A group of Iranian hackers identified the phone numbers of 15 million Iranian users of Telegram, an encrypted messaging app, and compromised more than a dozen accounts. The company disputes the scope of the breach, while the security researchers who uncovered it call it the largest known hack of an encrypted communication system.
Reuters consulted independent cyber researcher Collin Anderson and Amnesty International technologist Claudio Guarnieri, who study Iranian hacking groups. They state that the hackers intercepted SMS confirmation codes to compromise the communications of activists, journalists and other people in sensitive positions inside Iran, where at least 20 million people use the service.
Telegram sends an SMS confirmation code either to log an account in on a new device or to activate a fresh login. Anyone who intercepts that code can add their own device to the person's Telegram account and read that user's existing chats and future messages; no flaw in the app itself is needed.
The Trojan Horse hack
Telegram's vulnerability, according to Anderson and Guarnieri, lies in its reliance on SMS text messages to sync an account to a new device.
The company's reliance on SMS verification makes it weaker in any country where telecom companies are monopolized or controlled by the government. Such is the case in Iran, where the state- and military-owned Telecommunication Company of Iran is the biggest carrier of Internet and phone service in the country.
"We have over a dozen cases where Telegram accounts have been compromised, through ways that sound like central coordination with the cellphone company," said Collin Anderson in an interview with Reuters.
The hackers, the researchers said, belong to a group known as Rocket Kitten, although it is unclear whether or not the government employs them. The numbers were not leaked publicly; the researchers found them on servers used by Rocket Kitten.
The company acknowledged the incident on its blog but downplayed its scope and said that the accounts linked to the exposed phone numbers cannot be accessed. It also said the interception of SMS confirmation codes "is hardly a new threat."
Either way, a better way to protect a Telegram account is to enable the optional two-step verification, which requires a password in addition to the SMS code whenever the account is logged in on a new device, with an optional recovery email in case the password is forgotten. Because the password never travels over the carrier's network, an attacker who only controls the SMS channel cannot complete the login with the intercepted code alone.
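To make the mechanism concrete, here is an added Python model of the login flow described above. It is example code written for this page, not Telegram's code or protocol: the three parties (service, carrier, attacker), the phone number, the five-digit code format and the password hashing are all assumptions made for illustration. It shows an attacker sitting at the carrier reading the SMS code and adding a device, and the same attempt failing when a password that never crosses the SMS channel is required as a second step.

```python
"""Simplified model of SMS-code login and why two-step verification helps.

Constructed example; this is NOT Telegram's protocol or code. It models
three parties: the messaging service, the mobile carrier that delivers the
SMS, and an attacker who can read the carrier's traffic (the
state-controlled telco case). Names, the phone number and the code and
password formats are assumptions made for illustration.
"""
import hashlib
import hmac
import secrets


class Carrier:
    """Delivers SMS to handsets. A tapped carrier also copies every message
    to the attacker's inbox, modelling interception at the telco."""

    def __init__(self):
        self.inboxes = {}        # phone -> list of SMS texts
        self.tap = None          # attacker's list if the carrier is compromised

    def send_sms(self, phone, text):
        self.inboxes.setdefault(phone, []).append(text)
        if self.tap is not None:
            self.tap.append((phone, text))


class MessagingService:
    """Account server: SMS code to add a device, optional 2SV password."""

    def __init__(self, carrier):
        self.carrier = carrier
        self.pending = {}        # phone -> one-time login code
        self.pw_hash = {}        # phone -> (salt, pbkdf2 digest) if 2SV is on
        self.sessions = {}       # phone -> set of device ids with access

    def enable_two_step(self, phone, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.pw_hash[phone] = (salt, digest)

    def request_login(self, phone):
        # Fresh 5-digit code per attempt, sent only over the SMS channel.
        code = f"{secrets.randbelow(100_000):05d}"
        self.pending[phone] = code
        self.carrier.send_sms(phone, f"Login code: {code}")

    def confirm_login(self, phone, device, code, password=None):
        expected = self.pending.get(phone)
        if expected is None or not hmac.compare_digest(expected, code):
            return False
        # The code is single-use whether or not the second step succeeds.
        del self.pending[phone]
        if phone in self.pw_hash:
            salt, digest = self.pw_hash[phone]
            if password is None:
                return False
            got = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
            if not hmac.compare_digest(got, digest):
                return False
        self.sessions.setdefault(phone, set()).add(device)
        return True


def parse_code(sms_text):
    """Pull the code out of the constructed 'Login code: NNNNN' message."""
    return sms_text.rsplit(" ", 1)[1]


def attacker_adds_device(two_step_password=None):
    """Run the attack once; return True if the attacker's device got access."""
    carrier = Carrier()
    stolen = []
    carrier.tap = stolen                      # attacker reads telco traffic
    service = MessagingService(carrier)
    victim = "+98-900-000-0000"               # constructed number
    if two_step_password is not None:
        service.enable_two_step(victim, two_step_password)

    # Attacker asks the service to add a new device to the victim's account.
    service.request_login(victim)
    # The code reaches the victim's handset, and the attacker via the tap.
    _, text = stolen[-1]
    code = parse_code(text)
    # The attacker has the code but not the 2SV password.
    return service.confirm_login(victim, "attacker-laptop", code)


if __name__ == "__main__":
    print("SMS only, attacker gets in:", attacker_adds_device())
    print("With 2SV password, attacker gets in:", attacker_adds_device("long passphrase"))
```

The model deliberately leaves out what a real service must also do (expire codes, rate-limit attempts, notify existing sessions of a new login); the point it isolates is that a second factor only helps against this attacker if it is delivered over a channel the carrier does not see.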
Security versus privacy is always a valid consideration
Telegram advertises itself as the fastest and most secure messaging app available. Its end-to-end encryption, however, applies only to its optional Secret Chats; regular cloud chats are encrypted between client and server and stored on Telegram's servers, and they sync to any device that is logged in to the account, which is why an added device can read them. Other messaging systems, such as Facebook's Messenger and the Facebook-owned WhatsApp, have been gradually adding end-to-end encryption as well.
The service currently has more than 100 million active users, is widely popular in the Middle East, Latin America and Southeast Asia, and ranks as the 9th most used messaging app in the world.
And while Facebook and Twitter are banned in Iran, Telegram is the preferred app among political groups. But this new revelation shows, again, that encryption technologies and governments do not get along well.
Telegram founder Pavel Durov sided with Apple CEO Tim Cook back in February on the question of whether authorities should have access to the contents of mobile devices.