SMS verification is making Telegram insecure

This article has been translated into Chinese: Telegram 的短信验证让你的隐私聊天变得不安全 (Telegram's SMS verification makes your private chats insecure)

The world starts to suck the second you realize that governments, online advertising companies, your credit card company and your ISP are all extremely eager to know what you (and billions of other Internet users) do online. And almost everybody feels that way, even Mark Zuckerberg.

Image from 9to5Mac

Pavel Durov, the founder of VK, thought it was a horrible idea too, and obviously wanted to help Mark out. He and a few friends made Telegram, an encrypted messaging service, and everybody liked it, even ISIS.

Screenshot of Telegram.org

I have been a Telegram user since 2015, and it is still one of the primary messaging tools I rely on every day. But this recently caught my attention:

  • China wants to regulate cryptocurrencies.
  • China wants group chat administrators on the Internet to be legally responsible for speech made by group members.

As a result, China-based crypto investors decided to delete their group chats on WeChat and opt for the foreign encrypted chat service, Telegram. But hang on for a second! Using Telegram to avoid Big Brother does not seem to be a perfect idea, and here is where the problem lies.

With a 5-digit SMS auth code, anyone can log into your Telegram account

All you need to log into a Telegram account is

  1. The phone number associated with that account,
  2. An SMS verification code sent to that number, like this:

In other words, anyone with access to your SMS history can easily hack into your Telegram account.

Who has that access?

Telegram Web login page
  • SMS may be secure in transit, but since the encryption is not end-to-end, your security depends entirely on how your cell phone carrier handles it. If the carrier decides to read your text messages, it certainly can.
  • The carrier is therefore able to read your private messages and disclose them to the government or to private entities.
  • Even if your SMS is completely secure in transmission, malware or backdoors on your phone may hand your auth code, a.k.a. the key to your private data, to the hackers.

The reason I mentioned the Chinese bitcoiners is that China ironically seems to be the perfect country for your Telegram account to be hacked. This is because:

  1. The Chinese regulator “scans” text messages from local carriers. There are precedents of Chinese authorities censoring and filtering SMS messages with the assistance of Chinese mobile network operators.
  2. Chinese smartphone manufacturers have been reported to send user data to China through a pre-installed application.

China might not be (and most likely isn't) the only country where these things happen. If any of them takes place, hackers will be able to log into your Telegram account and see what is on there.

What should I do? Should I stop using Telegram?

There are a few things you can do to protect your privacy:

  • Enable a cloud password. In Settings -> Privacy and Security, turn on two-step verification. When 2FA is turned on, Telegram asks for your password along with the SMS verification code on every new login attempt. (@telegram replied to my complaint tweet.)

  • Use secret chats. Secret chats use end-to-end encryption, the chat history does not remain on the server, and messages are destroyed instantly. Even if someone hacks into your account, none of your chat logs will be available to them.

I took a photo of my phone because the interface cannot be screenshotted.

  • Although technically we shouldn't trust anyone, use a phone number from a country and a network carrier that you trust. Many countries require cell phone users to register with a real name and/or submit a copy of their passport or ID.
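To make the login flow above and the effect of the cloud password concrete, here is a small constructed model (added for this article, not Telegram's own code or protocol; Telegram's real cloud-password check uses SRP, and the phone number and passwords below are made up). It shows that someone who can read your SMS gets in whenever only the code is required, and is stopped once a cloud password is set.

```python
import hashlib, hmac, os, secrets

PBKDF2_ROUNDS = 200_000  # assumption: illustrative cost, not Telegram's setting


class TelegramLikeAccount:
    """Constructed model of the login decision, NOT Telegram's real protocol."""

    def __init__(self, phone, cloud_password=None):
        self.phone = phone
        self.pending_code = None
        self.salt = self.pw_hash = None
        if cloud_password is not None:  # "two-step verification" enabled
            self.salt = os.urandom(16)
            self.pw_hash = hashlib.pbkdf2_hmac(
                "sha256", cloud_password.encode(), self.salt, PBKDF2_ROUNDS)

    def send_sms_code(self):
        # Whoever can read the SMS (carrier, malware on the handset) sees this.
        self.pending_code = f"{secrets.randbelow(100_000):05d}"
        return self.pending_code

    def login(self, code, password=None):
        """Return 'ok', 'password_needed' or 'denied'."""
        if self.pending_code is None or not hmac.compare_digest(code, self.pending_code):
            return "denied"
        self.pending_code = None  # the code is single-use
        if self.pw_hash is None:
            return "ok"  # no cloud password: reading the SMS means owning the account
        if password is None:
            return "password_needed"
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self.salt, PBKDF2_ROUNDS)
        return "ok" if hmac.compare_digest(candidate, self.pw_hash) else "denied"


def sms_reader_login(cloud_password=None):
    """Outcome for someone who reads the victim's SMS but knows no password."""
    account = TelegramLikeAccount("+15550000000", cloud_password)  # constructed number
    intercepted = account.send_sms_code()
    return account.login(intercepted)


def owner_login(cloud_password="correct horse battery staple"):
    """Outcome for the owner, who has both the SMS code and the cloud password."""
    account = TelegramLikeAccount("+15550000000", cloud_password)
    return account.login(account.send_sms_code(), cloud_password)
```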

SMS is extremely vulnerable

That might be obvious to many of us, but using SMS for two-factor authentication (2FA) is fairly common, despite being extremely insecure. Sadly, companies like Twitter, Google, Amazon and Dropbox still employ SMS 2FA. I use a physical authenticator key that costs less than 20 dollars on Amazon; it is very convenient, although many major services don't support it yet.

Telegram is still an awesome tool

I like Telegram. It is geek-friendly and allows a lot of customization if you are a developer. However, if you are concerned about the insecure factors described here, I hope the measures above help. Encrypting your own messages with PGP also seems to be a good way to protect your privacy.

Questions, concerns, or suggestions? Feel free to reach me on Telegram, or send me PGP-encrypted emails (public key: 8967BA14).

A discussion about this article can be found on /r/telegram.


Author: Tianyu Fang

Tian is a Boston-based freelance writer. Any thoughts? Contact him on Twitter (@tianyuf) or over email (tianyu # tianyufang.net).