Multiple encryption flaws uncovered in Telegram messaging protocol

Vulnerabilities highlight risks of ‘knit-your-own’ crypto

An analysis of the popular Telegram secure messaging protocol has identified four cryptographic vulnerabilities.

Although none of the flaws are particularly serious or easy to exploit, security researchers have nonetheless warned that the software “falls short on some essential data security guarantees”.

Standard deviation

Computer scientists from from ETH Zurich and Royal Holloway, University of London, uncovered the vulnerabilities after examining the open source code used to provide encryption services to the Telegram app.

They found that Telegram’s proprietary system falls short of the security guarantees enjoyed by other, widely deployed cryptographic protocols such as Transport Layer Security (TLS).

ETH Zurich professor Kenny Paterson commented that encryption services “could be done better, more securely, and in a more trustworthy manner with a standard approach to cryptography”.

Catch up with the latest encryption-related news and analysis

The most significant vulnerability among the quartet makes it possible for an attacker to manipulate the sequencing of messages coming from a client to one of the cloud servers operate by Telegram.

A second flaw made it possible for an attacker on the network to detect which of two messages are encrypted by a client or a server, an issue more of interest to cryptographers than hostile parties, the researchers suggest.

A third security weakness made it possible for an attacker to recover some plain text from encrypted messages – a timing-based side-channel attack that would require an attacker to send millions of messages and observe how long the responses take to be delivered.

The fourth security issue involves a potential manipulator-in-the-middle attack targeting initial key negotiation between the client and the server. This assault could only succeed after sending billions of messages.

The researchers notified Telegram about their research in April. Telegram has since patched all four flaws, clearing the way for researchers to go public with their findings through a detailed technical blog post.

TLS-as-standard

Royal Holloway professor Martin Albrecht told The Daily Swig that the researchers offered lessons for other developers of secure messaging apps – for example, industry standard TLS encryption should be a preferred design choice.

“The ‘mode’ of Telegram we looked at was when messages are encrypted between the client and the server only,” Albrecht explained.

“This is no different from running Facebook Messenger or IRC [Internet Relay Chat] over TLS. Here it makes little sense to not use TLS (or its UDP variants). It is well studied, including its implementations, it does not need special assumptions, it is less brittle than [for example] MTProto.”

MTProto is the encryption scheme used by Telegram.

READ Kaspersky Password Manager lambasted for multiple cryptographic flaws

Telegram already relies on TLS for its security for messages from the server to Android clients, but it relies on proprietary approaches elsewhere.

Whether apps are built using TLS as a foundation or not, an audit by cryptographers is highly advisable.

Albrecht commented: “When we talk about secure messaging apps specifically, i.e messages are encrypted between the parties not just the transport layer between client and server, they should have cryptographers on staff who formally reason about the design. In the future this should get easier with the MLS standard.”

Hong Kong Garden

The research into Telegram was motivated by use of technology by participants in large-​scale protests such as those seen in 2019/2020 in Hong Kong. “We found that protesters critically relied on Telegram to coordinate their activities, but that Telegram had not received a security check from cryptographers,” according to Albrecht.

Albrecht was part of a team that researched what makes the Telegram platform to high-risk users involved in mass protests, who are likely to be targeted by surveillance.

“Telegram does seem to have the advantage of ‘staying up’ in light of government crackdown in contrast to other social networks and seemingly not complying all that much with government requests,” according to Albrecht.

YOU MAY LIKE Threema, the European rival to Signal, wins pivotal privacy battle in Swiss Court

Although mobile messaging apps such as Signal are often recommended and used by the infosec-savvy, features and utility are more important for mainstream users and go some way to explaining use of Telegram among protesters in Hong Kong and beyond.

“It might be better to compare Telegram to Facebook or Twitter (in terms of features and appeal) than to, say, Signal,” he added.

Telegram may be preferred to Facebook even if the latter is likely better or at stricter when it comes to data governance, Albrecht concluded.

“On the flip side, it is not clear what security policies, processes and safeguards Telegram have in place to, e.g continuously vet their (server and client) code for software vulnerabilities, to prevent their own staff from snooping.”

RELATED Encryption issues account for minority of flaws in encryption libraries – research