Homebrew crypto in Telegram hangout app full of holes, say security pros
'Jihadi favourite' cooked up by Vkontakte's Durov Bros
Security experts have poured scorn on claims by developers of the Telegram messaging app – said to be popular amongst the cadres of the so-called Islamic State – that it’s more secure than its rivals.
Telegram, which claims to be "way more secure" than WhatsApp, uses the MTProto protocol developed by the Russian brothers who developed the app, Pavel and Nikolai Durov. The service, which boasts 60 million users, provides Snapchat-style self-destruct timers for encrypted messages. Mobile and desktop versions are available.
However, security researchers reckon the secret chat app is problematic and almost definitely insecure.
“Telegram is error prone, has wonky homebrew encryption, leaks voluminous metadata, steals the address book, and is now known as a terrorist hangout,” OpSec expert The Grugq concludes in a damning assessment of the technology. “I couldn’t possibly think of a worse combination for a safe messenger.”
The home-brew crypto was also heavily criticised by computer science professor Matthew Green. “The UX is nice. The crypto is like being stabbed in the eye with a fork,” he said as part on a discussion on Twitter about the Telegram app.
Offering end-to-end encryption is widely seen by computer scientists as necessary for privacy in the post-Snowden era. WhatsApp (on Android, for now), Apple’s iMessage and various commercial messaging apps offer end-to-end encryption.
But of the messaging options available through Telegram – Messages, Group Chats, Channels and Secret Chats – only Secret Chats offers end-to-end encryption, Christopher Soghoian, a principal technologist at the ACLU, stated in an update to his personal Twitter account*.1
Telegram's technical FAQ, which states that "Telegram has two modes of communication — ordinary chats using client-server encryption and Secret Chats using end-to-end encryption".
The service is running a competition offering "$300,000 to the first person to break Telegram encryption".
Criticism of the architecture of the chat app from some quarters excludes any consideration about software vulnerabilities. Previous problems hardly inspire confidence on that score even before considering a new vulnerability (seriousness currently unclear) is in the pipeline.
Block and tackle
Last week Telegram blocked some "public" ISIS-related channels. More specifically, Telegram shut down the "Nasir" and "Khalifa" channels, which between them boasted 16,000 members, among others. The tool has been used to spread propaganda by the terrorist group, forcing its developers to embark on what may become a whack-a-mole mission.
Telegram said it had "blocked 78 ISIS-related channels across 12 languages" via a statement only available in full to those who have installed the messaging app, as previously reported. It later said that it had blocked another 164 public channels used to spread terrorist propaganda in response to reports of abuse.
“Telegram channels are public broadcasts. They are the opposite of private chats. Please don't mix the two,” said Pavel Durov in a Twitter update. “Our policy is simple: privacy is paramount. Public channels, however, have nothing to do with privacy. ISIS public channels will be blocked.”
The clampdown may not be entirely beneficial from the perspective of Western intel agencies, according to some observers. “‘Channels’ on Telegram aren't encrypted. These were likely a valuable source of intel for govs,” Soghoian notes.
Pavel Durov founded VKontakte (VK), Russia’s answer to Facebook, before leaving the country rather than giving into law enforcement requests for access to discussions taking place on the site, the BBC reports. Telegram is based in Berlin. ®
Sponsored: Becoming a Pragmatic Security Leader