Four cryptographic vulnerabilities in Telegram
An international research team of cryptographers completed a detailed security analysis of the popular Telegram messaging platform identifying several weaknesses in its protocol that demonstrate the product falls short of some essential data security guarantees.
Working with only open-source code and without “attacking” any of Telegram’s running systems, a small team of international researchers completed a detailed analysis of the company’s encryption services. Scientists from ETH Zurich and Royal Holloway, University of London exposed several cryptographic protocol weaknesses on the popular messaging platform.
For most of its 570 million users the immediate risk is low, but the vulnerabilities highlight that Telegram’s proprietary system falls short of the security guarantees enjoyed by other, widely deployed cryptographic protocols such as Transport Layer Security (TLS). ETH Zurich Professor, Kenny Paterson indicates that the analysis revealed four key issues that “…could be done better, more securely, and in a more trustworthy manner with a standard approach to cryptography.”
First, the “crime-pizza” vulnerability
Researchers assessed that the most significant vulnerabilities relate to the ability of an attacker on the network to manipulate the sequencing of messages coming from a client to one of the cloud servers that Telegram operates globally. Imagine the potential damage that could occur in swapping the sequence of messages. For example, if the order of the messages in the sequence “I say ’yes’ to”, “pizza”, “I say ’no’ to”, “crime” was altered then it would appear that the client is declaring their willingness to commit a crime.
Second, the “every bit of information is too much” attack
Mostly of theoretical interest, this vulnerability allows for an attacker on the network to detect which of two messages are encrypted by a client or a server. Cryptographic protocols are designed to rule out even such attacks.
Third, the “adjust your clocks” attack
Researchers studied the implementation of Telegram clients and found that three - Android, iOS, and Desktop - contained code which, in principle, permitted attackers to recover some plaintext from encrypted messages. While this seems alarming, it would require an attacker to send millions of carefully crafted messages to a target and observe minute differences in how long the response takes to be delivered. Nevertheless, if this type of attack were successful it would be devastating for the confidentiality of Telegram messages and, of course its users. Fortunately, this attack is almost impossible to pull off in practice. But, before you breathe a sigh of relief, this type of attack is mostly mitigated by the sheer coincidence that some metadata in Telegram is selected at random and kept secret.
Fourth, the “piggy in the middle” game
The researchers also show how an attacker can mount an "attacker-in-the-middle" type of attack on the initial key negotiation between the client and the server. This allows an attacker to impersonate the server to a client, enabling it to break both the confidentiality and integrity of the communication. Luckily this attack, too, is quite difficult to pull off as it requires the attacker to send billions of messages to a Telegram server within minutes. However, this attack highlights that while users are required to trust Telegram’s severs, the security of Telegram's servers and their implementations cannot be taken for granted.
Security foundations
As is usual in this area of research, the team informed Telegram developers of their findings 90 days prior to making them public, offering the company ample time to address the issues identified. In the meantime, Telegram has reacted to the results and fixed the security issues found by the researchers with software updates.
Cryptographic protocols are based on building blocks such as hash functions, block ciphers and public-key encryption. The industry standard approach is to compose these in a way such that formal guarantees can be given that if the building blocks are secure, the composed protocol is secure, too. Telegram lacked such a formal assurance. Here the research team offers a silver lining to Telegram: They show how to achieve such assurances with only minor changes to Telegram’s protocol. However, a protocol is only as safe as its building blocks and Telegram’s protocol places unusually strong security requirements on those building blocks. The research team describes this as analogous to speeding down the motorway in a car with untested brakes.
So, why are academic researchers digging into the private sector’s open-source code? Kenny Paterson says, “The fundamental reason is that we want to build stronger, more secure systems that protect users. Since the tech industry sometimes evolves at a faster pace than in academia, tech companies offer students an opportunity to work on, and possibly solve, real-world challenges making an impactful contribution to society.”
Royal Holloway professor, Martin Albrecht added, “In this instance our work was motivated by other research that examines the use of technology by participants in large-scale protests such as those seen in 2019 / 2020 in Hong Kong. We found that protesters critically relied on Telegram to coordinate their activities, but that Telegram had not received a security check from cryptographers.”
Further information
Information security research team consisted of:
Professor Kenny Paterson and Dr. Igors Stepanovs, ETH Zurich’s Applied Cryptography Group.
Professor Martin Albrecht and PhD candidate, Lenka Mareková, Cryptography Group, Royal Holloway, University of London.