Telegram accounts from Iran were reportedly breached recently, as the messaging app, which prides itself on its superior security, was compromised through an SMS vulnerability.
Twelve accounts were said to be exposed and, although that might not sound like a lot, it deals a strong blow to Telegram's claim that nobody gets to read a user's messages. What is more, the hackers allegedly got hold of the phone numbers of 15 million Iranian Telegram users.
The Kitten Hack
Claudio Guarnieri, a researcher and technologist with Amnesty International, and Collin Anderson, a freelance security researcher, explained what happened. They pointed out that the recent security flaw in Telegram has to do with the SMS messages the app sends to users when they add a new device.
What happens is that Telegram sends a verification code by SMS to your phone, and you have to enter it to complete the setup of the new device. A hacker with access to your text messages can read those codes and use them to gain access to your data, including full chat conversations.
Based on their modus operandi, it looks like the hackers are part of a group dubbed Rocket Kitten. The group, whose code contains Persian-language references, is known for previous attacks that rely on standard spear-phishing campaigns. Insiders familiar with the matter have linked Rocket Kitten to the Iranian government (PDF).
"Their focus generally revolves around those with an interest in Iran and defense issues," says John Hultquist, who leads FireEye, a cybersecurity firm.
Guarnieri and Anderson refused to speculate whether or not the hackers were connected to the Iranian government. The researchers did mention that among the victims of the Telegram hack were political activists who stood up for reforms and were part of organizations opposing the current rulers of Iran.
To Text Or Not To Text
Not only were the Telegram accounts hacked by skilled attackers, but it is also highly possible that the SMS messages were spoofed with the cooperation of Iranian phone carriers, which are also said to be close to the government.
Security researchers have been pointing at the weakness of SMS-based verification for some time. With the mounting success of multi-factor authentication, SMS is rapidly losing ground as a security check.
Telegram underlines that it functions in the same way as any SMS-based app: anyone who has access to another person's SMS messages can easily log into their Telegram account.
The hackers went beyond using SMS to get at specific targets. They also managed to uncover 15 million phone numbers, or accounts, by tapping into the app's public-facing application programming interface (API).
Although not subtle at all, the brute-force method of feeding millions of Iranian mobile phone numbers into the API and collecting those that were associated with a user ID worked seamlessly.
The fact that the app works with phone contacts means that anyone can use the public API to see whether a phone number is linked to a Telegram account or not. The same is true for a number of contact-reliant messaging apps, such as Messenger or WhatsApp.
"Certain people checked whether some Iranian numbers were registered on Telegram and were able to confirm this for 15 million accounts. As a result, only publicly available data was collected and the accounts themselves were not accessed," Telegram explains in a blog post. "Such mass checks are no longer possible since we introduced some limitations into our API this year."
In Q1 2016, Telegram counted about 100 million global users, one-fifth of them in Iran. The service is one of the main tools for collecting and distributing sensitive information in the country. Because the country is under strict government media control, journalists, activists and ordinary citizens use it to communicate freely with each other and with the outside world.
"The individuals that are targeted are individuals who are human rights activists, they're opposition figures," Anderson said.
The Telegram hack is a strong reminder that, even when a platform offers high-standard communication encryption, there are always backdoors and other means of compromising it. Services such as Telegram are a great way for citizens to escape surveillance, which is vital for keeping the free speech fight alive in many countries.