An international research team of cryptologists carried out a security analysis of the Telegram messaging platform. Several vulnerabilities were identified in their log. This means that essential data security guarantees are not sufficiently met.
A small team of international researchers analyzed Telegram’s encryption services in detail using only open source code and without an “attack” on the running Telegram systems. The scientists from ETH Zurich and the Royal Holloway College (University of London) uncovered several cryptographic vulnerabilities in the protocol of the popular messaging platform.
Although the immediate risk for the majority of their 570 million users is low, the weak points make it clear that the Telegram system is inferior to the security guarantees of other, often used encryption protocols such as Transport Layer Security (TLS). Professor Kenny Paterson of the ETH Zurich points out that the analysis uncovered four crucial problems that “… could be solved better, more securely and in a more trustworthy way with a standard encryption method”.
First weak point: Committing a crime or eating pizza?
The researchers found that the main weaknesses are related to the fact that attackers in the network can manipulate the sequence of messages that are sent from the client to one of the cloud servers operated by Telegram worldwide. For example, messages could be swapped in a chat process. So if someone can change the order of the messages “I say ‘yes’ to”, “pizza!”, “I say no, to”, “crime”, the “yes” to eating pizza could suddenly turn into a “yes” to become a crime.
Second weak point: Every bit of information is too much
A network attacker can use this weak point, which is more of a theoretical nature, to find out which of two messages from a client or from a server is encrypted. However, encryption protocols are designed in such a way that they also exclude such attacks.
Third weak point: setting the clock
The researchers examined the implementation of Telegram clients and found that three of them – namely Android, iOS and Desktop – each contained code that in principle allows attackers to partially decrypt encrypted messages. Even if this sounds worrying, an attacker would have to send millions of carefully crafted messages to their target and determine the tiniest differences in the delivery time of the responses.
If such an attack were successful, however, it would have devastating consequences for the confidentiality of the Telegram messages and of course for their users. Fortunately, such an attack is almost impossible in practice. And yet you have to take this weak point seriously. Such an attack is mainly thwarted by chance, as Telegram keeps some metadata secret and selects it at random.
–
