EDIT: The following post * was not on a rooted or jailbroken device *. In order to access the plain-text secret-chat database containing the messages, we used our implementation of CVE-2014-3153. The claims that the device is rooted / jailbroken are incorrect and misleading.
I will start by quoting CryptoFail blog
“Telegram is an encrypted instant messaging app for iOS and Android devices. Obviously, I wouldn’t mention it on this blog if its crypto was perfect. In fact, it’s far from perfect. It’s almost horrifying.
I’m not sure if it was in response to some good criticism, but Telegram recently announced a crypto contest. Basically, if you can recover an email address that was encrypted with their secure messaging app, you can win $200,000 USD worth of Bitcoin.
Unfortunately, the contest is useless. Neither users nor Telegram developers will learn anything from the contest results. But, Telegram will still be able to point to the contest and say, “Look! No one has won the contest, so our software is secure!” Naive users will believe Telegram, and they will feel safe using dangerously broken encryption.”
I decided to take a closer look at the contest. My intention was to see if I could read encrypted messages without being on-the-wire. I conducted a test using Android OS version 4.4.2.
Telegram claims to be a privacy oriented messaging app capable of encrypting personal and business secrets – only they are not. A critical vulnerability discovered by Zimperium Mobile Security Labs exposes their more than 50 million users who believe the app provides the security to chat freely. Let me explain how we stumbled onto this vulnerability.
The old Crypto contests from Telegram reference breaking its protocol while being in the middle of an encrypted conversation. This is not a sound idea for two reasons:
1. In the real world hackers do not play by the rules.
2. This assumes hackers would try to break Telegram’s encryption in the middle, when you can instead find weaknesses in other protocols which provide more benefits (e.g: GoToFail to bypass SSL encryption on iOS).
The New Crypto contests by Telegram says, “…and this time contestants can not only monitor traffic, but also act as the Telegram server and use active attacks, which vastly increases their capabilities.”
As a result, I am not going to break the encryption simply by avoiding it. I am going to bypass the encryption by simulating an active attack on the device.
The best way to do this is by understanding the anatomy of cyberattacks and the architecture of mobile devices. It did not take me long to install Telegram’s software, find both the encrypted and non encrypted texts that I sent, along with a Database containing all of the above.
Telegram’s website says: “A Secret Chat is a one-on-one chat wherein all messages are encrypted with a key held only by the chat’s participants. By definition, it follows that no third parties can access the decrypted content without access to one of the devices.” This raises 2 questions: First, assuming a user has no physical access to the device and the device was hacked remotely – how easy would it be for the attacker to retrieve the end-to-end encryption deployed by Telegram? Second, if and how are the Telegram’s Secret Chats encrypted on the mobile device?
It’s easier to find a vulnerability in a phone and hack it remotely via URL/PDF/Man-In-The-Middle and other attack techniques that I have discussed before. Once you hack a mobile phone, you need to elevate your privileges in order to gain control of the device. This can be easily done using a Kernel exploit.
If you are new to mobile security, I’ve included some examples below that demonstrate how an individual can perform an attack on a mobile device remotely. This type of hack would be even easier for nation-state actors with even more resources, time and money at their disposal:
1. Client-side vulnerability: Chrome exploit – Pwn2Own Autumn 2013
2. Kernel exploit – CVE-2014-3153 (a.k.a – TowelRoot)
Let’s take a look at what I did. I started by creating secret messages within the Android version of the Telegram app with the intention of finding it non-encrypted somewhere. I assumed that the Secret-Chat messages were encrypted in memory, or at least in the local database. Is that too much to ask for from a privacy and security oriented text messenger?
If you take a screenshot as the attacker, a notification will be sent to both users – so one can assume that security and privacy must be a top priority for Telegram. However, to believe that an attacker will take a screenshot instead of taking complete control of the device is a bit naive.
