram and a number of other messaging platforms were blocked
for various lengths of time after refusing to help the government spy on
its citizens. While Telegram is back online in the country, Facebook and
Twitter remain banned.