Telegram encryption vulnerabilities found by researchers
A team of cryptographers has discovered flaws in the encryption protocol used by the Telegram messenger app. The Telegram encryption vulnerabilities are detailed in a research paper to be presented at the IEEE Symposium on Security and Privacy next year.
Note: This article has been updated to include a statement from Telegram.
About the research
The researchers are an international team from the UK and Switzerland. Martin Albrecht and Lenka Mareková work at the University of London; Kenny Paterson and Igors Stepanovs at ETH Zurich.
In the introduction to their research paper, they explain why they decided to take a closer look at Telegram’s encryption. They note that Telegram uses a proprietary encryption protocol (MTProto) that has not been very well studied by cryptographers, despite the fact that Telegram is popular with “higher-risk users” like activists and protesters. As the researchers put it, even though so many people around the world depend on it, “the security that Telegram offers is not well understood”.
Telegram does offer an end-to-end encrypted (E2EE) chat feature, but the researchers chose to focus on the encryption used in the platform’s “cloud chats”. Cloud chats are encrypted between users and Telegram’s servers, but are not encrypted end-to-end. Significantly, Telegram’s default for individual chats is cloud chat, not E2EE chat. In addition, there is no E2EE option when using the app’s group chat functionality.
What they found
All told, the research team uncovered four distinct vulnerabilities:
A flaw that could allow an attacker to alter the order of messages sent from a user to Telegram’s servers (and thus to change the order of the messages as they would appear to a chat participant on the receiving end).
A vulnerability that could disclose information about the acknowledgement messages sent between a user and a Telegram server (although the researchers say that this type of “attack” is mostly of academic interest).
A flaw that could allow an attacker to send maliciously crafted messages to a target and theoretically produce a “leak” of unencrypted message data if certain other conditions were met.
A flaw that could allow an attacker to pretend to be a legitimate Telegram server, thus completely undermining the privacy and security of the chat.
Do these Telegram encryption vulnerabilities put users at risk?
Although the above vulnerabilities sound scary, there is actually quite a bit of good news here.
First of all, it would be extremely difficult for a bad actor to exploit the more serious vulnerabilities discussed above. In particular, the “data leak” and “server impersonation” attacks would require sending millions or billions of messages to the target. This makes such attacks impractical. And according to Albrecht, while the message reordering attack “can be easily done in practice”, the “impact … will be relatively low in most situations”. It should also be noted that Telegram, for its part, says that these vulnerabilities never presented anything more than a highly theoretical risk to users. See their statement about the research (and their subsequent updates, discussed below) for full details.
Secondly, the research team reported all four Telegram encryption vulnerabilities to the app’s developers back in April. Telegram says that they addressed the vulnerabilities in recent updates. These were issued as Telegram version 7.8.1 for Android, 7.8.3 for iOS, and 2.8.8 for desktop. (Needless to say, if you’re a Telegram user, now would be a good time to update your app!)
Lastly, the researchers say that their work doesn’t just highlight the flaws in Telegram’s encryption. It also shows how Telegram could make their encryption secure.
What’s the bigger picture?
There are several important takeaways from this research.
For developers and companies, the lesson should be that encryption isn’t easy to do well. For that reason, trying to do it on your own is almost never a good idea! Telegram is a well-resourced organization that specializes in encryption, and their proprietary crypto protocol still had weaknesses. If you have encryption needs, it’s best to go with a well-established, well-tested cryptographic library. It’s also important to get expert help from professionals to make sure you’re implementing that library correctly.
For everyday users, this research underscores the importance of running thoroughly vetted technology. This is especially true when your security and privacy are at stake. As we’ve seen in everything from IoT devices to messaging applications, security vulnerabilities are far too common, and are often the result of poor development or a lack of testing and outside review.
Finally, for Mac users, this offers yet another great illustration of why third-party research is so crucial to macOS security. In this case, cryptographers found weaknesses in Telegram’s code — weaknesses which Telegram’s own developers hadn’t seen. In much the same way, the macOS security research and malware research communities play a vital role in keeping Mac users safe. Thankfully, Apple seems to realize this, and has been opening the door more and more to third-party researchers in recent years.