Is Telegram Really In Trouble?
A recent article by Alex Rad (@defendtheworld) and Juliano Rizzo (@julianor) provides details on an alleged weakness in the Telegram (@Telegram) application. GigaOM writer David Meyer (@superglaze) dug into the story, then later had to make some small corrections.
The researchers have one viewpoint, the company has another, and Meyer has done a good job translating the technical details. Here at Hacked we want to know a bit more, since many of us are @Telegram users.
The Cryptographic Research
This past spring, Juliano Rizzo (@julianor) and I came up with a cryptographic attack on Telegram’s MTProto “secret” chat communications that can be performed in O(2^64) time. The attack happens from an active MITM position on Telegram’s servers.
This method of expressing computational complexity is known as Big O Notation, and it is typically taught in a college junior level algorithm analysis class. If you have a list of email addresses you want to search, proceeding alphabetically through all of them would be O(n), indicating the effort would be linear.
If you create twenty-six lists based on the first letter, this would be what computer scientists call a hash, or if you organized them into a tree structure, you would find both of them have O(log(n)) complexity. Expand your email list by a factor of a hundred and a well-done search will only take a tiny bit longer. Cryptography’s entire basis is finding calculations that can be performed in a reasonable amount of time, but which require many orders of magnitude more effort to reverse.
The O(2^64) figure is a fixed amount of work required to perform the attack. Telegram’s rejoinder to this was that it’s a trillion dollar problem involving dedicating a couple of large nuclear plants to drive the computing machinery required. That’s a pedantic way of claiming that such an attacker is unlikely to exist.
Real World Issues
Outside the bounds of the cryptographic attack, the researchers pointed out a number of other problems with Telegram. These include:
- Users log in using SMS messages. This ties phone number to device IP.
- No anonymous mode exists, so users de facto geolocate themselves using Telegram.
- Central server maintains metadata
- Only private point to point chats are encrypted
- Central server holds unencrypted messages, waiting for a chance to push them.
- Secret chats only recently got forward secrecy
- Authentication happens for every conversation, not per identity
What do these issues mean for day to day use?
As a source of breaking news with stories typically between 300 and 900 words, Hacked isn’t doing anything that would be of interest to the NSA. Our threat model mostly involves cryptocoin bandits trolling writers at our sister publication, CryptoCoinsNews, when their articles interrupt the scam of the week. People write under their own names, the only secrets anywhere in the mix are the cell phone numbers, and maybe the occasional embargoed press release. It would be a nuisance if these things got out, but nobody with the skills to manage such a feat has come knocking.
If you want a lightweight chat package with both desktop and mobile clients sharing a single identity, your choices are pretty limited. Telegram accomplishes this in a smooth, minimalist fashion. As far as a threat assessment goes, it seems safe to presume that it is just as open as plain text SMS messages, and govern yourself accordingly.
How To Choose
This story was already well handled by Meyer, but there is an overarching theme: What is the threat model for you and your associates? Are you in a position to evaluate solutions? To advocate for their uptake? To support them? To fund them?
The world buzzes furiously over the NSA’s expensive, ineffective, unconstitutional surveillance dragnet, but how many of you actually rise to the level where an agency like that would actually task someone to see what you are doing? Your threats are probably far more pedestrian: fraudsters who want your coins and credit card info, old lovers who “just want to talk”, or maybe your work is enough of a target that a competitor is trying to creep up on you. A little bit of situational awareness and occasionally tidying up goes a long way towards thwarting these threats.
DP5, the successor to the Off The Record protocol the NSA characterizes as ‘catastrophic’ to monitor, is liable to rearrange the chat/message application landscape. A year from now things are likely to be very different, but Telegram isn’t likely to be dislodged from the niche it holds right now.