Multiple encryption flaws uncovered in Telegram messaging protocol

Vulnerabilities highlight risks of ‘knit-your-own’ crypto

UPDATED An analysis of the popular Telegram secure messaging protocol has identified four cryptographic vulnerabilities.

Although none of the flaws are particularly serious or easy to exploit, security researchers have nonetheless warned that the software “falls short on some essential data security guarantees”.

Standard deviation

Computer scientists from from ETH Zurich and Royal Holloway, University of London, uncovered the vulnerabilities after examining the open source code used to provide encryption services to the Telegram app. The audit excluded any attempt to attack any of Telegram’s live systems.

The researchers found that Telegram’s proprietary system falls short of the security guarantees enjoyed by other, widely deployed cryptographic protocols such as Transport Layer Security (TLS).

ETH Zurich professor Kenny Paterson commented that encryption services “could be done better, more securely, and in a more trustworthy manner with a standard approach to cryptography”.

Catch up with the latest encryption-related news and analysis

The most significant vulnerability among the quartet makes it possible for an attacker to manipulate the sequencing of messages coming from a client to one of the cloud servers operate by Telegram.

A second flaw made it possible for an attacker on the network to detect which of two messages are encrypted by a client or a server, an issue more of interest to cryptographers than hostile parties, the researchers suggest.

The third security issue involves a potential manipulator-in-the-middle attack targeting initial key negotiation between the client and the server. This assault could only succeed after sending billions of messages.

A fourth security weakness made it possible (at least in theory) for an attacker to recover some plain text from encrypted messages – a timing-based side-channel attack that would require an attacker to send millions of messages and observe how long the responses take to be delivered. The researchers admit the attack is impractical while Telegram goes further and categorises it as a non-threat.

"The researchers did not discover a way to decipher messages," a representative of Telegram told The Daily Swig.

In a statement, the firm welcomed the research

The traits of MTProto pointed out by the group of researchers from the University of London and ETH Zurich were not critical, as they didn't allow anyone to decipher Telegram messages. That said, we welcome any research that helps make our protocol even more secure.

These particular findings helped further improve the theoretical security of the protocol: the latest versions of official Telegram apps already contain the changes that make the four observations made by the researchers no longer relevant.

The researchers notified Telegram about their research in April. Telegram has since patched all four flaws, clearing the way for researchers to go public with their findings through a detailed technical blog post.

TLS recommendation

Royal Holloway professor Martin Albrecht told The Daily Swig that the researchers offered lessons for other developers of secure messaging apps – for example, industry standard TLS encryption should be a preferred design choice.

“The ‘mode’ of Telegram we looked at was when messages are encrypted between the client and the server only,” Albrecht explained.

“This is no different from running Facebook Messenger or IRC [Internet Relay Chat] over TLS. Here it makes little sense to not use TLS (or its UDP variants). It is well studied, including its implementations, it does not need special assumptions, it is less brittle than [for example] MTProto.”

MTProto is the encryption scheme used by Telegram.

READ Kaspersky Password Manager lambasted for multiple cryptographic flaws

Telegram already relies on TLS for its security for messages from the server to Android clients, but it relies on proprietary approaches elsewhere.

Whether apps are built using TLS as a foundation or not, an audit by cryptographers is highly advisable.

Albrecht commented: “When we talk about secure messaging apps specifically, i.e messages are encrypted between the parties not just the transport layer between client and server, they should have cryptographers on staff who formally reason about the design. In the future this should get easier with the MLS standard.”

Hong Kong Garden

The research into Telegram was motivated by use of technology by participants in large-scale protests such as those seen in 2019/2020 in Hong Kong.

“We found that protesters critically relied on Telegram to coordinate their activities, but that Telegram had not received a security check from cryptographers,” according to Albrecht.

Albrecht was part of a team that researched what makes the Telegram platform attractive to high-risk users involved in mass protests, who are likely to be targeted by surveillance.

“Telegram does seem to have the advantage of ‘staying up’ in light of government crackdown in contrast to other social networks and seemingly not complying all that much with government requests,” according to Albrecht.

Although mobile messaging apps such as Signal are often recommended and used by the security-savvy, features and utility are more important for mainstream users and go some way to explaining use of Telegram among protesters in Hong Kong and beyond.

“It might be better to compare Telegram to Facebook or Twitter (in terms of features and appeal) than to, say, Signal,” he added.

Telegram may be preferred to Facebook even if the latter is likely better or at stricter when it comes to data governance, Albrecht concluded.

“On the flip side, it is not clear what security policies, processes and safeguards Telegram have in place to, e.g continuously vet their (server and client) code for software vulnerabilities, to prevent their own staff from snooping.”

This story was updated to add comment from Telegram that welcomed the work of the researchers but disputed the impact of one of the admitted vulnerabilities.