Connect with us

Communication

Is Telegram Really In Trouble?

Published

on

A recent article by Alex Rad (@defendtheworld) and Juliano Rizzo (@julianor) provides details on an alleged weakness in the Telegram (@Telegram) application. GigaOM writer David Meyer (@superglaze) dug into the story, then later had to make some small corrections.

// -- Discuss and ask questions in our community on Workplace.

The researchers have one viewpoint, the company has another, and Meyer has done a good job translating the technical details.Here at Hacked we want to know a bit more as many of us are @Telegram users.

The Cryptographic Research

TelegramRad and Rizzo indicate that they’ve found an MITM, short for Man In The Middle, attack. The O(2^64) is an indication of the effort required for the attack.

// -- Become a yearly Platinum Member and save 69 USD and get access to our secret group on Workplace. Click here to change your current membership -- //

This past spring, Juliano Rizzo (@julianor) and I came up with a cryptographic attack on Telegram’s MTProto “secret” chat communications that can be performed in O(2^64) time. The attack happens from an active MITM position on Telegram’s servers.

This method of expressing computational complexity is known as Big O Notation, and it is typically taught in a college junior level algorithm analysis class. If you have a list of email addresses you want to search, proceeding alphabetically through all of them would be O(n), indicating the effort would be linear.

If you create twenty-six lists based on first letter this would be what computer scientists call a hash, or if you organized them into a tree structure, you would find both of them have O(log(n)) complexity. Expand your email list by a factor of a hundred and a well-done search will only take a tiny bit longer. Cryptography’s entire basis is finding calculations that can be performed in a reasonable amount of time, but which require many orders of magnitude more effort to reverse.

The O(2^64) is a fixed amount of time to perform the attack. Telegram’s rejoinder to this was that it’s a trillion dollar problem involving dedicating a couple of large nuclear plants to drive the computing machinery required. That’s a pedantic way of claiming that such an attacker is unlikely to exist.

Real World Issues

Outside the bounds of the cryptographic attack, the researchers pointed out a number of other problems with Telegram. These include:

  • Users code in using SMS messages. This ties phone number to device IP.
  • No anonymous mode exists, users de facto geolocate themselves using Telegram.
  • Central server maintains metadata
  • Only private point to point chats are encrypted
  • Central server holds unencrypted messages, waiting for a chance to push them.
  • Secret chats only recently got forward secrecy
  • Authentication happens for every conversation, not per identity

What do these issue mean for day to day use?

As a source of breaking news with stories typically between 300 and 900 words, Hacked isn’t doing anything that would be of interest to the NSA. Our threat model mostly involves cryptocoin bandits trolling writers at our sister publication, CryptoCoinsNews, when their articles interrupt the scam of the week. People write under their own names, the only secrets anywhere in the mix are the cell phone numbers, and maybe the occasional embargoed press release. It would be a nuisance if these things got out, but nobody with the skills to manage such a feat has come knocking.

If you want a lightweight chat type package with both desktop and mobile clients sharing a single identity your choices are pretty limited. Telegram accomplishes this in a smooth, minimalist fashion. As far as a threat assessment, it seems safe to presume that it is just as open as plain text SMS messages, and govern yourself accordingly.

How To Choose

This story was already well handled by Meyer, but there is an overarching theme: What is the threat model for you and your associates? Are you in a position to evaluate solutions? To advocate for their uptake? To support them? To fund them?

The world buzzes furiously over the NSA’s expensive, ineffective, unconstitutional surveillance dragnet, but how many of you actually rise to the level where an agency like that would actually task someone to see what you are doing? Your threats are probably far more pedestrian; fraudsters who want your coins and credit card info, old lovers who “just want to talk”, or maybe your work is enough of a target that a competitor is trying to creep up on you. A little bit of situational awareness and occasionally tidying up goes a long way towards thwarting these threats.

DP5, the successor to the Off The Record protocol the NSA characterizes as ‘catastrophic’ to monitor, is liable to rearrange the chat/message application landscape. A year from now things are likely to be very different, but Telegram isn’t likely to be dislodged from the niche it holds right now.

Images from Telegram, Denys Prykhodov and Shutterstock.

Important: Never invest money you can't afford to lose. Always do your own research and due diligence before placing a trade. Read our Terms & Conditions here.



Feedback or Requests?

Click to comment

You must be logged in to post a comment Login

Leave a Reply

Communication

San Bernadino iPhone Case: Major Press Agencies Are Suing the FBI

Published

on

The Associated Press, Gannett, and VICE Media are suing the FBI to know more details about the agency’s hack of the San Bernadino killer’s iPhone.

// -- Discuss and ask questions in our community on Workplace.

(more…)

Important: Never invest money you can't afford to lose. Always do your own research and due diligence before placing a trade. Read our Terms & Conditions here.



Feedback or Requests?

Continue Reading

Communication

Toward Unbreakable Quantum Encryption for Everyone

Published

on

Hacked recently covered the efforts of the Chinese government to build unbreakable quantum communication networks. According to analysts, quantum communications networks are so expensive that they could have a “recentralizing effect,” enabling states to recover the ground that they have lost to decentralizing digital technologies. But what if ultra-secure quantum cryptography could be made available to everyone at low cost?

// -- Discuss and ask questions in our community on Workplace.

(more…)

Important: Never invest money you can't afford to lose. Always do your own research and due diligence before placing a trade. Read our Terms & Conditions here.



Feedback or Requests?

Continue Reading

Communication

The Chinese Quantum Satellite QUESS: Toward Unbreakable Quantum Networks

Published

on

One year ago Hacked covered the race between the US and China to develop “military super-powers” by harnessing quantum science, and noted that Chinese scientists were developing quantum communication satellites that support unbreakable encryption. A few weeks ago, China launched its first quantum satellite.

// -- Discuss and ask questions in our community on Workplace.

(more…)

Important: Never invest money you can't afford to lose. Always do your own research and due diligence before placing a trade. Read our Terms & Conditions here.



Feedback or Requests?

Continue Reading

Trending