Researchers from Royal Holloway, University of London and ETH Zurich have documented significant problems with the security of Telegram’s encryption protocol.
While Telegram fixed the four specific flaws the researchers identified, the researchers also highlighted underlying problems with Telegram’s general approach to encryption.
This criticism of Telegram is long-standing and stems from its use of a home-grown protocol, MTProto: the protocol is publicly documented and the official clients are open source, but the server side is closed and the design had never received a published security analysis.
For years, security professionals warned that Telegram’s encryption rests on a custom protocol, developed by Telegram itself and composing standard primitives in non-standard ways, rather than on proven industry standards.
Martin Albrecht and Lenka Mareková from the Information Security Group at Royal Holloway, University of London, and Kenneth Paterson and Igors Stepanovs from the Applied Cryptography Group at ETH Zurich have now provided a formal analysis of the problem.
Their paper, Four Attacks and a Proof for Telegram, is to appear at the IEEE Symposium on Security and Privacy 2022.
“The results from our analysis show that for most users, the immediate risk is low, but these vulnerabilities highlight that prior to our work, Telegram fell short of the cryptographic guarantees given by other deployed cryptographic protocols such as Transport Layer Security,” Albrecht said.
First, the researchers showed four attacks on Telegram’s encryption scheme.
Telegram patched all four after the researchers reported them privately and before the flaws were made public.
The researchers judged the most significant vulnerabilities to be those that let an attacker on the network manipulate the order of messages sent from a client to one of the cloud servers that Telegram operates globally.
Dubbed the crime-pizza vulnerability, the researchers gave the light-hearted example of a client sending the messages “I say yes to”, followed by “pizza”, and then “I say no to”, followed by “crime”.
If the messages “pizza” and “crime” are swapped in transit, the client appears to be declaring a willingness to commit a crime.
The second attack is mostly of theoretical interest: it lets an attacker on the network tell which of two candidate messages a client or server has encrypted.
The researchers pointed out, however, that other cryptographic protocols are designed to rule out even such attacks, since every bit of leaked information could be exploited.
Telegram awarded the researchers a bug bounty for a timing side channel that could, in principle, allow attackers to recover some plaintext from encrypted messages.
While this sounds alarming, exploiting it would require an attacker to send millions of carefully crafted messages to a target and measure minute differences in how long the response takes to arrive.
The flaw was in the implementation of Telegram’s official Android, iOS and Desktop clients and was patched in June 2021.
“It is mostly mitigated by the coincidence that certain metadata in Telegram is chosen randomly and kept secret,” the researchers noted.
“The presence of these implementation weaknesses, however, highlights the brittleness of the MTProto protocol: it mandates that certain steps are done in a problematic order, which puts significant burden on developers — including developers of third-party clients — who have to avoid accidental leakage.”
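To make the two attack classes described above concrete, here is an added example written for this article; it is not code from the paper, from Telegram, or from any MTProto client. It models a simplified MTProto-like channel in Python: as in MTProto, the integrity tag is computed over the plaintext and the encryption key is derived from that tag, so the receiver must decrypt before it can authenticate. `reorder_attack` replays the crime-pizza swap against a receiver that does or does not bind the message position into the tag, and `length_oracle` flips bits of an encrypted length field to show that a receiver which parses the length before checking the tag (`open_brittle`) reacts differently from one that authenticates the whole buffer first (`open_careful`). The real attack observed timing rather than error strings, and real MTProto carries its sequence number inside the encrypted payload; the key, message layout, padding and all function names here are constructed for this example.

```python
import hashlib
import hmac
import struct

# Constructed shared key for the example (real MTProto uses the auth_key
# negotiated with the server; nothing here is Telegram's actual construction).
KEY = hashlib.sha256(b"constructed toy key for this example").digest()
TAG_LEN = 16   # a 16-byte tag, the same size as MTProto's msg_key
PAD = 12       # fixed zero padding, so the length field is the only variable part


def _keystream(tag: bytes, n: int) -> bytes:
    """Expand the tag into n keystream bytes (stands in for MTProto deriving
    its AES key and IV from msg_key; an HMAC counter is enough for a demo)."""
    blocks = [hmac.new(KEY, tag + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _tag(seq: int, plaintext: bytes, bind_seq: bool) -> bytes:
    """Tag over the plaintext, like msg_key.  With bind_seq the receiver's
    expected position is mixed in, so a message only verifies where it was sent."""
    position = struct.pack(">Q", seq) if bind_seq else b""
    return hmac.new(KEY, position + plaintext, hashlib.sha256).digest()[:TAG_LEN]


def seal(seq: int, body: bytes, bind_seq: bool) -> bytes:
    """Wire format: tag || ciphertext.  Plaintext layout: len(4) || body || pad."""
    plaintext = struct.pack(">I", len(body)) + body + b"\x00" * PAD
    tag = _tag(seq, plaintext, bind_seq)
    return tag + _xor(plaintext, _keystream(tag, len(plaintext)))


def _parse(plaintext: bytes) -> bytes:
    (n,) = struct.unpack(">I", plaintext[:4])
    if n > len(plaintext) - 4 - PAD:
        raise ValueError("bad length")
    return plaintext[4:4 + n]


def _decrypt(wire: bytes) -> tuple:
    tag, ct = wire[:TAG_LEN], wire[TAG_LEN:]
    return tag, _xor(ct, _keystream(tag, len(ct)))


def open_brittle(seq: int, wire: bytes, bind_seq: bool) -> bytes:
    """Decrypt, parse the length, *then* check the tag.  The length check runs
    on unauthenticated bytes, so which error is raised depends on plaintext content."""
    tag, plaintext = _decrypt(wire)
    body = _parse(plaintext)                       # processed before authentication
    if not hmac.compare_digest(tag, _tag(seq, plaintext, bind_seq)):
        raise ValueError("bad tag")
    return body


def open_careful(seq: int, wire: bytes, bind_seq: bool) -> bytes:
    """Decrypt, authenticate the whole buffer in constant time, then parse."""
    tag, plaintext = _decrypt(wire)
    if not hmac.compare_digest(tag, _tag(seq, plaintext, bind_seq)):
        raise ValueError("bad tag")
    return _parse(plaintext)


def reorder_attack(bind_seq: bool) -> list:
    """A network attacker swaps the 2nd and 4th ciphertexts (the crime-pizza
    example).  Returns what the receiver accepts at each position."""
    msgs = [b"I say yes to", b"pizza", b"I say no to", b"crime"]
    wires = [seal(i, m, bind_seq) for i, m in enumerate(msgs)]
    wires[1], wires[3] = wires[3], wires[1]
    result = []
    for i, w in enumerate(wires):
        try:
            result.append(open_careful(i, w, bind_seq))
        except ValueError:
            result.append("REJECTED")
    return result


def length_oracle(opener, flip: int) -> str:
    """Flip bits in the low byte of the encrypted length field.  The tag is left
    intact, so the keystream is unchanged and the decrypted length changes by
    exactly the flipped bits.  Reports how the receiver reacts."""
    wire = bytearray(seal(7, b"hello", True))
    wire[TAG_LEN + 3] ^= flip
    try:
        opener(7, bytes(wire), True)
        return "accepted"
    except ValueError as e:
        return str(e)


if __name__ == "__main__":
    print("no position binding:", reorder_attack(False))
    print("position bound:     ", reorder_attack(True))
    for flip in (0x01, 0x08):
        print(f"flip 0x{flip:02x}: brittle={length_oracle(open_brittle, flip)!r} "
              f"careful={length_oracle(open_careful, flip)!r}")
```

Run the file directly to print both experiments. Without position binding the receiver happily accepts "I say yes to crime"; with it, the swapped ciphertexts are rejected. In the second experiment the brittle receiver answers "bad length" for one bit flip and "bad tag" for another, an oracle on unauthenticated plaintext that a real attacker would read from timing; the careful receiver answers "bad tag" both times because nothing plaintext-dependent happens before the constant-time tag check over the entire decrypted buffer.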
The researchers also showed how an attacker could mount a man-in-the-middle attack on the initial key negotiation between client and server.
This lets the attacker impersonate the server to a client, breaking both the confidentiality and the integrity of the communication.
“Luckily, this attack is also quite difficult to carry out, as it requires sending billions of messages to a Telegram server within minutes,” the researchers stated.
“However, it highlights that while users are required to trust Telegram’s servers, the security of those servers and their implementations cannot be taken for granted.”
The good news for Telegram is that the researchers proved that its custom MTProto scheme, with the changes they suggested adopted, provides a confidential and integrity-protected channel.
“The Telegram developers communicated to us that they did adopt these changes,” the researchers stated.
“Telegram awarded a cash prize for this analysis to stimulate future analysis.”
However, this comes with significant caveats.
The researchers explained that cryptographic protocols like MTProto are assembled from building blocks such as hash functions, block ciphers, and public-key encryption.
In a formal security analysis, the protocol’s security is reduced to the security of its building blocks.
“This is no different to arguing that a car is road-safe if its tyres, brakes and indicator lights are fully functional,” the researchers said.
In the case of Telegram, however, the security requirements placed on those building blocks are unusual and had not been studied in previous research.
“This is somewhat analogous to making assumptions about a car’s brakes that have not been lab-tested,” the researchers said.
Other cryptographic protocols such as Transport Layer Security, which is used across the Internet, do not have to rely on this sort of special assumption, they said.
Another caveat is that the researchers only studied the three official Telegram clients and no third-party clients.
“Some of these third-party clients have substantial user bases,” the researchers noted.
They said the brittleness of MTProto is a cause for concern, since developers of these third-party clients could make the same kind of implementation mistakes that caused the timing leaks found in the official clients.
“Alternative design choices for MTProto would have made the task significantly easier for the developers,” the researchers concluded.