Iranian Telegram Accounts Compromised

15 million Iranian Telegram users have reportedly had their phone number and their ID registered with the Telegram encrypted chat app compromised. In a paper to be presented at the Black Hat conference on Thursday, security researchers Collin Anderson and Claudio Guarnieri will outline their findings into the alleged compromise of more than a dozen Telegram accounts and the identification of 15 million Iranian users’ telephone numbers. This, it is claimed, would have jeopardized the communications of activists, journalists and other people in sensitive positions in Iran.

Telegram is an app designed to offer privacy and confidentiality with end-to-end encryption. The company was founded by the Pavel and Nikolai Durov brothers, following Pavel Durov’s sale of VK to the Mail.ru group in 2014. 

According to a report from Reuters, Telegram’s vulnerability lies in its use of SMS messages to activate new devices. “When users want to log on to Telegram from a new phone,” reports Reuters, “the company sends them authorization codes via SMS, which can be intercepted by the phone company and shared with the hackers, the researchers said.”

Telegram itself has been quick to deny any serious problem. It points out that anyone can check whether a particular phone number is registered for any contact-based messaging service, including WhatsApp, Messenger and others. The automated API-based checks that were apparently used in this incident “are no longer possible since we introduced some limitations into our API this year.”

As for the dozen or more accessed accounts, “this is hardly a new threat as we’ve been increasingly warning our users in certain countries about it. Last year we introduced 2-Step Verification specifically to defend users in such situations.” This process would require newly registered phones to use a password as well as the received SMS token. “If you do that,” says the statement, “there’s nothing an attacker can do.”

The suggestion from the researchers is that a mobile service provider may have intercepted connections and provided information to the hackers. The hackers are thought to the Rocket Kitten group, previously described as an Iranian state-sponsored APT group. 

Trend Micro commented in a research paper written in September 2015, “These facts suggest that Rocket Kitten may be engaging some sort of foreign political espionage campaign and may want to find regime-opponents active in driving policy in different ways.”

The concern with this new research is that the group may also be active in seeking political activists and dissidents within Iran; although the researchers have so far declined to comment on whether they believe this particular activity was Iranian government sponsored. Nevertheless, the implication is clear. “‘We see instances in which people … are targeted prior to their arrest,’ Anderson said. ‘We see a continuous alignment across these actions,’” reports Reuters.

The Telegram compromise is a perfect illustration of the encryption quandary for western law enforcement. LEAs want encryption backdoors built into cryptographic systems, so that terrorists have less places to hide their communications. The problem is that such systems are equally used by journalists and dissidents under repressive regimes. If Telegram and other products had an FBI or Metropolitan Police backdoor, hacking groups such as Rocket Kitten would very soon find them.