Telegram Security Analysis: Protocols, Vulnerabilities, and User Privacy

January 11, 2018

Abstract

Telegram is an instant messaging platform based on the MTProto security protocol. Founded in 2013, the messenger now has over 100 million active users. One of Telegram’s main goals is to protect users from surveillance. The company claims to offer the best security and ironclad guarantees among similar apps. In this article, we review Telegram as a whole, discuss its protocol, and compare it to other products. We also examine a user availability leak that can reveal when two users are communicating with each other.

Introduction

Over the past decade, as more people have gained internet access, instant messaging apps have become increasingly popular. As of May 2017, two out of the five most downloaded Android apps were messaging apps [1]. In recent years, users of communication protocols, including instant messengers, have become more concerned about their security. To address these concerns, many platforms have introduced end-to-end encryption [2, 3]. For example, WhatsApp implemented end-to-end encryption three years ago, and now all communications use this feature. WhatsApp has the largest user base for end-to-end encrypted messaging.

Telegram, another messaging service, was founded in 2013. Despite its youth, Telegram now has over 100 million monthly users, especially in Western Europe. The creators claim Telegram offers the best security among similar products, but user trust is largely based on the app’s origin story and the developers’ reputation. We set out to analyze Telegram’s security [4], as it has faced ongoing criticism from cryptography experts due to some controversial design choices.

This section covers Telegram’s history and user interface. Section 2 describes Telegram’s architecture. Section 3 discusses previously discovered issues. Sections 4 and 5 examine disclosed security vulnerabilities. Section 6 reviews current issues and presents conclusions.

History of Telegram

Telegram stands out among tech startups, earning increased attention and trust from users. It was founded in 2013 by brothers Nikolai and Pavel Durov, who also created the popular Russian social network VKontakte. After facing pressure from Russian authorities to provide special access for government agencies, Pavel Durov left VK, claiming it was under the control of the ruling political party [5]. He then left Russia and founded Telegram to provide a secure messaging tool for ordinary users, protected from government surveillance.

Thanks to Pavel Durov’s popularity in Russia, Telegram quickly gained traction among Russian-speaking users. Telegram also offers a more convenient experience compared to similar products, thanks to its speed and features. The messaging protocol was developed by Nikolai Durov, a mathematician but not a well-known security expert.

Telegram is unique among tech startups because Pavel Durov is its sole sponsor. Telegram has no ads, is free, and its client is open source.

Telegram Functionality

Telegram allows users to exchange text and voice messages and participate in group chats. It also features channels, which users can subscribe to for updates from the channel creator (often a news site or celebrity).

Telegram offers a “secret chat” feature, which is not enabled by default. Secret chats use end-to-end encryption, and messages are deleted after a user-defined period, making them unrecoverable. Telegram’s developers chose not to enable end-to-end encryption by default for convenience: secret chats are device-specific and cannot be continued on other devices. We believe this is debatable. Many users assume their messages are secure, but in reality, they are simply trusting Telegram’s servers.

Users can create accounts and authenticate using a code sent via SMS. After initial authentication, users can configure settings and search for others. Telegram also offers two-factor authentication for those who want to enter a password each time they log in.

Telegram Clients

Telegram has clients for all major platforms, including web apps. Figure 1 shows the desktop and Android versions. Official clients are open source, though some binary blobs (executable files without source code) exist.

The Telegram user interface is fast and convenient. Telegram also offers a command-line interface [6] with nearly full platform functionality, though it is less user-friendly. For example, to add a contact, you would enter:

tg> add contact <phone number> <name> <lastname>

We frequently used the command-line interface during our security research.

2. Telegram Architecture

Like many similar apps, Telegram uses a traditional approach and stores data in the cloud. If an attacker gains control of the server, they can access unencrypted messages and all metadata. Communication between users and the server is based on the custom MTProto protocol.

Users exchange information using the Diffie-Hellman method to create a shared key, which is then used for message transmission. Communication with the server uses a public RSA key embedded in the Telegram client, which is rarely changed.

Telegram’s custom MTProto protocol does not use many traditional messaging approaches. The creators claim this improves performance, but many security experts are skeptical.

3. Known and Fixed Issues

Like all tech companies, Telegram has had and will have security vulnerabilities and non-standard issues indirectly related to security. We will discuss some of these issues and later examine one case in detail.

3.1 Non-Technical Issues

  • End-to-end encryption is not enabled by default [7]. As a result, most non-technical users use Telegram without secret chats, assuming their messages are encrypted. Without secret chats, users must trust Telegram’s servers.
  • Telegram uses its own cryptographic protocol, MTProto, which has been widely criticized. Security best practices recommend that cryptographic protocol design be left to experts. Those who have analyzed MTProto are also skeptical. Cryptographer Matthew Green commented: “Telegram has 10 million details supporting a single unauthorized Diffie-Hellman key exchange.” [8]
  • Telegram initially requests the contact list from the user’s device and stores it on the server. This creates a huge database of contacts that could be targeted in an attack or sold to authorities without user consent. Again, users must trust Telegram’s server security.

3.2 Technical Security Issues

  • In 2015, researchers announced a man-in-the-middle attack scheme on Telegram that could be carried out by state authorities. The attack involves generating shared secrets via Diffie-Hellman for two victims with identical 128-bit visual fingerprints. Users comparing fingerprints would not detect the attack. A birthday attack on a 128-bit fingerprint would require only about 2^64 operations. Since then, the number of bits in fingerprints has increased, but the issue remains relevant. To prevent MITM attacks, users must visually compare grids of blue squares, a process prone to human error and user apathy.
  • Until 2014, MTProto used a modified Diffie-Hellman key exchange [9]. Instead of generating keys using the standard protocol, the server sent a key XORed with a random nonce. This allowed a fake server to use different nonces for two users, resulting in the same key known to the server. Again, users must trust Telegram’s servers. Although this was fixed, the simplicity of the issue raises questions about the developers’ security expertise.
  • Some parts of the protocol use SHA-1 for hashing instead of SHA-256, even though SHA-1 is known to be vulnerable to collisions [10]. Telegram claims SHA-1 is only used where collision resistance is not critical, but a stronger hash function would be preferable. History shows that overlooked vulnerabilities are common.
  • Even in secret chats, Telegram’s mobile version allows third parties to view metadata. For example, an attacker can see when users come online or go offline down to the second. Telegram does not require mutual consent to establish communication, so an attacker can connect and gather metadata without the user’s knowledge. The attacker can also determine if two users are communicating by analyzing metadata from both ends. We call this the “availability leak.” This issue is discussed in more detail in Sections 4 and 5.

As these examples show, Telegram users often have to fully trust the server’s security, which is ironic given Telegram’s original goal of protecting users from surveillance. While many vulnerabilities have been fixed, some should never have existed in the first place.

4. Exploit for Detecting User Availability

As mentioned earlier, Telegram shares availability information with anyone who has a user’s phone number. Suppose Eve adds Alice to her contacts. Telegram does not notify Alice of this event. Eve then regularly receives information about when Alice uses Telegram, while Alice remains unaware.

This leak is easily observed in the Telegram command-line interface. Moreover, if Eve also adds Akaki and Hayk (the authors) to her contacts, she can see when each of them comes online and goes offline. By matching time intervals, Eve can infer that Akaki and Hayk are communicating. The following sections explain how to use this exploit to detect when two users are talking to each other.

4.1 Experiment Setup

To track Telegram usage and communications, we selected 15 active users among international students at MIT, knowing they communicated daily or weekly. We used the Telegram command-line interface to connect to users and a dedicated server to collect metadata, resulting in several megabytes of raw data for analysis.

4.2 Correlation Algorithm

We developed a correlation algorithm that analyzes Telegram usage data for two users and outputs a sequence of matches, each representing a time interval with a probability (always at least 0.5) that the users are communicating.

For each user, we created a sequence of activity intervals sorted by time. The algorithm finds matches between two users based on overlapping intervals.

Two active intervals (the purple arrows in the original diagram, which is not reproduced here) are considered connected if they overlap after each is extended by a certain gap_time. This accounts for the time it takes to open the app after receiving a message.

By treating each active interval as a node and each connection as an edge, we get a bipartite graph. We look for connected components with at least one edge. Sorting the intervals in a connected component reveals a chain of overlapping intervals during which both users were active. Each connected pair of intervals indicates a certain probability that the users are communicating. A chain of connected intervals greatly increases the likelihood that Alice and Bob are talking to each other.

Each connected component represents a possible communication session (a period of message exchange over a relatively short time). Since a user can leave Telegram open (in which case metadata is not transmitted), we ignore the length of the active interval. The number of active intervals is the most important indicator, as frequent online/offline activity suggests active use.

We introduced a likelihood coefficient to determine how likely a connected component represents communication. An edge in a component that connects to many other nodes is less significant than an edge whose endpoints are not connected to other intervals. Therefore, instead of counting edges, we define the likelihood coefficient as half the number of connected nodes in the component. Thus, a very long active interval overlapping many others does not greatly increase the likelihood coefficient.

Once the likelihood coefficient is calculated, we compute the probability that two users are communicating during the interval using the following formula:

If the likelihood coefficient is zero, the probability is zero. Each unit of the coefficient increases the probability by half. The alpha multiplier determines the impact of the coefficient on the final probability.
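The following is an added worked example of the correlation algorithm from Section 4.2; it is not the authors' code. It runs on constructed activity intervals for two users (not collected metadata), builds the bipartite overlap graph with the gap_time extension, finds connected components with at least one edge, sets the likelihood coefficient to half the number of nodes in the component, and converts it to a probability. The article does not reproduce its probability formula, so the function probability() uses an assumed form, p = 1 - 2^(-alpha * c), chosen to match the description above (zero for a zero coefficient, 0.5 at one unit, each further unit halving the remaining gap to 1); treat that formula as an assumption.

```python
from collections import deque
from typing import Dict, List, Set, Tuple

Interval = Tuple[int, int]   # (online_at, offline_at) in seconds
Node = Tuple[str, int]       # ("U", index) or ("V", index)

# Constructed sample data (not real metadata): online/offline intervals per user.
ALICE_INTERVALS: List[Interval] = [(0, 20), (100, 130), (140, 160), (1000, 1010)]
BOB_INTERVALS: List[Interval] = [(25, 40), (125, 150), (5000, 5030)]


def connected(a: Interval, b: Interval, gap_time: int) -> bool:
    """Two intervals are connected if they overlap once each is widened by gap_time."""
    return a[0] <= b[1] + gap_time and b[0] <= a[1] + gap_time


def build_graph(u: List[Interval], v: List[Interval], gap_time: int) -> Dict[Node, Set[Node]]:
    """Bipartite graph: nodes are intervals, edges join connected intervals of different users."""
    adj: Dict[Node, Set[Node]] = {("U", i): set() for i in range(len(u))}
    adj.update({("V", j): set() for j in range(len(v))})
    for i, a in enumerate(u):
        for j, b in enumerate(v):
            if connected(a, b, gap_time):
                adj[("U", i)].add(("V", j))
                adj[("V", j)].add(("U", i))
    return adj


def components_with_edges(adj: Dict[Node, Set[Node]]) -> List[Set[Node]]:
    """Connected components that contain at least one edge (i.e. more than one node)."""
    seen: Set[Node] = set()
    result: List[Set[Node]] = []
    for start in adj:
        if start in seen:
            continue
        comp: Set[Node] = set()
        queue = deque([start])
        while queue:
            node = queue.popleft()
            if node in comp:
                continue
            comp.add(node)
            queue.extend(adj[node] - comp)
        seen |= comp
        if len(comp) > 1:
            result.append(comp)
    return result


def probability(coefficient: float, alpha: float) -> float:
    """Assumed formula (not given in the article): p = 1 - 2^(-alpha * c)."""
    if coefficient <= 0:
        return 0.0
    return 1.0 - 2.0 ** (-alpha * coefficient)


def correlate(u: List[Interval], v: List[Interval], gap_time: int = 30,
              alpha: float = 1.0) -> List[Tuple[int, int, float, float]]:
    """Return (start, end, likelihood_coefficient, probability) per candidate session."""
    u_sorted, v_sorted = sorted(u), sorted(v)
    matches = []
    for comp in components_with_edges(build_graph(u_sorted, v_sorted, gap_time)):
        nodes = [(u_sorted if side == "U" else v_sorted)[idx] for side, idx in comp]
        start = min(s for s, _ in nodes)
        end = max(e for _, e in nodes)
        coefficient = len(comp) / 2   # half the number of connected nodes
        matches.append((start, end, coefficient, probability(coefficient, alpha)))
    return sorted(matches)


if __name__ == "__main__":
    for start, end, coeff, prob in correlate(ALICE_INTERVALS, BOB_INTERVALS):
        print(f"session {start:>5}-{end:<5}  coefficient={coeff:.1f}  p={prob:.3f}")
```

With the sample data and the article's best parameters (gap_time = 30, alpha = 1) the code reports two candidate sessions: an isolated pair at 0-40 with coefficient 1 and p = 0.5, and a chain of three intervals at 100-160 with coefficient 1.5 and a higher probability. Because every reported component has at least one edge, its coefficient is at least 1, which is why the article's matches always carry a probability of at least 0.5 under alpha = 1. Lowering gap_time to 0 drops the first pair, which only connects thanks to the gap extension.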

5. Exploit Results

After implementing the algorithm, we analyzed the collected metadata. Since we used Telegram while the server was running, we adjusted parameters based on our communication frequency. The best values were: gap_time = 30 seconds, alpha multiplier = 1. With these settings, we tracked all communications without excessive false positives. The results showed a false match rate of about 15%. In other words, sometimes when two users used the app simultaneously, the algorithm produced incorrect matches.

6. Conclusion

In this project, we investigated the Telegram messenger. Telegram gained popularity as an independent company thanks to its creators’ claims, user trust, and good timing (coinciding with the Snowden leaks). If you believe Telegram’s claims, you might think it is highly secure. However, our research shows that Telegram has had serious yet simple protocol issues (such as a modified and vulnerable Diffie-Hellman key exchange) that any knowledgeable security expert could spot.

Using the command-line interface, we were able to connect to some friends and detect their communication intervals. We believe this is a serious personal data leak that could, for example, reveal close relationships within a group.

In summary, Telegram, like all products, has vulnerabilities that users should be aware of. Unfortunately, company statements often lead users to believe their conversations are protected from third parties.

References

  1. Android market app ranklist. http://www.androidrank.org/. Accessed: 2017-05-16.
  2. Secret conversations in Facebook. https://www.facebook.com/help/messenger-app/1084673321594605. Accessed: 2017-05-16.
  3. End-to-end encryption (WhatsApp). https://www.whatsapp.com/faq/en/general/28030015. Accessed: 2017-05-16.
  4. Telegram. telegram.org. Accessed: 2017-05-16.
  5. Vkontakte founder Pavel Durov learns he’s been fired through media. Accessed: 2017-05-16.
  6. Telegram messenger CLI. https://github.com/vysheng/tg. Accessed: 2017-05-16.
  7. Operational Telegram. https://medium.com/@thegrugq/operational-telegram-cbbaadb9013a. Accessed: 2017-05-16.
  8. Matt Green on Twitter about Telegram. https://twitter.com/matthew_d_green/status/582916365750669312. Accessed: 2017-05-16.
  9. Is Telegram secure (Russian). https://habrahabr.ru/post/206900/. Accessed: 2017-05-16.
  10. Shattered. https://shattered.io. Accessed: 2017-05-16.

Authors:
Hayk Saribekyan ([email protected]), Akaki Margvelashvili ([email protected])