I gave Telegram the benefit of the doubt and did not look for the more common mistakes that you can expect to see in non-security oriented programs. I simulated an attack originating from an App / Client Side vulnerability that gains permissions by running a kernel exploit (I used CVE-2014-3153)- as described above. There are cleaner ways to dump the results, but I just wanted to provide a proof of concept (POC). Telegram has a feature called “Secret Chat” with a lock (see above) that feels secure. I dumped the process memory of Telegram and searched for strings that contain the word I sent and received in the picture above.
As you can see – the words Woof, Text, Shlookido, Cookiedo, Tambalul and NotSoEncryptedInMemory are, well… not encrypted in the process memory. Any attacker that gains access to the device can read the messages without too much effort. The Secure-Chat messages can be read in clear-text in Telegram’s memory. This discovery prompted me to check to see whether there is an easier way to access the content of the messages – and I was successful.
While Telegram’s communication was supposed to be encrypted (it was broken as well…)
To complete my research I accessed the shell I received previously from running CVE-2014-3153 to look at the App’s files at /data/data/org.telegram.messenger/ and I discovered a file called Cache4.db in the app’s “files” folder:
I assumed “enc_chats”, “enc_tasks_v2”, enc probably stood for encrypted so I fetched this file and examined it. The file contained our secret messages in plain-text!
One of the most interesting features in the Telegram messaging app is the “Delete” messages function. My next attempt was designed to access and retrieve sensitive information previously deleted by the user. I wanted to retrieve deleted messages directly from the memory or cache4.db files.
I clicked on options->Set Self Destruct to 5 seconds, and I expected the message to be deleted but nothing happened on either phone. It looked like a bug, not a security related issue.
I deleted the message by clicking on options->delete.
An inspection of the cache4.db file showed no signs of the conversation. (A deleted message might be more interesting to an attacker.) After examining the cache4.db file I looked at the memory and was able to find the original conversation after I had deleted it from the memory.
Below is the disclosure timeline that we follow as part of the Zimperium Zero-Day Disclosure Policy. We have made several attempts to contact Telegram’s security team and have yet to receive a response from Telegram for over 30 days. For reference, here is a copy of our policy: 30 days zero-day policy.
1. 17/1/2015 – Vulnerability found
2. 18/1/2015 – Vulnerability responsibly disclosed ZVD-2015-0100, ZVD-2015-0101, ZVD-2015-0102 according to our 30 days zero-day policy – no response from vendor.
3. 23/1/2015 – Asked vendor to comment – no response
4. 3/2/2015 – Asked vendor to comment – no response
5. 6/2/2015 – Asked vendor to comment – no response
6. 23/2/2015 – Vulnerability made public
My conclusion is simple.
While Telegram was founded upon a noble goal of providing privacy to consumers everywhere at no cost, they have fallen short of their objective by focusing purely on data-in-transit versus protecting data-at-rest on the mobile device itself. What is regrettable is that I approached Telegram multiple times and have yet to receive a response. Telegram’s so-called powerful encryption is not protecting users any better than any other page or app that uses SSL. If you are using Telegram because you want to ensure your privacy and the privacy of the messages you are sending, be aware that it will not stop sophisticated hackers from reading your messages. We highly recommended adding additional protection to your mobile device that can detect device-level cyberattacks.
In order to better protect critical communication, I would have expected Telegram (or any messaging software) to encrypt chat strings in memory, as-well as encrypting the conversations in the cache4.db file. Zimperium’s Mobile Threat Defense system detected the entire attack chain that was performed in-order to obtain the content of the secret messages
Zimperium is the leader in Enterprise Mobile Security. The Zimperium Mobile Threat Defense system delivers enterprise-class protection for Android and iOS devices against the next generation of advanced mobile threats. Developed for mobile devices, Zimperium uses patented, behavior-based analytics that sit on the device to protect mobile devices against host and network-based threats wherever business takes them.
Follow me on twitter (@ihackbanme)