The Telegram messaging app has security holes that allows attackers to get a peak at users’ messages by bypassing encryption, according mobile security firm Zimperium.
On its site, Telegram touts the fact that the app is cloud-based and heavily encrypted, and notes that a recently held contest to crack its encryption ended with no winners despite a $300,000 bounty. In the contest, the would-be hackers were able to act as the Telegram server passing info between the users as they attempted to decipher messages sent using the Secret Chats feature.
“All messages in secret chats use end-to-end encryption,” according to the site. “This means only you and the recipient can read those messages — nobody else can decipher them, including us here at Telegram. Messages cannot be forwarded from secret chats. And when you delete messages on your side of the conversation, the app on the other side of the secret chat will be ordered to delete them as well.”‘
However, Zimperium found that by simulating an attack originating from an app/client-side vulnerability that gains additional permissions by running a kernel or root exploit it was possible to uncover Secret Chats that were readable in plain text in the process memory and the Cache4.db file. In addition, it was possible to retrieve the content of a message even after it was deleted.
“How easy is it to elevate privileges on the device in the first place? Very easy,” said Zimperium CTO Zuk Avraham. “Most of the versions out there have existing kernel exploits that are publicly available. We are speaking about more than 90 percent of the market. Obviously sophisticated actors can find their own elevation of privileges vulnerabilities but in most cases you can get the same results while using a publicly available exploit.”
“Once you get code execution on the device (e.g: by installing an app, running a browser exploit or connecting the phone to a malicious charger), the elevation of privileges part is easy if the device has publicly available root/jailbreak – which is the case for most of the OS,” he added.
In a blog post, Avraham noted that the crypto contests by Telegram reference breaking Telegram’s protocol while being in the middle of an encryption conversation. This, he argued, is not a sound idea for two reasons however: in the real world hackers do not play by the rules; and this assumes hackers would try to break Telegram’s encryption in the middle instead of finding weaknesses in other protocols that provide more benefits.
“It’s easier to find a vulnerability in a phone and hack it remotely via URL/PDF/Man-In-The-Middle and other attack techniques that I have discussed before,” he blogged. “Once you hack a mobile phone, you need to elevate your privileges in order to gain control of the device. This can be easily done using a Kernel exploit.”
“I simulated an attack originating from an App / Client Side vulnerability that gains permissions by running a kernel exploit (I used CVE-2014-3153)…There are cleaner ways to dump the results, but I just wanted to provide a proof of concept (POC),” he noted in the blog post.
After running the exploit, he dumped the process memory of Telegram and searched for strings that contained the words he sent and received and found them.
“To complete my research,” he blogged, “I accessed the root shell I received previously from running CVE-2014-3153 to look at the App’s files at /data/data/org.telegram.messenger/ and I discovered a file called Cache4.db in the app’s “files” folder. I assumed “enc_chats”, “enc_tasks_v2”, enc probably stood for encrypted so I fetched this file and examined it. The file contained our secret messages in plain-text!”
Avraham told SecurityWeek Zimperium has reached out to Telegram multiple times during the past 30 days and received no response.
“As part of our official Zimperium Zero Day Disclosure Policy, our intention is to provide vendors with an opportunity to fix the vulnerability so others are not affected by it; however, since Telegram has never responded to us even with an acknowledgement of the issue and proposed date, we have an obligation to make people who are consumers of this app aware of the risks so they can protect themselves,” Avraham told SecurityWeek.
He suggested people using Telegram to send secure texts be careful what they are sending or suspend usage of the app until Telegram resolves the issue.
