Telegram Passport is meant to be a secure way of managing identity documents. It pegs itself as being able to provide a “unified authorization method” that makes supplying services (like ICOs and exchanges) with real world IDs more straightforward.
But there’s a massive spanner in the works: researchers say they have found Telegram Passport to be completely vulnerable to brute force attacks. Software security firm Virgil Security have released analysis, spotted by CoinDesk, that claims certain design choices could compromise users’ passwords.
One of those choices is to use the SHA-512 algorithm to hash (encrypt) password data. As this algorithm was not designed for use with passwords, the research claims, cracking any stolen hashed passwords almost makes economic sense.
It’s 2018 and one top-level GPU can brute-force check about 1.5 billion SHA-512 hashes per second. That means that ten such GPUs (a small cryptocurrency mining farm) can check each and every 8 char password from a 94 char alphabet in 4.7 days! That’s $135/password in the worst-case scenario, using US average electricity costs for the calculation. In practice though, this number can go down to $5/password or even less, given people’s choices of password complexity.
Such disregard for security practices led to a combined 58 million passwords stolen from LivingSocial and LinkedIn a few years ago. “In the case of LinkedIn, 90 percent of the hashed passwords were reversed within a week,” the report highlights.
While Telegram Passport hasn’t been formally recognized as part of its rumored billion dollar private ICO, identification management was included in Telegram’s leaked white paper.
It’s official announcement does make reference to cryptocurrencies. It should also be noted Telegram have made the APIs that power its Passport service open source, enabling such public analysis.
Regardless, if Telegram want to establish itself in the cryptocurrency market, it had better up its game. You would think, too, with its eyes on blockchains, that it would have at least mastered hashing – perhaps LinkedIn can give it a tutorial.
Published August 2, 2018 — 15:08 UTC