
Hackers accessed Telegram messaging accounts in Iran – researchers - slizard
http://www.reuters.com/article/us-iran-cyber-telegram-exclusive-idUSKCN10D1AM?sp=alcms
======
grx
Clickbait title. The correct title would be 'Exclusive: Hackers accessed
Telegram messaging accounts in Iran - researchers' which itself already hides
the fact that the problem lies not with Telegram infrastructure, but the
interception of SMS by state telcos.

~~~
tomc1985
If Telegram relies on SMS for its authentication system, wouldn't the SMS
network be part of its infrastructure, if indirectly?

~~~
megalomaniac443
Facebook relies on SMS. Whatsapp relies on SMS. VK relies on SMS. Viber relies
on SMS.

Are we going to say that all of those have been breached too?

~~~
tomc1985
Potentially.

Of course, you won't see it too often in the headlines..

~~~
megalomaniac443
I know that some people here are suspicious of Telegram because they use their
own encryption mechanism, but it's like there's an active campaign against it
by the media. In my country the media has been calling it the "ISIS chatting
app".

~~~
tomc1985
Nothing to do with that. Authentication is an essential pillar of a security
app, and the ability to effectively authenticate is an important component of
opsec. If SMS is compromised (and it is not hard to imagine given how
protective govt is about SMS exploits/sigint) then the authentication aspect
of any app that relies on SMS is also potentially compromised. Weakest link
and all that...

------
oldgun
[https://telegram.org/blog/15million-reuters](https://telegram.org/blog/15million-reuters)
Stay calm and turn on 2-step verification.

------
jlund
When an adversary intercepts a Telegram SMS authentication code, this gives
them pretty much complete access to a user's entire Telegram messaging
history. This is true because messages are not end-to-end encrypted by
default. The Telegram servers will happily return perennially stored
transcripts to any client that is even temporarily considered valid.

This is _not_ true for messaging applications that are end-to-end encrypted by
default and that do not store plaintext on their servers. This isn't a subtle
difference. Lots of comparisons in this thread fall victim to a sort of
implied false equivocation.

Using SMS as a form of authentication may be a quality that Telegram shares
with other popular messaging applications, but it is uniquely susceptible to
all of the associated pitfalls.

------
dmix
Authentication via SMS considered harmful.

~~~
korayal
I wonder why Telegram (and Twitter) doesn't allow the use of third party MFA
providers just like LastPass.

[https://helpdesk.lastpass.com/multifactor-authentication-opt...](https://helpdesk.lastpass.com/multifactor-authentication-options/)

~~~
r3bl
I'll never understand why LastPass requires you to be a premium user to use
some forms of their 2FA (for example, I can't use my Yubikey if I don't pay
for a premium, and I don't need a premium account for literally anything
else).

------
berns
"Telegram breached", "Hackers break into Telegram", "Iranian Hackers Just
Cracked Telegram". I didn't think any of these nonsense titles would reach the
first page of Hacker News.

~~~
angry_octet
How about: "Iranian citizens pay the price for Telegram's weak security".

"Telegram's exaggerated security claims gave Iranian users false sense of
security, now Iranian secret police have read their messages." isn't quite
concise enough.

~~~
angry_octet
Alternatively: "News of Telegram hack contrary to users' strongly held
beliefs, #offended by suggestion of problems with Telegram."

------
wtbob
Once again proving a) the security of a system, like a chain, is only as strong
as its weakest link and b) if something is theoretically broken now it will be
actually broken tomorrow.

------
Aoyagi
_> The researchers said they also found evidence that the hackers took
advantage of a programming interface built into Telegram to identify at least
15 million Iranian phone numbers with Telegram accounts registered to them, as
well as the associated user IDs._

Methinks that's more important than someone intercepting an SMS - at least in
terms specific to Telegram. Is there more information on this? What evidence
is it?

~~~
codezero
They acknowledge this in their blog post:
[https://telegram.org/blog/15million-reuters](https://telegram.org/blog/15million-reuters)

It's part of their contacts API, where you submit the numbers you have in your
contacts list and they let you know which numbers already have a telegram
account.

They have since added rate limiting to prevent brute forcing it, but it sounds
like the API itself is still available.

~~~
Aoyagi
Ah, I see, thanks.

------
0xFFC
Iranian here; as a programmer and software security hobbyist, I always warned my
friends against Telegram. Sadly, the local news is that the government used that
bug and cloned 15M people's chat records/contacts/public data etc.

This is pretty _huge_, this can put many lives in danger; I know people who
are gay and use Telegram. If you are any kind of person the government does
not agree with, from now on the government has your personal communication
record. For example, when you apply for a regular job (90% of jobs in Iran are
related to the government, because of the state-controlled economy) then you
have absolutely no chance, even if you are a much better candidate than some
stupid person who spends their life defending the government's stupid ideas.

P.S. Replace all "government" with "regime". The government in Iran is actually
good (compared to the regime) and Rouhani is our only hope. The problem is the
Revolutionary Guard.

~~~
NotSammyHagar
Does SSL access to hacker news protect your identity in Iran? And do you think
encrypted messages with telegram with 2 factor auth protects people? I think
not, since they just have to get the messages of the people you chat with, the
weaker link is the other side.

------
hoppa_liza
> widely used in the Middle East, including by the Islamic State militant
> group

I understand the risk associated with rogue people using such a service, but
is not the ability to determine who exactly is using the service counter
productive? I.e. for journalists and personae non gratae under oppressive
regimes.

~~~
derefr
Are you sure it's being "determined", in a SIGINT sense? Perhaps ISIS have
made public mention somewhere of their usage of the service. Or perhaps others
(e.g. opposing forces) have just shoulder-surfed some ISIS members using it,
or looked through their phones.

~~~
hoppa_liza
You are right, it totally skipped me. It is very possible that some of their
personnel/phones were captured leading directly to this information.

------
walrus01
Anything that involves SMS, SS7 and the legacy PSTN phone network cannot be
relied upon for anything crypto related... Sending auth keys/codes by SMS,
really? I understand it was a decision made to have the system be easy to use,
but it's foolish in my opinion.

~~~
api
If the crypto is solid the transport is irrelevant. This points to deeper
vulnerabilities. IP networks are no safer than SMS.

~~~
walrus01
I realize this was a use of sending short authentication codes by SMS, but at
160 characters the crypto can't be solid, if somebody decided to implement
proper public/private key over it. So the transport is definitely a problem.

~~~
angry_octet
Signal was originally TextSecure, there was no problem with its message
security. Plenty of meta data problems though. If you still need to send
secure SMS there is a fork at [https://silence.im](https://silence.im).

------
oceaniity
One might suppose that because login relies on the cellular network it's
implicitly part of the app's infrastructure. In that sense the technical
failing of Telegram was relying on one method of authentication (when multi-
factor should be the default). I think it far-fetched to extrapolate that into
'Telegram got hacked', though.

I understand the want to share the article, but a concerted effort to amend
the original title to reflect the actual content would have been appropriate
here, methinks.

Edit: fixed some speling.

------
t3ra
Telegram has had 2FA for years!

------
6127qz17
Newb question: why does Telegram not use Google Authenticator? Why do so few
apps use it? Is it more secure or completely useless?

~~~
mercora
I do not know why more services don't use it, but I want to point out that the
Google Authenticator app is just an implementation of [0]HOTP and [1]TOTP.

There is also a free implementation of the same feature set available called
[2]FreeOTP.

[0] [https://tools.ietf.org/html/rfc4226](https://tools.ietf.org/html/rfc4226)

[1] [https://tools.ietf.org/html/rfc6238](https://tools.ietf.org/html/rfc6238)

[2] [https://fedorahosted.org/freeotp/](https://fedorahosted.org/freeotp/)
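
The comment above makes the point that Google Authenticator is nothing more than HOTP and TOTP. The block below is an added example, not code from the thread or from any of the apps named in it: a minimal implementation of both RFC 4226 (HOTP) and RFC 6238 (TOTP) in Python's standard library, plus the kind of server-side check a service would run when a user types a code in. It is verified against the test vectors published in those two RFCs, whose shared test secret is the ASCII string `12345678901234567890`. The `verify_totp` helper, its drift `window`, and the `last_counter` replay guard are design choices of this example, not something either RFC mandates.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238): the algorithms behind Google Authenticator and FreeOTP.

Added example; assumes nothing beyond the Python standard library.
"""
import base64
import hashlib
import hmac
import struct
from typing import Optional

# Shared test secret used by the reference vectors in RFC 4226 and RFC 6238.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP(K, C) = Truncate(HMAC(K, C)) mod 10^digits (RFC 4226, section 5)."""
    # The moving factor is an 8-byte big-endian counter.
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, algo).digest()
    # Dynamic truncation: the low 4 bits of the last byte select a 4-byte window,
    # and the top bit of that window is cleared to avoid signed/unsigned confusion.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1, t0: int = 0) -> str:
    """TOTP = HOTP(K, floor((T - T0) / X)) with X = step seconds (RFC 6238, section 4)."""
    return hotp(secret, (int(unix_time) - t0) // step, digits, algo)


def decode_base32_secret(encoded: str) -> bytes:
    """Authenticator apps are provisioned with the secret as (usually unpadded) base32.

    Re-adds padding so the stdlib decoder accepts the form found in otpauth:// URIs.
    """
    cleaned = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def verify_totp(secret: bytes, candidate: str, unix_time: int, last_counter: int = -1,
                window: int = 1, step: int = 30, digits: int = 6,
                algo=hashlib.sha1) -> Optional[int]:
    """Server-side check (example design, not from the RFCs). Returns the matching
    counter, or None if the code is rejected.

    - Accepts codes from +/-`window` time steps to tolerate client clock drift.
    - Refuses any counter <= `last_counter` (the highest counter the server has
      already accepted for this user) so a code that was observed in transit
      cannot be replayed inside the drift window.
    - Compares in constant time: a 6- or 8-digit code is short enough that a
      timing leak on the comparison would matter.
    """
    if not (candidate.isdigit() and len(candidate) == digits):
        return None
    now = int(unix_time) // step
    for counter in range(now - window, now + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits, algo), candidate):
            return counter
    return None


if __name__ == "__main__":
    # RFC 4226 Appendix D vectors for counters 0..9.
    print([hotp(RFC_TEST_SECRET, c) for c in range(10)])
    # RFC 6238 Appendix B, SHA-1 row for T = 59: expected 94287082.
    print(totp(RFC_TEST_SECRET, 59, digits=8))
    print(decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ") == RFC_TEST_SECRET)
```

The `__main__` block reproduces the RFC vectors so the implementation can be checked offline against the published values. Note what this does and does not buy in the context of the thread: TOTP is a second factor the carrier never sees, so an adversary who can read SMS still cannot derive the code; it does nothing about the first factor (the SMS login code) or about a server that hands plaintext history to any freshly authenticated device.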

------
camillomiller
Well, the problem lies more with the de-anonymization of ~15 million users in
Iran, though, which Telegram didn't deny.

------
abstractbeliefs
Strictly, this isn't a breach in Telegram, as it relies on the adversary being
able to own the cell network you're on, but that may not bring much comfort to
many of the people who feel they might need to use Telegram.

What other systems would people suggest to do this initial setup?

~~~
angry_octet
This is precisely a breach of Telegram, they are essentially sending auth keys
to the adversary when the adversary asks them to.

New devices should only be authorised with the use of an authentication token
from an existing client device; one needs to decide if the new device should
have access to old messages. Ideally it would be clear to all parties as to
which devices and identities have joined a chat.

------
mehdix
Only public phone numbers are collected, no account is compromised, according
to Telegram:

[https://telegram.org/blog/15million-reuters](https://telegram.org/blog/15million-reuters)

------
pmontra
Is there a way to know how many devices are linked to an account and which
devices they are? That would let people check if they've been eavesdropped and
possibly cut off the hacker by removing the extra device. Then add a password.

~~~
spoiler
Yes. It's in the settings screen. You can remove any or all devices (bar the
current one), too.

------
Sami_Lehtinen
Yet in this case all the encrypted secret chats are still kept private,
because even gaining access to the user account doesn't allow you to read
messages from secret chats.

------
hsivonen
How does migration to a new phone work with Signal?

------
aussieguy123
This is as bad as a breach

------
a_wang
Two-step verification would guard against this Achilles' heel.

~~~
sekasi
You mean two-factor, yeah? Because Telegram already relies on two-step.

~~~
lucastx
SMS is the first factor in the case of Telegram. The 2-step authentication
Telegram provides is through email.

~~~
pietroalbini
Nope, the second factor is a password you must type in after entering the SMS
code.

