Encryption Fails: When to Freak Out and When to Chill

After Edward Snowden began spilling secrets about the incredible reach and hacking powers of the NSA and its ally spy agencies, encryption has gone mainstream. There are now countless encryption ​apps that claim to protect their digital communications.

That's great. But there are so many options now that it's hard to figure out who to trust with our encrypted conversations. That's why the Electronic Frontier Foundation (EFF), along with ProPublica, put out a scor​ecard that tries to make it easier to choose among these apps.

However, when someone claims to have hacked one of these apps or encryption systems, it's easy to freak out.

On Monday, Zuk Avraham, the CTO of security firm Zimperium, wrote a blog post with an ominous title: " How I Hacked Telegram'​s 'Encryption.'" In the post, he claimed to have bypassed the encryption of the popular messaging app Telegram, which boa​sts 50 million users.

But Avraham actually didn't bother to break the encryption protocol that protects Telegram's "Secret Chat" messages as they travel from one user to another. He went straight to attacking the place where the messages end up and live: the cellphone.

Technically that Telegram attack is a step above kleptonalysis. They skipped the keys and went straight to stealing the plaintext.

— the grugq (@thegrugq) February 23, 2015

For his experiment, Avraham took control—gaining "root" privileges—of an Android phone running Telegram exploiting a couple of known Android vulnerabilities. That's how he found out that Telegram, which was launched last year by Pavel Durov, the Russian tech wiz kid who founded the social network VKontakte, doesn't encrypt the database containing the archive of "Secret Chat" messages, and that the messages are also available, unencrypted, in the phone's memory, as he explained in his post.

"I would be very hesitant to use this app," Avraham said. "Having a clear-text database containing all the conversations is absurd from a privacy oriented app."

The catch, however, is that Avraham didn't really "hack" or "break" Telegram's encryption—although it's important to note that respected crypto experts have doub​ted its quality in the past.

tl;dr for people outside the InfoSec community: there is no Telegram "hack". Pure smoke. I might not like Telegram, but it's not been broken

— Filippo Valsorda (@FiloSottile) February 23, 2015

Eva Galperin, a technologist and global policy analyst for the advocacy group the Electronic Frontier Foundation, said her first reaction to the blog post was "a lot of eye rolling."

"If you tell me that you can break encryption by compromising the endpoint you haven't really broken encryption at all," she told me. "It's like haha! I can get into your house with the key! Gotcha!"

In other words, perhaps you don't need to freak out over this. The problem isn't Telegram here.

"If you assume that the attacker has root access—no app can be secure," Markus Ra, a spokesman for Telegram, said, dismissing Avraham as a "charlatan" and his post as just an "a rather standard 'use my product' ad that exploits a misleading heading to attract attention."

(Thomas Chopitea, an information security researcher, confirmed to Motherboard that the exploit described by Avraham is an issue that potentially affects every Android app.)

Yet, as EFF's technologist Peter Eckersley told Motherboard, Telegram should do a better job at "encrypting the messages in storage, and overwriting the ciphertext or keys when deletion occurs."

Ra said that Telegram already overwrites "everything" when a user deletes a message, and he also said that Telegram iOS users will now be able to encrypt their message database using a passphrase after an update the company pushed on Tuesday, and will soon offer this feature to Android users as well. (This feature is already enabled by default in TextSecure, a well-known and respected messaging encryption app.)

We actually _are_ overwriting everything when deletion occurrs. (I think Peter may have been confused by one of Z's claim sabout memory and thought we don't do that for keys and messages deleted from DB – we do.)

The lesson here, after all, is that nothing is bulletproof and that encryption is hard.

In 2013, for example, a security researcher showed that a programming flaw, which another researcher defined as a "rookie mistake," made​ it trivial for a hacker to decrypt group chats in Cryptocat, a popular and easy-to-use chat web application. Nadim Kobeissi, the creator of Cryptocat, was quick to fix the flaw and his app is now among the best ranked in the EFF's scorecard.

Even big companies have shameful crypto fails on their records. Last year, researchers revealed that a simple coding error in Apple's implementation of SSL encryption—the widespread system that protects connections between a user and a server—bypassed the entire security system and left users' connections vulnerable to eavesdropping. This became known as such as the infamous "g​otofail" bug.

This particular case involving Telegram shows that messaging apps need to be aware of the fact that data needs to be secure not only while travelling through the internet, but also when it's on the phone.

"As users move towards securing their communications in transit, the security of their device and their data at rest—often called 'endpoint security'—only becomes more important," Michael Carbone, a technologist at human rights organization Access, told me.

In other words, don't freak out too easily, but be aware of what an app does and doesn't do before trusting it with very sensitive stuff. And keep in mind that if someone can break into your phone, then almost all bets are off.

UPDATE 2/24/2015: This story has been updated to add a clarification from Telegram's Ra, claiming that the app does overwrite deleted messages.