On the Cryptographic Fragility of the Telegram Ecosystem

Authors: Theo von Arx and Kenneth G. Paterson
ASIA CCS '23: Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security

Abstract

Telegram is a popular messenger with more than 550 million active users per month and with a large ecosystem of different clients. The wide adoption of Telegram by protestors relying on private and secure messaging provides motivation for developing a profound understanding of its cryptographic design and how this influences its security properties. Telegram has its own bespoke transport layer security protocol, MTProto 2.0. This protocol was recently subjected to a detailed study by Albrecht et al. (IEEE S&P 2022). They gave attacks on the protocol and its implementations, along with a security proof for a modified version of the protocol.

We complement that study by analysing a range of third-party client implementations of MTProto 2.0. We report practical replay attacks for the Pyrogram, Telethon and GramJS clients, and a more theoretical timing attack against the MadelineProto client. We show how vulnerable third-party clients can affect the security of the entire ecosystem, including official clients. Our analysis reveals that many third-party clients fail to securely implement MTProto 2.0. We discuss the reasons for these failures, focussing on complications in the design of MTProto 2.0 that lead developers to omit security-critical features or to implement the protocol in an insecure manner. We also discuss changes that could be made to MTProto 2.0 to remedy this situation. Overall, our work highlights the cryptographic fragility of the Telegram ecosystem.

People

Theo von Arx
Researcher
2023—2024

BibTeX

@INPROCEEDINGS{arx2023cryptographic,
	copyright = {In Copyright - Non-Commercial Use Permitted},
	doi = {10.3929/ethz-b-000620789},
	year = {2023-07-10},
	booktitle = {ASIA CCS '23: Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security},
	type = {Conference Paper},
	editor = {Liu, Joseph and Xiang, Yang and Nepal, Surya},
	author = {von Arx, Theo and Paterson, Kenneth G.},
	abstract = {Telegram is a popular messenger with more than 550 million active users per month and with a large ecosystem of different clients. The wide adoption of Telegram by protestors relying on private and secure messaging provides motivation for developing a profound understanding of its cryptographic design and how this influences its security properties. Telegram has its own bespoke transport layer security protocol, MTProto 2.0. This protocol was recently subjected to a detailed study by Albrecht et al. (IEEE S&P 2022). They gave attacks on the protocol and its implementations, along with a security proof for a modified version of the protocol. We complement that study by analysing a range of third-party client implementations of MTProto 2.0. We report practical replay attacks for the Pyrogram, Telethon and GramJS clients, and a more theoretical timing attack against the MadelineProto client. We show how vulnerable third-party clients can affect the security of the entire ecosystem, including official clients. Our analysis reveals that many third-party clients fail to securely implement MTProto 2.0. We discuss the reasons for these failures, focussing on complications in the design of MTProto 2.0 that lead developers to omit security-critical features or to implement the protocol in an insecure manner. We also discuss changes that could be made to MTProto 2.0 to remedy this situation. Overall, our work highlights the cryptographic fragility of the Telegram ecosystem.},
	keywords = {Security and privacy; Security protocols; Web application security; Cryptanalysis and other attacks; Telegram; Timing side-channel; Replay attack; Encrypt-and-MAC},
	language = {en},
	address = {New York, NY},
	publisher = {Association for Computing Machinery},
	title = {On the Cryptographic Fragility of the Telegram Ecosystem},
	PAGES = {328--341},
	Note = {18th ACM ASIA Conference on Computer and Communications Security (ACM ASIACCS 2023); Conference Location: Melbourne, Australia; Conference Date: July 10-14, 2023}
}

Research Collection: 20.500.11850/620789