At Telegram, we love receiving notifications about security-related issues. We believe that being open source and having encryption contests helps us provide a better service. That’s why we reward people when they share ideas that allow us to make Telegram more secure.
Last month we paid $5000 to a guy who found a potential vulnerability in Telegram for Android, and this month we transferred $2500 to HackApp for pointing out weaknesses in our iOS code. The most valuable input so far came in December 2013 from a person who found a problem with the MTProto design, for which we awarded him $100,000. Whenever a potential vulnerability is found, we are the first to admit and fix it.
Unfortunately, every activity attracts its parasites. With the popularity of Telegram increasing, some people try to promote themselves or their products by attacking Telegram for false reasons.
If I had root access …
Last month we received a letter saying that “assuming an intruder had root access to a user’s Android phone, Telegram messages were not secure.”
Naturally, this hardly justifies an answer: if an intruder somehow gained root access to your device, there is no point in discussing any other layer of security – the intruder is already the GOD of your phone and can see everything you see on the screen of your device – and much more. Claiming to have found vulnerabilities “assuming root access” is like saying that Almighty God can theoretically (in addition to destroying and creating worlds at will) pick a padlock from a particular Swiss brand. So this padlock is not secure!
While this sounds like a bad joke to any security expert, it didn’t stop our correspondent, who happened to be the founder/owner/CEO/CTO of a company called Zimperium, from publishing a blog post with a clickbait title: “How I Hacked Telegram’s ‘Encryption’”.
How I “Hacked” Telegram’s Encryption
The post claimed that since an attacker with root access can read the device’s disk and memory, Telegram messages should not be stored unencrypted in the phone memory, and we should encrypt them. The obvious paradox of this “solution” is that the encryption key will also be stored somewhere on the device (otherwise it could not display messages on the screen).
So while the idea may seem reasonable to a non-specialist, it can in no way defend against attackers who already have access to the memory and disk of the device. Basically, the advice was to encrypt for the sake of encryption and create an illusion of security in a “game over” root environment, only to consume a bit more CPU and battery power.
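The argument above as a small Python model, added here as an illustration and not part of the original post: it compares who can read the message store with and without local encryption. The file names, the three principals and their access sets, and the stand-in cipher are all assumptions made for this example.

```python
import hashlib, hmac, os, tempfile
from pathlib import Path

# Assumed access model (constructed): the app reads its own private files, another
# sandboxed app reads none of them, root reads everything on the device.
PRIVATE_FILES = {"messages.db", "app.key"}
ACCESS = {"messenger_app": PRIVATE_FILES, "other_app": set(), "root": PRIVATE_FILES}

def stream_xor(key, nonce, data):
    """Stand-in cipher (HMAC-SHA256 keystream) to stay stdlib-only; not for real use."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def store(device, message, encrypted):
    """Write the message store; with encryption the key must also sit on the device."""
    if not encrypted:
        (device / "messages.db").write_bytes(message)
        return
    key, nonce = os.urandom(32), os.urandom(16)
    (device / "app.key").write_bytes(key)
    (device / "messages.db").write_bytes(nonce + stream_xor(key, nonce, message))

def read_messages(device, principal, encrypted):
    """Return the plaintext if `principal` can reach every file needed, else None."""
    needed = PRIVATE_FILES if encrypted else {"messages.db"}
    if not needed <= ACCESS[principal]:
        return None
    blob = (device / "messages.db").read_bytes()
    if not encrypted:
        return blob
    key = (device / "app.key").read_bytes()
    return stream_xor(key, blob[:16], blob[16:])

def who_can_read(encrypted, message=b"constructed sample message"):
    """Map each principal to whether it recovers the exact plaintext."""
    with tempfile.TemporaryDirectory() as tmp:
        device = Path(tmp)
        store(device, message, encrypted)
        return {p: read_messages(device, p, encrypted) == message for p in ACCESS}

if __name__ == "__main__":
    for encrypted in (False, True):
        print("encrypted" if encrypted else "plaintext", who_can_read(encrypted))
```

Both runs give the same result for every principal: the sandboxed app is kept out by file access either way, and root reads the key from the same place the app does.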
The post concluded with a sales pitch about the benefits of Zimperium software for Android (whose authors live in a world where 98.4% of Android devices can be hacked by schoolchildren).
Marked as shit
Of course, the respectable media ignored this camouflaged marketing initiative; after some research and fact-checking, the big newspapers like Forbes had a lot of fun with it. Eva Galperin, a technologist and analyst at the Electronic Frontier Foundation, summed up the crypto community’s reaction to Zimperium’s sales pitch:
“If you tell me that you can break the encryption by compromising the endpoint, you really haven’t cracked the encryption at all. It’s like haha! I can enter your house with the key! Got it!”
Filippo Valsorda from the Cloudflare security team tried to explain the situation to people outside the security community:
“For people outside the InfoSec community: there is no such thing as a Telegram hack. Pure smoke. Maybe I don’t like Telegram, but it hasn’t broken.”
HackerNews subscribers expressed rare unanimity:
“Unfortunately, this is clickbait, their attacks require root access to the device.” (Eugeneionesque)
“End-to-end encryption does nothing when an adversary controls one end. I’d say this guy is trying too hard to promote his “Zimperium Mobile Security” brand here…” (moe)
“… this isn’t really a vulnerability. It’s “if you fully control the device that sends/receives encrypted messages, you can read the messages.” There is literally no way to defend against this attack.” (IshKebab)
“Yeah … it doesn’t feel like a true vulnerability … it feels like just filling in the “vulnerability” counter” (theonewolf)
“… is not basically a game to end the root on the devices? Would the suggestions that the author hardly encrypt things in memory and on disk just add an extra step for the attacker to find the key?” (tree shape)
“The attack vector was not even via the Telegram app, it depends on whether you have access to disk or memory.” (dusty fresh)
The reaction on Reddit was even simpler:
The post should be marked as “shit” (BearsDontStack)
I like “hacks” with steps to reproduce like the following:
1) Hack the whole Gibson and get root/admin
2) … this could be literally anything …
3) You see!? The app mentioned in #2 is outright stupid! (Scroll)
Since the blog post posted by Zimperium was a botched marketing stunt that was unanimously rejected by the industry, we decided we didn’t need to make any specific announcements about this “hacking” hoax.
Shitty bingo at work
But even if you can’t exploit security bugs, you can still exploit media naïveté and public fears. While the mainstream media dismissed the claim, some smaller newspapers and blogs accepted it. Here are some of the more intriguing headlines:
“Encryption in Telegram Messenger is completely broken
Vendor does not respond to responsible vulnerability disclosure” (Softpedia)
“Telegram encryption undermined, ‘no better than SSL’
Mobile app encryption Telegram’s end-to-end security credentials are questioned after the researcher accesses the plain text messages.” (SC Magazine)
“Telegram’s cross-platform messaging flaws allow hackers to bypass encryption and access user messages.
Is Telegram safe? Not anymore!” (TechWorm)
There are many more articles like these, published mainly by small local sites that do not fact-check or research the facts. Despite our willingness to respond by email or Twitter and comment on the subject, few of them bothered to get a bigger picture. Zimperium was careful not to display any comments below their original post (although there is a comment input field designed to create the illusion of an opportunity to reply), so to a less sophisticated reader, their article full of buzzwords looks really scary. As a result, Zimperium’s post garnered around 5,000 Facebook likes and over 3,000 retweets.
In a world where security companies are shifting their approach from research to marketing, we all need to be cautious: the media needs more fact-checking, startups like Telegram need more proactive public relations, and the public must be more careful about the motives behind the reports. Otherwise, we will be constantly held hostage by companies that feed on our fears.