
Amir Rashidi, an Internet security researcher who has worked with Telegram users who were victims of hacking, works at the offices of International Campaign for Human Rights in Iran, in the Brooklyn borough of New York, U.S., July 27, 2016. Brendan McDermid/Reuters
SAN FRANCISCO/WASHINGTON (Reuters) – Iranian hackers have compromised more than a dozen accounts on the Telegram instant messaging service and identified the phone numbers of 15 million Iranian users, the largest known breach of the encrypted communications system, cyber researchers told Reuters.
The attacks, which took place this year and have not been previously reported, jeopardized the communications of activists, journalists and other people in sensitive positions in Iran, where Telegram is used by some 20 million people, said independent cyber researcher Collin Anderson and Amnesty International technologist Claudio Guarnieri, who have been studying Iranian hacking groups for three years.
Telegram promotes itself as an ultra-secure instant messaging system because all data is encrypted from start to finish, known in the industry as end-to-end encryption. A number of other messaging services, including Facebook Inc’s WhatsApp, say they have similar capabilities.
Headquartered in Berlin, Telegram says it has 100 million active subscribers and is widely used in the Middle East, including by the Islamic State militant group, as well as in Central and Southeast Asia, and Latin America.
Telegram’s vulnerability, according to Anderson and Guarnieri, lies in its use of SMS text messages to activate new devices. When users want to log on to Telegram from a new phone, the company sends them authorization codes via SMS, which can be intercepted by the phone company and shared with the hackers, the researchers said.
Armed with the codes, the hackers can add new devices to a person’s Telegram account, enabling them to read chat histories as well as new messages.
“We have over a dozen cases in which Telegram accounts have been compromised, through ways that sound like basically coordination with the cellphone company,” Anderson said in an interview.
Telegram’s reliance on SMS verification makes it vulnerable in any country where cellphone companies are owned or heavily influenced by the government, the researchers said.

Founder and CEO of Telegram Pavel Durov delivers a keynote speech during the Mobile World Congress in Barcelona, Spain February 23, 2016. Albert Gea/Reuters
A spokesman for Telegram said customers can defend against such attacks by not relying solely on SMS verification. Telegram allows – though it does not require – customers to create passwords, which can be reset with so-called “recovery” emails.
“If you have a strong Telegram password and your recovery email is secure, there’s nothing an attacker can do,” said Markus Ra, the spokesman.