Hackers target Telegram accounts through voicemail backdoor

As politicians should know by now, secure messaging apps such as Telegram can quickly become a double-edged sword.

On the one hand, a growing number of governments are so worried about its security capabilities, they try to ban the app. On the other, politicians who use the app themselves on the assumption of privacy can find their conversations exposed in the media.

The Brazilian Government’s Justice Minister Sergio Moro announced on 5 June 2019 that his smartphone had been hacked, four days before the politically compromising contents of his Telegram chats with a senior prosecutor started turning up as source material for articles in the media.

Since then, it has emerged that other Brazilian politicians, including President Jair Bolsonaro, and Economy Minister Paulo Guedes were also among a total of 1,000 other Telegram accounts targeted, which led to the arrest on 23 July 2019 of four suspects accused of being behind the attacks.

Voicemail… again

We’ll skip the contentious nature of the data hacked in this incident to focus on how the hack took place by exploiting one of the oldest weaknesses in the book – voicemail.

Voicemail? It’s not even part of the Telegram service, so it’s no wonder that some people didn’t see it coming.

Remember, Telegram is already vulnerable to account takeover/reset attacks of the sort that have troubled other services whereby attackers pretend to be a person and get a new SIM with the target’s phone number.

All that’s needed after that is to download the Telegram app and use the SMS verification message to access the user’s account.

Spoofing

But according to the testimony of one of the arrested suspects, Walter Delgatti Neto, there was another, potentially more vulnerable, way to get those verification messages – via voicemail.

Accessing voicemail boxes turns out to be easier than it should be. Some people forget to set four-digit codes and those that don’t can potentially be undone by crooks cycling through the 10,000 possibilities.

Many voicemail systems fight back by checking that the number making an access call belongs to the subscriber, but these numbers can easily be spoofed if the attacker knows the correct number.

If an attacker can access voicemail they can potentially access verification messages, such as Telegram’s, which are sent to voicemail if the hacker’s target is on a call or doesn’t answer three times in a row.

Apparently, news of the weakness has spread on forums, leading to leaks of attacks on other valuable targets, including Puerto Rico Governor Ricardo Roselló, whose position became untenable after his Telegram chats were recently leaked.

Importantly, according to a presentation at last year’s DEFCON convention, Telegram isn’t the only security service that might be susceptible to this weakness. Any service that allows SMS verification to be delivered by voice (which many do) could be at risk.

What to do?

Telegram was recently updated to blunt this sort of attack. Users can now only request a login code via a call if they have two-step verification enabled, which requires a password as well as a code.

Whatever messaging service you use we recommend you turn on two-factor or two-step verification if it’s available, and if you’re a voicemail user, ensure it’s protected with a randomly generated PIN.

Political suicide?

But the biggest mystery of all is why politicians entrust sensitive chats to a proprietary public service.

This is, after all, an app which has had its encryption protocol, MTProto, challenged by doubters, while others point out that users must manually turn on end-to-end encryption through Secure Chat and hope that any data that does end up on Telegram’s servers is securely encrypted.

Most likely, politicians are like almost everyone else  – they work on reputation and assumptions about security and don’t realise that the world is now full of people who will happily prey on their naivety.