Telegram as an OSINT source for the Intelligence Community
Date: 28 Apr 2019
Telegram, launched in 2013, is an instant messaging, voice and video messaging service available on iOS, Android, Windows, macOS and Linux (amongst others). The app provides password access, message burn based on a timer or on conversation termination, cloud storage, and on-request end-to-end encryption.
Encryption cannot be enabled for active chats or channels if it was not selected when the chat or channel was set up. If a conversation or group chat is already in progress, encryption cannot be activated retroactively: a new conversation has to be set up with end-to-end encryption explicitly requested.
Open Source or Proprietary
The source code for the desktop and mobile app versions is open source and can be downloaded and reviewed. On that basis, Telegram uses community feedback to improve the UX and to make tweaks to the product roadmap.
The app boasts three layers of encryption, the third of which is Telegram's homebrew, closed encryption protocol MTProto. More on that later (see "The MTProto Custom Protocol" below).
Account Verification Is Easily Fooled
Telegram implements mandatory "account authentication" as part of the app setup process. It is notionally in place as a nod to community safety and is described as "a failsafe feature that seeks to prevent bots and automated account creation and to help keep the community relatively safe". That is a vacuous statement.
For the criminal user there are ways to comply with this mandatory step without divulging any personal details or leaving any breadcrumbs of worth. Using a burner number to verify the Telegram account is trivial. A landline number at a spurious location is another option, on condition that someone is present to answer the call and collect the code. In the USA, account verification can be completed using Google Voice associated with an active Google account. Setting up a fake Google account and collecting the code fulfils the authentication requirement using that method.
Security & Privacy Concerns
For legitimate users, Telegram exposes the phone number supplied during the account verification process to possible theft; phone numbers harvested this way are regularly used by criminals as an attack vector in phishing scams.
Telegram also potentially allows the theft of a user's contacts database. As part of the app installation process, permission to access the new user's contacts database is mandatory. More savvy users can spoof that permission using the right tools, but that is not something Average Joe is going to do. By extension, Telegram also possesses the capacity to maintain a social map of, and a relationship matrix for, its entire user base.
Telegram provides an abundance of publicly available metadata on user activities. Metadata is often even more useful than the actual message content, for a variety of reasons that we will not cover here.
Telegram Fails To Sanction Bad Actors for API Abuse
Telegram also offers access to public APIs, including the Bot API, the Telegram API and TDLib, and Telegram Widgets, which allow the creation of games, alerts, data visualizations and custom tools, and which are also used to facilitate payments between users.
“We offer two kinds of APIs for developers. The Bot API allows you to easily create programs that use Telegram messages for an interface. The Telegram API and TDLib allow you to build your own customized Telegram clients. You are welcome to use both APIs free of charge. You can also add Telegram Widgets to your website.”
The "Privacy and Security" section of Telegram's Terms of Service states that all client apps must "guard their users' privacy with utmost care" and comply with its security guidelines, and that Telegram reserves the right to "discontinue" any app's access to Telegram's Application Programming Interface (API) if those terms are violated.
This API access has been used by state actors to develop apps that are greyware at best and spyware at worst. Both kinds monitor user activity to a greater or lesser degree; all of them can identify networks of connected users and extract metadata, and in some cases message content, which extends to the amendment and deletion of chats and channels.
The Iranian Telegram Greyware Apps
The December 2018 article "Why Did Telegram Warn Users That Iranian Versions of the Telegram App—Talaeii and Hotgram—Are "Unsafe"?" by the Center for Human Rights in Iran (CHRI) noted that:
“There are currently only two Iranian-developed versions of the Telegram app — Telegram Talaeii (“Telegram Gold”) and Hotgram — available on the Iranian app store, Cafe Bazaar. The original Telegram app had a reported 40 million monthly users in Iran before the Iranian government banned it in April 2018.
Iran’s order to block Telegram came after months of unsuccessful pressure on the company by the Iranian Judiciary and state officials to move its servers to Iran and comply with Iranian censorship policies. Hostility to Telegram also increased after protestors used the messaging app during the unrest that broke out across Iran in December 2017/January 2018 to spread word of the street gatherings.
After the original Telegram was banned, many people in Iran began using the two Iranian-made client apps, Telegram Talaeii and Hotgram. As of July 2018, they had a combined 30 million users in Iran, according to Assistant Prosecutor General Abdolsamad Khorramabadi.”
In response to a rising chorus of concerns from internet security experts, Telegram issued a warning to users of the Iranian-made versions of Telegram that the apps were "unsafe".
"Warning! The app you are using was not made by Telegram and is unsafe. We can only guarantee your safety if you use official Telegram apps," said a message that appeared when users first logged on to the apps on December 15, 2018.
The Center for Human Rights in Iran (CHRI)
The Center for Human Rights in Iran (CHRI) welcomed this move by Telegram. Five months before the company issued the warning, and again a week before the advisory was issued, CHRI had reached out to Telegram urging it to inform users that the Iranian government can access and monitor private user activities on the modified Telegram Talaeii and Hotgram apps.
"Now that Telegram has deemed these apps 'unsafe,' the natural next step would be discontinuing their access to Telegram's servers since they violate Telegram's own Terms of Service," said Amir Rashidi, an internet security researcher at CHRI.
In 2018, three Iranian internet security researchers reported, in statements cited by Iranian media (including the mainstream newspaper Hamshahri and the tech site Digiato), that Telegram Talaeii is capable of various security violations.
These include stealing Telegram identity verification codes that could be used to access users' Telegram accounts, expelling admins and deleting their channels without the user's knowledge, and sending and receiving lists of all the people users communicate with, along with their usernames.
Talos Security Intelligence and Research Group
Digital security experts at the Talos Security Intelligence and Research Group, owned by the US tech giant Cisco, have also pointed out security flaws in both apps.
"Once installed, some of these Telegram 'clones' have access to mobile devices' full contact lists and messages, even if the users are also using the legitimate Telegram app," said five Cisco Talos experts in a jointly-authored blog post published November 5, 2018.
"We declare with high confidence that these apps should be classified as 'greyware.' It is not malicious enough to be classified as malware, but is suspicious enough to be considered a potentially unwanted program (PUP)," they added.
Now that Telegram has publicly acknowledged that the Iranian-made client apps are "unsafe," discontinuing their access to Telegram's servers would help ensure that the Iranian government does not use Telegram to spy on Iranian citizens. To date, however, Telegram has not done so.
The MTProto Custom Protocol
As already stated, Telegram boasts three layers of encryption, including the custom MTProto protocol.
The protocol works as follows. Before a message (or a multipart message) is transmitted over a network using a transport protocol, it is encrypted in a certain way, and an external header is added at the top of the message consisting of a 64-bit key identifier auth_key_id (which uniquely identifies an authorization key for the server as well as the user) and a 128-bit message key msg_key.
The authorization key auth_key combined with the message key msg_key defines an actual 256-bit key aes_key and a 256-bit initialization vector aes_iv, which are used to encrypt the message using AES-256 in infinite garble extension (IGE) mode. Note that the initial part of the message to be encrypted contains variable data (session, message ID, sequence number, server salt) that obviously influences the message key (and thus the AES key and IV).
In MTProto 2.0, the message key is defined as the 128 middle bits of the SHA-256 of the message body (including session, message ID, padding, etc.) prepended by 32 bytes taken from the authorization key. In the older MTProto 1.0, the message key was computed as the lower 128 bits of SHA-1 of the message body, excluding the padding bytes.
Multipart messages are encrypted as a single message.
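The derivation described above, as an added example written from the public MTProto description (this is not Telegram's own client code). It computes the MTProto 2.0 msg_key, the MTProto 1.0 msg_key for comparison, and the MTProto 2.0 step from auth_key and msg_key to aes_key and aes_iv; the auth_key, auth_key_id and padding values are constructed for the run and are not real keys. AES-256-IGE itself is not implemented here since the standard library has no AES.

```python
import hashlib
import os

# Added example (not Telegram's code): MTProto 2.0 and 1.0 message-key derivation and the
# MTProto 2.0 auth_key + msg_key -> aes_key/aes_iv KDF, written from the public protocol
# description. x is 0 for client->server traffic and 8 for server->client traffic.
def msg_key_v2(auth_key: bytes, body_with_padding: bytes, x: int = 0) -> bytes:
    """MTProto 2.0: middle 128 bits of SHA-256(32 bytes of auth_key || body || padding)."""
    msg_key_large = hashlib.sha256(auth_key[88 + x:88 + x + 32] + body_with_padding).digest()
    return msg_key_large[8:24]

def msg_key_v1(body_without_padding: bytes) -> bytes:
    """MTProto 1.0: lower 128 bits (last 16 bytes) of SHA-1 of the body, padding excluded."""
    return hashlib.sha1(body_without_padding).digest()[4:20]

def derive_aes_key_iv(auth_key: bytes, msg_key: bytes, x: int = 0) -> tuple:
    """MTProto 2.0 KDF: the 256-bit AES key and 256-bit IV used for AES-256-IGE."""
    sha256_a = hashlib.sha256(msg_key + auth_key[x:x + 36]).digest()
    sha256_b = hashlib.sha256(auth_key[40 + x:40 + x + 36] + msg_key).digest()
    aes_key = sha256_a[0:8] + sha256_b[8:24] + sha256_a[24:32]
    aes_iv = sha256_b[0:8] + sha256_a[8:24] + sha256_b[24:32]
    return aes_key, aes_iv

def build_body(server_salt: int, session_id: int, message_id: int, seq_no: int, payload: bytes) -> bytes:
    """The variable header the text mentions (salt, session, message ID, seq no, length) plus payload."""
    return (server_salt.to_bytes(8, "little") + session_id.to_bytes(8, "little")
            + message_id.to_bytes(8, "little") + seq_no.to_bytes(4, "little")
            + len(payload).to_bytes(4, "little") + payload)

def pad_body(body: bytes, rand=os.urandom) -> bytes:
    """MTProto 2.0 padding: 12..1024 random bytes so that the total length is a multiple of 16."""
    return body + rand(12 + (-(len(body) + 12)) % 16)

def outer_header(auth_key: bytes, auth_key_id: bytes, body: bytes, padding: bytes, x: int = 0) -> tuple:
    """Return the external header (auth_key_id || msg_key) and the key/IV that encrypt the body."""
    msg_key = msg_key_v2(auth_key, body + padding, x)
    aes_key, aes_iv = derive_aes_key_iv(auth_key, msg_key, x)
    return auth_key_id + msg_key, aes_key, aes_iv

# Constructed sample values: a real auth_key is the 2048-bit Diffie-Hellman result, never a constant.
AUTH_KEY = bytes(range(256))
AUTH_KEY_ID = hashlib.sha1(AUTH_KEY).digest()[12:20]  # auth_key_id is the low 64 bits of SHA-1(auth_key)
PADDING = b"\x00" * 12  # fixed only so this run is reproducible; real traffic uses pad_body()

if __name__ == "__main__":
    hdr_a, key_a, _ = outer_header(AUTH_KEY, AUTH_KEY_ID, build_body(1, 2, 100, 1, b"\0" * 4), PADDING)
    hdr_b, key_b, _ = outer_header(AUTH_KEY, AUTH_KEY_ID, build_body(1, 2, 101, 1, b"\0" * 4), PADDING)
    print("same auth_key_id:", hdr_a[:8] == hdr_b[:8], "msg_key/aes_key changed:", key_a != key_b)
```

Changing only the message ID in the variable header changes msg_key and therefore aes_key and aes_iv, while auth_key_id stays the same; this is the point the text makes about the variable data influencing the message key.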
A More Positive Use Case from Echosec
When using open source intelligence for public safety and organizational security, Telegram is a data provider that should not be overlooked. With visualization tools like Echosec, users can identify and extract critical data, including Telegram data, in real time by performing keyword and username searches in both the core Echosec platform and Beacon, Echosec's dark web search tool.
The example below shows someone posting credit card numbers and other personal information, all associated with that person's username. (All personal information has been obscured.)
The following is another piece of Telegram data accessed with Echosec: an example of individuals sharing bundles of hacking tools that can be used to attack people and organizations all over the world.
With Echosec and Beacon, security teams and public safety organizations can build a complete picture of conversations happening online. These data tools help users extract key information from all corners of the internet.
Echosec is a web-based data discovery platform that helps organizations detect online data for threat intelligence. Aggregating and mapping content from hundreds of sources, including social media, blogs, news and the Dark Web, Echosec gives users instant visibility into any place on earth through a digital window. Echosec uses machine learning to recognize images and keywords so that users are notified when specific content is posted.