Amnesty International technologist Claudio Guarnieri and independent researcher Collin Anderson have added their voices to the growing global mistrust of the widely used practice of verifying accounts with one-time codes sent by SMS, messages that a telecom service provider can read with ease.
Speaking to Reuters, the researchers described a weakness inherent in SMS text messages, which major apps such as WhatsApp, Telegram and Facebook Messenger use to verify phone accounts. Earlier this year, hackers breached dozens of accounts on Telegram, Iran's most popular chat app with 20 million users. The hacker group Rocket Kitten, suspected of ties to the Iranian government, also identified the phone numbers of 15 million Iranian Telegram users.
SMS verification code hack
The hackers did not attack Telegram's encryption, which nobody has yet broken. Rather, they exploited a weaker link: the one-time code sent by SMS to verify a new device. Anyone who can read that SMS can complete the verification and add a device of their own to the account, and the same weakness exists in most chat apps that use a phone number to verify accounts. Secret chats in Telegram are not exposed by this attack, because they are stored only on the two devices that took part in them; ordinary cloud chats, which are synced to every logged-in device, are.
In countries with unusually tight state control, such as Iran, intercepting SMS text messages isn't complicated: the Iranian state owns or controls a large share of the telecom industry. The researchers nonetheless declined to say whether Rocket Kitten, which targeted individuals critical of the Iranian government, was politically motivated.
The hackers also used a flaw in Telegram's API to identify the 15 million Iranian phone numbers: the API let them query millions of numbers in bulk and learn which ones belonged to a Telegram account. Telegram has since patched the flaw, and according to a post on Telegram's blog such mass lookups are no longer possible.
Quotable: “We have over a dozen cases in which Telegram accounts have been compromised, through ways that sound like basically coordination with the cellphone company.” Collin Anderson, Independent Researcher
“If you have a strong Telegram password and your recovery email is secure, there’s nothing an attacker can do.” Markus Ra, Telegram spokesman.
How to Secure your Telegram account
The 'massive' attack on Telegram that the media has reported is really a general weakness of SMS verification that every app relying on phone numbers shares. Telegram does have well-documented measures in place to mitigate it. Dignited wrote about 7 great Telegram security features we suggest everyone on Telegram use. To fully benefit from this added security, one shouldn't settle for half-measures, especially when living under an oppressive government.
If we have any Iranian readers, it would be wise to look up these security features. On top of this, they should enable 2-step authentication on the e-mail account used for recovery, since that address is what an attacker would go after next. Better yet: change the password first, review the security settings, then turn on 2-step authentication. Technology is fundamentally flawed, but there are ways of walling off our information as best we can. These are the features you need to beef up security on Telegram.
Telegram Security Features
- Set a device passcode lock
- Enable 2-step verification (a password that is required in addition to the SMS code when logging in on a new device)
- Use secret chats for sensitive conversations
- Change your public username
- Log out other sessions (terminate any device you don't recognise)
- Set a self-destruct timer
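As an added illustration (not Telegram's code, and not taken from the researchers' report), the following Python model shows why an attacker who can read a victim's SMS succeeds against phone-number-only login and fails once 2-step verification, a password checked on top of the SMS code, is switched on. The carrier log standing in for interception, the code format, the 120-second expiry, the five-attempt limit, the PBKDF2 parameters and the sample number are all assumptions of the model.

```python
import hashlib
import hmac
import secrets
import time

# Illustrative model of a phone-number login flow (added example, not
# Telegram's code). The carrier is a plain message log that an eavesdropper
# (a cooperating telco, or anyone with SS7 access) can read.


class Carrier:
    """Delivers SMS and keeps a log; the log stands in for interception."""

    def __init__(self):
        self.log = []

    def send(self, number, text):
        self.log.append((number, text))

    def last_sms_for(self, number):
        # What an attacker who can read the subscriber's SMS traffic sees.
        for to, text in reversed(self.log):
            if to == number:
                return text
        return None


class AccountServer:
    CODE_TTL = 120       # seconds a login code stays valid (assumed value)
    MAX_ATTEMPTS = 5     # guesses allowed per code before it is discarded

    def __init__(self, carrier, clock=time.time):
        self.carrier = carrier
        self.clock = clock
        self.pending = {}    # number -> [code, expires_at, attempts_left]
        self.passwords = {}  # number -> (salt, pbkdf2 hash) when 2-step is on
        self.sessions = {}   # number -> set of logged-in device ids

    def enable_two_step(self, number, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        self.passwords[number] = (salt, digest)

    def request_code(self, number):
        code = f"{secrets.randbelow(100_000):05d}"
        self.pending[number] = [code, self.clock() + self.CODE_TTL, self.MAX_ATTEMPTS]
        self.carrier.send(number, f"Login code: {code}")

    def _check_code(self, number, code):
        entry = self.pending.get(number)
        if entry is None or self.clock() > entry[1] or entry[2] <= 0:
            self.pending.pop(number, None)   # expired or exhausted: discard
            return False
        entry[2] -= 1
        if not hmac.compare_digest(entry[0], code):
            return False
        del self.pending[number]             # a code is single use
        return True

    def _check_password(self, number, password):
        if password is None:
            return False
        salt, digest = self.passwords[number]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        return hmac.compare_digest(candidate, digest)

    def login(self, number, device_id, code, password=None):
        """Returns 'ok', 'bad_code' or 'bad_password'."""
        if not self._check_code(number, code):
            return "bad_code"
        if number in self.passwords and not self._check_password(number, password):
            return "bad_password"
        self.sessions.setdefault(number, set()).add(device_id)
        return "ok"

    def active_sessions(self, number):
        return set(self.sessions.get(number, set()))

    def terminate_other_sessions(self, number, keep_device):
        self.sessions[number] = {keep_device} & self.sessions.get(number, set())


def code_from_sms(text):
    return text.rsplit(" ", 1)[1]


def intercept_and_login(server, carrier, number, device_id, password=None):
    """Attacker who can read the victim's SMS tries to add their own device."""
    server.request_code(number)                       # attacker starts a login
    code = code_from_sms(carrier.last_sms_for(number))  # and reads the code
    return server.login(number, device_id, code, password)


def demo():
    number = "+1 555 010 0000"   # constructed sample number
    carrier = Carrier()
    server = AccountServer(carrier)
    results = {}
    # The victim registers their own phone first.
    server.request_code(number)
    server.login(number, "victim-phone", code_from_sms(carrier.last_sms_for(number)))
    # SMS-only verification: reading the SMS is enough to add a device.
    results["sms_only"] = intercept_and_login(server, carrier, number, "attacker-laptop")
    # The victim now enables 2-step verification and logs out other sessions.
    server.enable_two_step(number, "correct horse battery staple")
    server.terminate_other_sessions(number, "victim-phone")
    results["with_two_step"] = intercept_and_login(server, carrier, number, "attacker-laptop")
    results["sessions"] = server.active_sessions(number)
    return results
```

Running `demo()` gives `"ok"` for the SMS-only login and `"bad_password"` once the password is required, leaving only the victim's own device in the session list. Note what the model does not fix: the attacker still receives the code and can still lock the victim out of SMS delivery; the password only stops them from turning an intercepted code into a working session, which is exactly the gap the Telegram spokesman's quote above points at.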
2 thoughts on “SMS verification flaw compromises dozens of Telegram accounts, here’s what to do about it”
Great story but I’d update “In countries experiencing unusual state control” which is misleading. This type of attack is possible in almost every country.
A short explanation: http://www.theregister.co.uk/2016/05/10/ss7_mobile_chat_hack/
A detailed explanation and demo video, also reporting from direct contact that most German networks have known of this problem for years but have chosen not to fix it. https://media.ccc.de/v/31c3_-_6249_-_en_-_saal_1_-_201412271715_-_ss7_locate_track_manipulate_-_tobias_engel
Thank you for pointing out the oversight. You're right. It doesn't take much for any government to exploit this hack.