On SMS logins: an example from Telegram in Iran
Most mobile messaging apps these days use SMS as a login technique. It’s really convenient because it doesn’t require the user to remember yet another username or identifier and telcos are taking care of the identity management such as re-assigning the phone number to you if you lose your phone.
SMS messages are trivial for your telecom provider to intercept. And in almost all countries, providers actively cooperate with the state to help intercept text messages and phone calls. But it’s not only your telecom provider: devices like IMSI catchers give a local adversary a cheap and efficient way of intercepting text messages.
Applications such as Telegram Messenger not only allow a user to sign up with an SMS, but also let them log in to see previous messages. The application stores your messages, content and contacts, as disclosed in its privacy policy:
We store messages, photos, videos and documents from your cloud chats on our servers, so that you can access your data from any of your devices anytime and use our instant server search to quickly access your messages from waaay back.
An attacker that can intercept a single SMS is therefore capable of reading your messages from “waaay back”.
Attacks like that are not just theoretical. Let’s take a recent example, Iran.
Telegram has gotten a huge amount of signups in Iran and according to Durov, its founder, Iranian users constitute up to 20% of their user base.
When Telegram was getting some traction over the summer (June 2015), Iranian users started getting unsolicited login messages to sign into the Telegram website, which were believed to be related to a Telegram interception program operated by Iranian intelligence. Check the replies to this tweet:
Who got this message from #Telegram today?
#Retweet
#Spam #Security #Iran pic.twitter.com/xxEJBZbWSf
— Nariman (@NarimanGharib) June 20, 2015
Over the past few months, there has been a lot of chatter about the relationship between Telegram and Iran. It is widely known that Iran blocks services that blind its intelligence branches and that are unwilling to cooperate. Durov repeatedly came out claiming that they were not collaborating with Iran outside of blocking porn and jihadi channels (for public content), which they do worldwide.
@persianbanoo @SinaKK We shut down porn / ISIS channels based on the reports from users. @telegram never does political censorship.
— Pavel Durov (@durov) January 13, 2016
More recently, some popular Telegram channels promoting political poems or ideologies have been shut down. Iranian activists asked Durov about why those political channels were suspended.
Mr @durov can you explain why you closed the PDKI channel in @telegram? :)
#Censorship #Telegram #PDKI #Iran pic.twitter.com/wvUrCes7fT
— Kevin Miston (@KevinMiston) January 11, 2016
One day you wake up and see you've gone to...
My Telegram channel was deleted / did they delete it?! pic.twitter.com/C5KMj99jhg
— فاطمه اختصاری (@fatemeekhtesari) January 12, 2016
After investigation, Telegram said that the channels were not suspended, but deleted by their owners.
@KevinMiston @durov Investigation showed: The owner deleted his account on Jan 10, so all his channels became unavailable. Nothing blocked.
— Telegram Messenger (@telegram) January 11, 2016
These are probably just a few examples of hacked channels. Unlike surveillance, censorship can be observed. It’s only because Iran started deleting popular channels that it became clear they were hacking into Telegram accounts; but how many activists were arrested over Telegram discussions that were intercepted? That is significantly more difficult to evaluate.
Further investigation of some of the cases: IRI hacking into accounts, not censorship. Tnx @telegram 4 being responsive
https://t.co/QGk7picBcF
— Reza Ghazinouri (@ghazinouri) January 13, 2016
Despite good intentions, it’s becoming clearer that a good number of activists who trusted the application that branded itself as the “safest” messaging app are getting their accounts hacked and channels deleted.
Countries like Iran tend to block applications that blind their intelligence services as they get popular. Repeated claims by the authorities that they wouldn’t block Telegram should already have sounded suspicious. If a single SMS is enough to get access to a user’s account and data, you have designed your system with a backdoor that any serious adversary can exploit.
Does this affect only Telegram?
No, other services where you only need to send an SMS to log in are affected by this. But unlike Telegram, a lot of other messaging applications don’t store your messages and content server-side.
This is a reminder for all users of messaging apps in risky environments: verify fingerprints.
SMS activation in most messaging apps can be compared to your server sign-in for Jabber when using OTR. It is just your login to the message server; unless you verify fingerprints, you are still at risk of interception.
Mitigations:
- Enable 2-Step authentication (and verify active sessions while you’re at it) and only use “secret chats”.
- Or just move to an application that won’t store plaintext messages on their servers if you’re operating in such a risky environment.
Note on two-factor authentication
Because of the weaknesses of the SMS protocol, it’s generally safer to set up two-factor authentication with a YubiKey or TOTP (such as Google Authenticator). Unfortunately, many services don’t let you opt out of SMS fallback for second-factor authentication.
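To make the difference concrete, here is an added example (not code from the post or from Telegram) of a login check in which an intercepted SMS code is sufficient on its own, next to the same check with an RFC 6238 TOTP second factor enrolled. The `login` function, the demo secret and the SMS code are assumptions constructed for the illustration.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional

# Constructed base32 secret of the kind a TOTP app would enrol; not a real credential.
DEMO_TOTP_SECRET_B32 = "JBSWY3DPEHPK3PXP"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, at // step, digits)


def verify_totp(secret_b32: str, candidate: str, at: int, window: int = 1) -> bool:
    """Accept the current 30 s step and +/- `window` neighbouring steps for clock drift."""
    counter = at // 30
    return any(hmac.compare_digest(hotp(secret_b32, counter + k), candidate)
               for k in range(-window, window + 1))


def login(sms_expected: str, sms_given: str,
          totp_secret_b32: Optional[str], totp_given: Optional[str], at: int) -> bool:
    """Hypothetical server-side check.

    With no second factor enrolled, whoever holds the SMS code (the user or an
    interceptor) is logged in. With a TOTP secret enrolled, the SMS alone fails.
    """
    if not hmac.compare_digest(sms_expected, sms_given):
        return False
    if totp_secret_b32 is None:
        return True  # SMS-only: one intercepted text message is full account access
    return totp_given is not None and verify_totp(totp_secret_b32, totp_given, at)
```

The test vectors in RFC 4226 and RFC 6238 (ASCII secret "12345678901234567890") reproduce with this implementation, e.g. counter 0 gives 755224 and T=59 gives 287082 (6-digit form).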
Disclosure: I have previously worked on encrypted messaging software.
Update I: Telegram clarified that one of the mentioned channels was deleted because of inactivity.
@CDA @Ammir @KevinMiston This channel got deleted because it was created by an inactive account that was set to self-destruct by its owner.
— Pavel Durov (@durov) January 14, 2016
It is also important to note that some other accounts could have been compromised by malware instead, since some malware samples look for activation SMSes.
Update II: I posted in April 2016 an update after new cases emerged in Russia and Iran.