Cryptographic Weaknesses in Telegram's MTProto
mtpsym.github.ioI love the „A Somewhat Opinionated Discussion“ section. It‘s great how it discusses the „Don‘t roll your own crypto“ mantra.
Save me a click, did anyone bust a message open yet ffs?
Arm-Chair Quaterbacker response -
"In particular, Telegram encrypts acknowledgement messages, i.e. messages that encode that a previous message was indeed received, but the way it handles the re-sending of unacknowledged messages leaks whether such an acknowledgement was sent and received. "
That ^ bit is indeed of interest. Having this ability could be useful in two ways that immediately spring to mind if I were a 'james bond villain'
I am currently taking a skim through the paper which for the curious is available at https://mtpsym.github.io/paper.pdf (52 pages)
[Edit] Will leave it to those better qualified regarding the math but uhhmm yeah, A good summary is yes, there were somethings that could have been exploited and were patched by the Telegram team and a bug bounty awarded (as noted in the article). The thing I found of interest bit turned out indeed to be in the 'highly theoretical' realm. As in "only on a wet Wednesday when the wind is blowing from the west at a precise angle way"
So no?
The most practical of the four attacks appears to be the message reordering in that it is something that actually could be done and might potentially mean something. The attacker would be unlikely to know the content of the encrypted messages in an instant messaging system to do some sort of meaningful attack. In the case where the messages were not waiting on a server for an offline client the attacker would have the difficulty of having to buffer the messages themselves in a way which would not break communications entirely. IM is fairly interactive end to end most of the time so message reordering is not much of a threat.
Kinda
> We also show how an attacker can mount an “attacker-in-the-middle” attack on the initial key negotiation between the client and the server. This allows an attacker to impersonate the server to the client, allowing to break confidentiality and integrity of the communication. Luckily, this attack is also quite difficult to carry out, as it requires sending billions of messages to a Telegram server within minutes.
Kind of, they detail a MitM attack and a way to extract plaintext from a client but both of them seem very impractical to do.
>An attacker on the network can reorder messages coming from a client to the server.
How do you fix this in a messaging system? What do you do in the common case where a message just gets lost? You can wait for a while for the message to show up but you can't wait forever without permanently breaking the system.
Hardware (Originator) timestamped for ordering on the receivers end at the encrypted package unwrap point plus the SMS solution of "delete/discard any unsent/undeliverable messages after x days?" Does that solve both issues?
I am not sure that the user would enjoy waiting x days for message delivery to start again. Perhaps a late message is never delivered to prevent it from being out of order? I guess my problem is understanding exactly what we are trying to prevent in practice.
As far as I can understand it (and here the authors clearly state that a lot of this is hypothetically possible, darn near impossible in reality to pull off <<Note: Not Impossible to do>>
So - in a theoretical situation you are looking at what is known as a re-play attack.
Ping the same message to all cell numbers in a block (discovering who does and does not have Telegram installed)
Once you have that, ping a message to a group of interest that has an invite only policy.
Ping that message to all in that group of numbers to see who has read/received that message. You now have a list of active in that group list of numbers.
Once you have that - delay some messages so they appear out of order to some (but not all) users in that group.
Create FUD re security (omg, did we just get hacked??? Coz messages are turning up crazy out of order aka WTF?)
Target group falls back to fall-back comms method.
Profit.