Iranian Telegram Accounts Compromised

15 million Iranian Telegram users have reportedly had their phone number and their ID registered with the Telegram encrypted chat app compromised. In a paper to be presented at the Black Hat conference on Thursday, security researchers Collin Anderson and Claudio Guarnieri will outline their findings into the alleged compromise of more than a dozen Telegram accounts and the identification of 15 million Iranian users’ telephone numbers. This, it is claimed, would have jeopardized the communications of activists, journalists and other people in sensitive positions in Iran.

Telegram is an app designed to offer privacy and confidentiality with end-to-end encryption. The company was founded by the brothers Pavel and Nikolai Durov, following Pavel Durov’s sale of VK to the Mail.ru group in 2014.

According to a report from Reuters, Telegram’s vulnerability lies in its use of SMS messages to activate new devices. “When users want to log on to Telegram from a new phone,” reports Reuters, “the company sends them authorization codes via SMS, which can be intercepted by the phone company and shared with the hackers, the researchers said.”

Telegram itself has been quick to deny any serious problem. It points out that anyone can check whether a particular phone number is registered for any contact-based messaging service, including WhatsApp, Messenger and others. The automated API-based checks that were apparently used in this incident “are no longer possible since we introduced some limitations into our API this year.”

As for the dozen or more accessed accounts, “this is hardly a new threat as we’ve been increasingly warning our users in certain countries about it. Last year we introduced 2-Step Verification specifically to defend users in such situations.” This process would require newly registered phones to use a password as well as the received SMS token. “If you do that,” says the statement, “there’s nothing an attacker can do.”
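The two login models described above, SMS code alone versus SMS code plus a password, can be made concrete with a small simulation. This is an added illustration written for this article, not Telegram's code; the class, method names and the +000 phone number are constructed placeholders, and the cloud password is hashed with PBKDF2 as an assumption about how such a password would be stored.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed model of a new-device login, written for this article.
# With 2-Step Verification off, the SMS code is the only factor; with it on,
# a user-chosen password must also be presented.
class Account:
    def __init__(self, phone, password=None):
        self.phone = phone                      # placeholder, e.g. "+000..."
        self.salt = os.urandom(16)
        # None means 2-Step Verification is not enabled on this account.
        self.pw_hash = self._hash(password) if password else None
        self._pending = None                    # (sms_code, expiry_time)

    def _hash(self, password):
        # Assumed storage format: salted PBKDF2-HMAC-SHA256 of the password.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def send_sms_code(self, ttl=120):
        # The code is delivered over the carrier's SMS channel, which the
        # article describes as a point where a third party may read it.
        code = f"{secrets.randbelow(100_000):05d}"
        self._pending = (code, time.time() + ttl)
        return code

    def login_from_new_device(self, sms_code, password=None):
        if self._pending is None:
            return False
        code, expiry = self._pending
        self._pending = None                    # single use: replays are rejected
        if time.time() > expiry or not hmac.compare_digest(code, sms_code):
            return False
        if self.pw_hash is None:
            return True                         # SMS-only: whoever holds the code gets in
        if password is None:
            return False                        # 2SV on: the code alone is not enough
        return hmac.compare_digest(self._hash(password), self.pw_hash)
```

Run with a password set, the same intercepted-code scenario is rejected, which is the property Telegram's statement relies on.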

The suggestion from the researchers is that a mobile service provider may have intercepted connections and provided information to the hackers. The hackers are thought to be the Rocket Kitten group, previously described as an Iranian state-sponsored APT group.

Trend Micro commented in a research paper written in September 2015, “These facts suggest that Rocket Kitten may be engaging some sort of foreign political espionage campaign and may want to find regime-opponents active in driving policy in different ways.”

The concern with this new research is that the group may also be active in seeking political activists and dissidents within Iran, although the researchers have so far declined to comment on whether they believe this particular activity was Iranian government sponsored. Nevertheless, the implication is clear. “‘We see instances in which people … are targeted prior to their arrest,’ Anderson said. ‘We see a continuous alignment across these actions,’” reports Reuters.

The Telegram compromise is a perfect illustration of the encryption quandary for western law enforcement. Law enforcement agencies want encryption backdoors built into cryptographic systems, so that terrorists have fewer places to hide their communications. The problem is that such systems are equally used by journalists and dissidents under repressive regimes. If Telegram and other products had an FBI or Metropolitan Police backdoor, hacking groups such as Rocket Kitten would very soon find them.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security, and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
