News about data breaches hit headlines every day. With that in mind, you took steps to protect yourself better by using a messaging app with end-to-end encryption. And you sat back thinking you are safe. A new report now indicates a text message flaw is responsible for a telegram hack in Iran. If Telegram is “hackable”, how can we be sure all other messaging apps like WhatsApp and Messenger are secure?
Claudio Guarnieri of Amnesty International alongside fellow technologist, Collin Anderson tracked Telegram accounts breaches in Iran and discovered an SMS message is responsible for the hack. Telegram sends an SMS to the user’s phone number on registration. The text contains a verification code that a user is supposed to enter to finalize the registration process. An attacker with the message can access the victim’s account from their devices, thereby obtaining their chat records.
According to the two researchers, a group of hackers called Rocket Kitten is responsible for the hack. In the recent past, numerous reports have come up, tying the group of hackers to the Iranian government. Is the Iranian government using these hackers to spy on citizens? The researcher further speculates that, since the text message is the root source of the hack, the Iranian telephone carriers may have granted the hackers access. Iranian phone carriers have strong ties with the government.
But should we be surprised that the SMS is involved in the hack? Text SMS have proven before to be very vulnerable to attacks. Last week, the National Institute of Standards warned against using SMS in two-factor authentication processes.
In a statement to WIRED, Telegram claimed that their application is similar to any other messaging app. “If someone can access your SMS message, they will access your account. If you have enabled the two-factor authentication, then they require our recovery email or phone number.”
Hacking telegram accounts are not the only thing the group of hackers is accused of doing. According to t the researchers, the hackers accessed more than 15 million phone number using the Telegram public facing app program interface. They used a brute force attack on the API by feeding in many random Iranian phone numbers and recording those that yielded a User ID. A telegram spokesperson explained that “Telegram is an app that uses your phone number as the primary identifier. Anyone with the app can look up if your phone number is registered on Telegram.”
The two researchers will provide more information about the Telegram hacking in Iran at the Black Hat Cybersecurity Conference in Las Vegas coming Thursday.
The telegram hack may have affected 20 million Iranian users. The app is an important communication tool in the country considering the suppressed freedom of Press. The hack is troubling, yes, but it is a reminder that no communication channel is impenetrable.