This Is How Russian Spies Could 'Crack' Telegram
An explosive, but unverified, memo on Donald Trump alleged the FSB has “cracked” Telegram. This is how the spies might be doing it.
A 35-page leaked report on President-elect Donald Trump makes a series of explosive—and mostly unverified—claims, including the claim that the Russian government can blackmail the former reality TV star with compromising and embarrassing information, such as a tape of Trump watching a group of prostitutes performing a "golden shower" on the bed of a fancy Moscow hotel.
The report, which was first published by BuzzFeed News on Tuesday evening, also alleges that the Russian intelligence service FSB, the successor of the KGB, has "cracked" Telegram, a messaging app that markets itself as secure, private, and encrypted.
"His/her understanding was that the FSB now successfully had cracked this communications software and therefore it was no longer secure to use," wrote the author of the report, referring to claims allegedly made by "an FSB cyber operative."
Telegram was founded by Russian entrepreneur Pavel Durov, and has become a popular alternative to other apps like WhatsApp or Signal, especially in countries like Russia or Iran. The app markets itself as a secure, encrypted app, but end-to-end encryption is not enabled by default (users have to open a "Secret Chat" to turn it on) and security researchers and cryptography experts have repeatedly questioned the app's security. Moreover, Iran's government was allegedly able to compromise dozens of Telegram accounts last year.
The report, penned by someone who claims to be a former British spy, doesn't provide any details on how the FSB might have cracked the app—those seven lines are all the report says about Telegram. So it's unclear what it means exactly by "cracked."
Durov challenged the veracity of the report in a message to Motherboard.
"I personally think the report is fake," Durov told me in a Telegram message. "But if it is not, it probably refers to the story on SMS interception by FSB in April 2016."
In that case, Russian cellphone operator MTS allegedly helped Vladimir Putin's government take over the Telegram accounts of at least two activists, as explained in this detailed technical analysis. The attackers didn't attack Telegram itself, but took over the victims' accounts by disabling their cellphone service, taking over their number, and logging in pretending to be the victim.
This works because by default Telegram (like many other messaging apps) only requires a cellphone number to authenticate the user. This means that someone who has the ability to, so to speak, steal your cellphone number can then impersonate you and log into your Telegram account.
"It's not advanced cryptanalysis. It's not necessary," Frederic Jacobs, a security researcher who studied those attacks, told Motherboard.
To avoid this kind of attack, which was apparently done in Iran and in Germany, Durov and Telegram recommend enabling two-step, or two-factor, authentication. I asked Durov if they saw other similar attacks like the April one in Russia, and he said that there might have been another one, "but since then everybody enabled 2FA."
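The two paragraphs above describe the weakness and its mitigation in prose: a login that needs only a code sent to the phone number is fully satisfied by whoever currently controls that number, while a second factor (an account password the number holder does not know) stops the login at the next step. The model below, written for this article and not Telegram's own code or protocol, makes that concrete with a hypothetical `PhoneLoginService` that issues single-use SMS codes, optionally requires a PBKDF2-hashed password after a valid code, and uses constant-time comparisons throughout. The phone numbers and password are constructed placeholders.

```python
import hashlib
import hmac
import os
import secrets
import time


class PhoneLoginService:
    """Toy server side of a phone-number login with an optional second factor.

    Hypothetical model, not Telegram's protocol: it exists only to show why
    possession of the number alone is enough when no second factor is set.
    """

    CODE_TTL_SECONDS = 300

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending_codes = {}      # number -> (code, expiry)
        self._awaiting_password = {}  # number -> expiry, set after a valid code
        self._password_hashes = {}    # number -> (salt, pbkdf2 digest)
        self._sessions = {}           # session token -> number

    def request_code(self, number):
        """Issue a one-time code for the number. A real service would deliver it
        over SMS; here it is returned so the example can simulate delivery."""
        code = f"{secrets.randbelow(100000):05d}"
        self._pending_codes[number] = (code, self._clock() + self.CODE_TTL_SECONDS)
        return code

    def enable_2fa(self, number, password):
        """Store a salted PBKDF2 hash of the account password (the second factor)."""
        salt = os.urandom(16)
        self._password_hashes[number] = (salt, self._hash(password, salt))

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _new_session(self, number):
        token = secrets.token_hex(16)
        self._sessions[token] = number
        return token

    def verify_code(self, number, sms_code):
        """Step one. Returns (status, token); statuses are 'invalid_code',
        'password_required' and 'ok'."""
        pending = self._pending_codes.get(number)
        if pending is None:
            return ("invalid_code", None)
        code, expiry = pending
        if self._clock() > expiry or not hmac.compare_digest(code, sms_code):
            return ("invalid_code", None)
        # Single use: consume the code now so a captured code cannot be replayed.
        del self._pending_codes[number]
        if number in self._password_hashes:
            self._awaiting_password[number] = self._clock() + self.CODE_TTL_SECONDS
            return ("password_required", None)
        return ("ok", self._new_session(number))

    def verify_password(self, number, password):
        """Step two, reachable only after a valid code on an account with 2FA."""
        expiry = self._awaiting_password.get(number)
        if expiry is None or self._clock() > expiry:
            return ("no_pending_login", None)
        salt, digest = self._password_hashes[number]
        if not hmac.compare_digest(digest, self._hash(password, salt)):
            return ("invalid_password", None)
        del self._awaiting_password[number]
        return ("ok", self._new_session(number))


def number_takeover_outcome(with_2fa):
    """Scenario from the article: whoever controls the victim's number receives
    the SMS code but does not know the account password. Returns the status the
    number holder reaches using the code alone."""
    svc = PhoneLoginService()
    victim = "+10000000000"  # constructed placeholder, not a real number
    if with_2fa:
        svc.enable_2fa(victim, "correct horse battery staple")
    code = svc.request_code(victim)  # delivered to the current number holder
    status, _ = svc.verify_code(victim, code)
    return status


def legitimate_2fa_login():
    """The account owner completes both steps. Returns (first status, final
    status, got a session, replay status); the replay shows the consumed code
    is rejected a second time."""
    svc = PhoneLoginService()
    owner = "+10000000001"  # constructed placeholder
    svc.enable_2fa(owner, "correct horse battery staple")
    code = svc.request_code(owner)
    first, _ = svc.verify_code(owner, code)
    status, token = svc.verify_password(owner, "correct horse battery staple")
    replay, _ = svc.verify_code(owner, code)
    return (first, status, token is not None, replay)


if __name__ == "__main__":
    print("no 2FA, number holder gets:", number_takeover_outcome(False))
    print("2FA on, number holder gets:", number_takeover_outcome(True))
    print("owner with password:", legitimate_2fa_login())
```

Running it shows the number holder reaching `ok` without 2FA and stopping at `password_required` with it, while the owner who knows the password still gets a session and the used code is refused on replay. The point the model makes is the one in the text: the password never travels over the phone network, so taking over the number does not yield it.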
Without 2FA, however, the FSB (and your own government's unfriendly spy agency) can still carry out this attack, as nothing has changed in the Telegram app since reports of this kind of attack surfaced publicly. And given that cryptographers are still finding flaws in Telegram's security, perhaps the FSB has found another way to crack or hack into some accounts, or intercept messages.
The Russian Embassy in Washington D.C. did not immediately respond to a request for comment.