A security research duo told Reuters that they’ve found evidence that users of the encrypted messaging service Telegram have been hacked by a group known as Rocket Kitten.
According to Collin Anderson and Claudio Guarnieri, the attackers compromised more than a dozen accounts held by political activists involved in reformist movements and opposition organizations in Iran earlier this year. They’ve also been able to find the phone numbers and user IDs associated with 15 million accounts in Iran, where roughly 20 million people use Telegram.
The hack is worrying because it allows attackers to read the messages received by the accounts they’ve hacked, as well as their chat histories.
Anderson and Guarnieri note that Rocket Kitten may have breached those accounts by intercepting SMS codes used to authorize new devices and activating them on their own hardware.
They suspect that the hacker group may have colluded with phone companies to steal those codes, which isn’t out of the question in countries like Iran where the government wields power over private service providers.
While not as invasive, the uncovering of 15 million users’ details is just as unnerving. “A systematic de-anonymization and classification of people who employ encryption tools (of some sort, at least) for an entire nation” has never been exposed before, Guarnieri said.
The danger in this instance is that, in case hackers or the government can obtain a decryption key for Telegram, they could figure out who was talking to whom by mapping messages to user IDs and phone numbers.
Although Telegram notes that users can protect themselves by setting up a password for their account, it seems like the company needs to do a lot more to secure its systems and help keep data away from prying eyes.
This isn’t the first time Telegram has been hacked. Last November, a developer demonstrated how a command-line interface tool could be used to open up Telegram metadata and identify who you’re talking to. And in June, a hacker duo showed how an SS7 vulnerability could be exploited to break into WhatsApp and Telegram inboxes.
Concerning the 15 million phone numbers and the SMS code-based intrusions, Telegram said in a blog post:
Only publicly available data was collected and the accounts themselves were not accessed. Such mass checks are no longer possible since we introduced some limitations into our API this year.
However, since Telegram is based on phone contacts, any party can potentially check whether a phone number is registered in the system. This is also true for any other contact-based messaging app (WhatsApp, Messenger, etc.).
As for the reports that several accounts were accessed earlier this year by intercepting SMS-verification codes, this is hardly a new threat as we’ve been increasingly warning our users in certain countries about it. Last year we introduced 2-Step Verification specifically to defend users in such situations.
If you have reasons to think that your mobile carrier is intercepting your SMS codes, use 2-Step Verification to protect your account with a password. If you do that, there’s nothing an attacker can do.
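The new-device authorization flow the researchers describe (an SMS code that a carrier can read in transit) and the password check that 2-Step Verification adds, modelled as an added example. This is illustrative code, not Telegram's; the class, function names, code lifetime and sample phone number are all hypothetical.

```python
"""Model of SMS-code device authorization with and without a 2-Step Verification
password. Added illustration, not Telegram's code; all names are hypothetical."""
import hashlib, hmac, secrets, time

CODE_TTL = 300  # seconds an SMS code stays valid (assumed value)

class AccountServer:
    def __init__(self):
        self.pending_codes = {}       # phone -> (code, issued_at)
        self.password_verifiers = {}  # phone -> (salt, pbkdf2 digest)
        self.authorized_devices = {}  # phone -> set of device ids

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enable_two_step(self, phone, password):
        salt = secrets.token_bytes(16)
        self.password_verifiers[phone] = (salt, self._derive(password, salt))

    def request_code(self, phone):
        """Issue the SMS code; this is the value a carrier can read in transit."""
        code = f"{secrets.randbelow(100_000):05d}"
        self.pending_codes[phone] = (code, time.time())
        return code

    def authorize_device(self, phone, device_id, sms_code, password=None):
        """True only if the SMS code, and the password when 2SV is on, check out."""
        entry = self.pending_codes.get(phone)
        if entry is None:
            return False
        code, issued_at = entry
        if time.time() - issued_at > CODE_TTL or not hmac.compare_digest(code, sms_code):
            return False
        verifier = self.password_verifiers.get(phone)
        if verifier is not None:
            salt, digest = verifier
            if not hmac.compare_digest(self._derive(password or "", salt), digest):
                return False
        del self.pending_codes[phone]  # codes are single use
        self.authorized_devices.setdefault(phone, set()).add(device_id)
        return True

def new_device_login(two_step_enabled, supplied_password=None):
    """Simulate a new-device login by a party holding only the in-transit SMS code."""
    server = AccountServer()
    phone = "+10000000000"  # constructed sample number
    if two_step_enabled:
        server.enable_two_step(phone, "correct horse battery staple")
    code = server.request_code(phone)  # the carrier-visible SMS code
    return server.authorize_device(phone, "new-device", code, supplied_password)
```

With SMS-only authorization the intercepted code is sufficient on its own; once a 2-Step Verification password is set, the same code no longer authorizes a device without it.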
Anderson and Guarnieri will present their findings at the Black Hat conference in Las Vegas on Thursday and publish their complete research later this year.