 |
| Photo Credit: iStock Photo |
TELEGRAM, The Secure Messaging App is Important for Two Different Reasons. The app is a go-to encrypted communication tool for hundreds of millions of users worldwide, particularly those wishing to reduce government surveillance and restrictions in countries such as Russia and Iran.
The other
issue is that several cryptography experts have challenged Telegram's
encryption scheme's integrity. Recent research from web security firm Force
point to Telegram's bot use has implications for both Telegram users and
detractors.
Telegram bots are small programs that may be embedded in Telegram chats or public channels to execute certain tasks. They may provide customized keyboards, create cat memes on demand, and even collect money and serve as a digital bookstore.
Telegram bots are popular because they are fun
and convenient, and Telegram has enabled them since 2015. They are simply
automated Telegram accounts that you can add to conversations and channels much
like a buddy. But, when studying the bot platform, Forcepoint discovered that
the functionality does not employ the encryption technique used by Telegram to
safeguard its chats. As a result, introducing a bot into a chat or channel
adversely affects its security.
As a result, introducing a bot to a chat or channel reduces
its security and makes it simpler for a third party to intercept
communications.
"This is something that affects you if you operate a
bot or are in a channel with bots," explains Luke Somerville, Forcepoint's
chief of special investigations. "To be honest, we were startled when we
discovered that bot security is so different from how conventional messaging
works."
Telegram bots, in particular, do not employ MTProto,
Telegram's encryption protocol, which provides a framework in which users' communications
to one another are jumbled and unreadable while in transit between a sender's
and recipient's devices.
While academics have expressed various concerns about
MTProto over the years, Telegram insists that it is safe; if you trust Telegram
with your encrypted conversations, you are trusting MTProto.
Telegram's bot platform, on the other hand, is built on the transport layer security protocol, which is used in HTTPS web encryption. TLS is wonderful for a lot of things, but it isn't strong enough to be the only encryption in a secure communication service designed to give advanced security.
As a result, programs such as Signal and WhatsApp utilize the Signal
Protocol, whereas Telegram has MTProto. However, by developing its bot platform
without MTProto, Telegram creates a situation in which bringing a bot to a chat
or channel effectively degrades the experience.
The finding was made in an unexpected method by Forcepoint. Security researchers have previously discovered Telegram bots can command and manage malicious Android applications and even exfiltrate data from Telegram chats using the Telegram bot API.
Because of their tight integration with the app,
bots are a popular piece in attack methods. While investigating one such
malware operation, Forcepoint revealed that Telegram chats with bots have lower
security.
The researchers examined a sample of GoodSender remote
management malware and discovered a mechanism within the code that awaited
orders from a Telegram bot. The virus had two pieces of Telegram identity and
authentication information, known as the bot API token and Chat ID, which are
used to guide bot inquiries to the appropriate conversations. Armed with this
information, the researchers realized they could create API queries that would effectively
replay all conversations between the virus creator and his bot.
The researchers were able to examine how the hacker set up,
tested, and finally began spreading the malware because he made the error of
performing all of his testing and deployment in one bot setup (rather than
masking his traces by utilizing numerous accounts).
While the Forcepoint researchers utilized the Telegram API to eavesdrop on the hacker's bot messages as part of their well-intentioned protection study, they highlight that someone else might use the same approach for evil and look back at an entire discussion in which a bot is present.
Even
if a user does not have the bot API token and Chat ID from a malware sample,
they may be able to extract them in other methods. Both pieces of information
are included in every Telegram message so that bots may determine which data or
service to provide to which conversation.
The thought that a secure messaging service's own
functionality might degrade its encryption technique without alerting the user
is troubling.
"You may set up your own burner Telegram account and
instruct the bot to send these communications to you,"It's a
straightforward procedure, and you can forward all of the bot's messages in
that channel." You will be able to view all of their communications."
Forcepoint has contacted Telegram about the results but has
declined to comment on its discussions with the business. "The fact that
bot traffic is routed through HTTPS is not something to be 'discovered'—it's a
documented characteristic of the system," said Markus Ra, Telegram's head
of support, in a statement.
"This is a common practice in the industry. It should
be noted that Telegram bots only receive messages that are explicitly intended
for them by default." Telegram further claims that obtaining the bot API
token and Chat ID is equivalent to stealing someone's account password—at that
point, an attacker would have full access regardless. The firm could not
explain why bot conversations are only protected using HTTPS rather than
MTProto.
Taking advantage of the less secure Telegram chats and
channels with bots would still necessitate an attacker being able to decode
HTTPS Telegram communications.
To keep your Telegram conversations, secure, avoid using
bots in your chats and be alert when you're in chats or channels that use them.
To make communications really private, limit the number of participants in a
conversation as low as possible. Many cryptographers and security
professionals, including White, believe that the safest approach to utilize
Telegram is to avoid it entirely.
They question if Telegram is completely end-to-end encrypted
(a feature that isn't enabled by default) and are concerned that the
proprietary MTProto protocol would be impossible to fully test. However, the
security disparities between conversations that involve bots and chats that do
not are significant for the app's 200 million users.
YOU MAY LIKE THESE POSTS
WhatsApp New Features update 2021. WhatsApp Added Multi-Device Support Feature
Top 12 Best Football Movies on Netflix. Check out list of Good Sports Movies on Netflix
Elon Musk: Interesting Facts You Should Know
8 Most Expensive Foods in the World
