How to “hack” Telegram

or The Rise of Crypto Bullshit Bingo

We at Telegram love being notified about security-related issues. We believe being open source and having crypto contests helps us provide a better service. That’s why we reward people when they share ideas that allow us to make Telegram more secure.

Last month we paid $5000 to a guy who found a potential vulnerability in Telegram for Android, and this month we’ve transferred $2500 to HackApp for pointing out weak spots in our iOS code. The most valuable input so far came in December 2013 from a person who found an issue in the MTProto design, so we awarded him $100,000. Whenever a potential vulnerability is found, we are the first to admit it — and fix it.

Unfortunately, every activity attracts its parasites. With Telegram’s popularity soaring, some people attempt to promote themselves or their products by attacking Telegram on false grounds.

Last month we received a letter saying that “assuming an intruder had root access to a user’s Android phone, Telegram messages were not secure”.

Naturally, this hardly warranted a response: if an intruder somehow gained root access to your device, there’s no point in discussing any other layer of security — the intruder is already the GOD of your phone and can see everything you see on the screen of your device — and much more. Claiming to find “assuming root access” vulnerabilities is like saying that God Almighty can theoretically (in addition to destroying and creating worlds at a whim) pick a lock of a particular Swiss brand. So this lock is not secure!

While this sounds like a bad joke to any security expert, it didn’t stop our correspondent, who turned out to be the founder/owner/CEO/CTO of a company called Zimperium, from publishing a blog post with a clickbait title “How I hacked Telegram’s ‘encryption’”.

The post claimed that since an attacker with root access can read the device’s disk and memory, Telegram messages should not be stored unencrypted in phone memory — and we should encrypt them. The obvious paradox of this “solution” is that the encryption key will also be stored somewhere on the device (otherwise you wouldn’t be able to render messages on the screen).

So while the idea might sound reasonable to a non-specialist, it can in no way defend one from attackers that already have access to memory and disk on the device. Basically the advice was to encrypt something for the sake of encryption and create an illusion of safety in a “game over” root environment, just to consume a bit more CPU and battery power.

The post concluded with a sales pitch on the benefits of Zimperium software for Android (whose authors live in a world where 98.4% of Android devices can be hacked by school kids).

Of course, respectable media ignored this camouflaged marketing initiative — after some research and fact checking, big newspapers like Forbes had a good laugh. The reaction of the crypto community to Zimperium’s sales pitch was summarized by Eva Galperin, a technologist and analyst for the Electronic Frontier Foundation:

Filippo Valsorda from CloudFlare Security Team tried to explain the situation to people outside the security community:

HackerNews subscribers expressed a rare unanimity:

Reaction on Reddit was even more straightforward:

Given that the blog post published by Zimperium was a botched marketing trick that was rebuffed unanimously by the industry, we decided we didn’t need to make any specific announcement about this “hack”-hoax.

But even if you can’t exploit security bugs, you can still exploit media naïveté and public fears. While security experts and big media predictably dismissed the claim, some smaller newspapers and blogs did buy it. Here are some of the most intriguing titles:

There are many more articles like these, published mainly by small local sites that don’t do fact checking or research. Despite our willingness to reply over e-mail or Twitter and comment on the issue, few of them bothered to get the bigger picture. Zimperium was careful not to show any comments under their original post (although there is an input field for comments designed to create the illusion of an opportunity to reply), so for an unsophisticated reader their article full of buzzwords looks really frightening. As a result, the Zimperium post got about 5K likes on Facebook and over 3K retweets.

In a world where security firms are shifting their focus from research to marketing, all of us should be wary: the media needs more fact-checking, startups like Telegram need more proactive PR and the public needs to be more careful about the motives behind the reports. Otherwise we’ll be constantly held hostage by businesses that feed on our fears.
