All you need to know about Telegram security

Researchers from the University of London and ETH Zurich have documented significant problems with the security of Telegram’s encryption system. While Telegram fixed the four specific security flaws identified by the researchers, they also highlighted underlying problems with Telegram’s general approach to encryption.

This has been a long-standing criticism of Telegram due to its use of a home-grown and closed-source encryption scheme called MTProto.

For years, security professionals warned that Telegram’s encryption is based on an unproven algorithm, custom-developed by Telegram itself, rather than on proven industry standards.

Martin Albrecht and Lenka Mareková from the Information Security Group at the University of London, and Kenneth Paterson and Igors Stepanovs from the Applied Cryptography Group at ETH Zürich have now provided a formal analysis of the problem.

Their paper, Four Attacks and a Proof for Telegram, is to appear at the IEEE Symposium on Security and Privacy 2022.

“The results from our analysis show that for most users, the immediate risk is low, but these vulnerabilities highlight that prior to our work, Telegram fell short of the cryptographic guarantees given by other deployed cryptographic protocols such as Transport Layer Security,” Albrecht said.

First, the researchers showed four attacks on Telegram’s encryption scheme.

It should be noted that Telegram patched all of these vulnerabilities before the researchers disclosed the flaws.

Researchers assessed that the most significant vulnerabilities relate to the ability of an attacker on the network to manipulate the sequencing of messages coming from a client to one of the cloud servers that Telegram operates globally.

Dubbed the crime-pizza vulnerability, the researchers gave the light-hearted example of sending the messages, “I say yes to”, followed by “pizza”, and then “I say no to”, followed by “crime”.

If the order of the messages “pizza” and “crime” is reversed, it would appear that the client is declaring their willingness to commit a crime.
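The reordering described above, as an added illustration that is not from the article, the paper or Telegram: a simplified authenticated channel (not MTProto) in which each message carries an HMAC-SHA256 tag. The key, the function names and the 64-bit counter layout are assumptions; the point is that per-message authentication alone accepts swapped messages, while binding an implicit sequence number into the tag, as the TLS record layer does, rejects them.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key-32-bytes!!!"  # constructed sample key, not a real secret
MESSAGES = [b"I say yes to", b"pizza", b"I say no to", b"crime"]  # the article's example

def tag(key, payload, seq=None):
    """HMAC-SHA256 over the payload; if seq is given, bind a 64-bit counter into it."""
    prefix = b"" if seq is None else struct.pack(">Q", seq)
    return hmac.new(key, prefix + payload, hashlib.sha256).digest()

def send(key, messages, bind_order):
    """Sender side: one (payload, tag) record per message."""
    return [(m, tag(key, m, i if bind_order else None))
            for i, m in enumerate(messages)]

def receive(key, records, bind_order):
    """Receiver side: verify records in arrival order, reject on the first bad tag."""
    accepted = []
    for i, (payload, received_tag) in enumerate(records):
        expected = tag(key, payload, i if bind_order else None)
        if not hmac.compare_digest(received_tag, expected):
            raise ValueError(f"record {i} rejected: tag does not match its position")
        accepted.append(payload)
    return accepted

def swap(records, a, b):
    """Model the network exchanging two records in transit (no key needed)."""
    out = list(records)
    out[a], out[b] = out[b], out[a]
    return out

def demo():
    # Tags that cover only the payload: the swapped stream still verifies.
    weak = receive(KEY, swap(send(KEY, MESSAGES, False), 1, 3), False)
    # Tags that also cover the position: the same swap is detected.
    try:
        receive(KEY, swap(send(KEY, MESSAGES, True), 1, 3), True)
        strong = "accepted"
    except ValueError:
        strong = "rejected"
    return weak, strong

if __name__ == "__main__":
    print(demo())
```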

The second attack was mostly of theoretical interest. The vulnerability allows an attacker on the network to detect which of two messages was encrypted by a client or a server.

However, the researchers stated that other cryptographic protocols are designed to rule out even such attacks, as every bit of information leaked could be exploited.

Telegram awarded the researchers a bug bounty for discovering a flaw that could, in principle, allow attackers to recover some plaintext from encrypted messages.

While this seems alarming, it would require an attacker to send millions of carefully crafted messages to a target and observe minute differences in how long the response takes to be delivered.

The flaw was in the implementation of Telegram’s official Android, iOS, and Desktop clients and was patched in June.

“It is mostly mitigated by the coincidence that certain metadata in Telegram is chosen randomly and kept secret,” the researchers noted.

“The presence of these implementation weaknesses, however, highlights the brittleness of the MTProto protocol: it mandates that certain steps are done in a problematic order, which puts significant burden on developers — including developers of third-party clients — who have to avoid accidental leakage.”

The researchers also showed how an attacker could mount a man-in-the-middle attack on the initial key negotiation between the client and the server.

This allows an attacker to impersonate the server to a client, enabling it to break both the confidentiality and integrity of the communication.

“Luckily, this attack is also quite difficult to carry out, as it requires sending billions of messages to a Telegram server within minutes,” the researchers stated.

“However, it highlights that while users are required to trust Telegram’s servers, the security of those servers and their implementations cannot be taken for granted.”

Another caveat is that the researchers only studied the three official Telegram clients and no third-party clients.

“Some of these third-party clients have substantial user bases,” the researchers noted.

They said the brittleness of MTProto is a cause for concern, as the developers of these third-party clients could make mistakes in implementing the protocol that cause the timing leaks they found.

“Alternative design choices for MTProto would have made the task significantly easier for the developers,” the researchers concluded.

Source: mybroadband