The secure messaging app Telegram is significant for two very different reasons. One is that the app is a go-to encrypted communication tool for hundreds of millions of users around the world, particularly those looking to duck government surveillance and censorship in countries like Russia and Iran. The other is that many cryptography experts have cast doubt on the integrity of Telegram’s encryption scheme. A new report from the web security firm Forcepoint, about Telegram’s use of bots, has implications for both Telegram’s users and its critics.
Telegram bots are small programs that can embed in Telegram chats or public channels and perform a specific function. They can offer customized keyboards, produce cat memes on-demand, or even accept payments and act as a digital storefront. Bots are popular on Telegram, because they’re fun and convenient, and Telegram has supported them since 2015. They are essentially automated Telegram accounts; you can just add them to chats and channels as you would a friend. But while researching the bot platform, Forcepoint realized that the feature doesn’t incorporate the encryption algorithm Telegram uses to protect its chats. As a result, adding a bot to a chat or channel undermines its security, potentially making it easier for a third party to intercept messages.
“This is something that affects you if you are operating a bot or are in a channel with bots,” says Luke Somerville, head of special investigations at Forcepoint. “I’ll be honest, it surprised us when we realized that the bot security is that different than how normal messaging works.”
Specifically, Telegram bots don’t use MTProto, Telegram’s encryption protocol, which creates the framework in which users’ messages to each other are scrambled and illegible while in transit between a sender and recipient’s devices. While researchers have raised various concerns about MTProto over the years—Telegram maintains it is sound—if you trust Telegram with your secure communications, you’re trusting MTProto.
“A bot would dramatically undercut the security properties of a chat.”
Kenn White, Open Crypto Audit Project
But Telegram’s bot platform relies instead on the Transport Layer Security protocol used in HTTPS web encryption. TLS is great for a lot of things, but isn’t robust enough to act as the only encryption in a secure communication service meant to provide advanced protection. That’s why apps like Signal and WhatsApp use the Signal Protocol, and Telegram has MTProto. By building its bot platform without MTProto, though, Telegram creates a situation where introducing a bot to a chat or channel essentially downgrades its encryption.
Forcepoint made the discovery in an unexpected way. Security researchers have previously found Telegram bots that command and control malicious Android apps, and even exfiltrate data from Telegram chats through the Telegram bot API used by developers. Bots’ deep integration into the app make them a popular pawn in attack strategies. While researching one such malware scheme, Forcepoint accidentally discovered that Telegram chats that include bots have reduced security.
The researchers probed a sample of remote management malware dubbed “GoodSender,” and identified the mechanism within the code that awaited commands from a Telegram bot. The malware included two pieces of Telegram identification and authentication information—called the “bot API token” and “Chat ID”—that are used to direct bots’ queries to the right chats. Armed with these details, the researchers realized that they could crafts API requests that would essentially replay all the communications between the malware author and his bot. Because the hacker made the mistake of doing all of his testing and deployment in one bot setup (instead of covering his tracks by using multiple accounts), the researchers were able to study how he had set up, tested, and eventually started deploying the malware.
While the Forcepoint researchers used the Telegram API to snoop on the hacker’s bot communications as part of well-meaning defense analysis, they emphasize that someone else could use the same technique for ill and look back at a whole conversation a bot is present in. And even someone who doesn’t have a chat’s “bot API token” and “Chat ID” from a malware sample could still potentially extract them in other ways. Both pieces of information are embedded in every Telegram communication, so bots can know which data or service to send to which chat.
The idea that a secure messaging service’s own feature could downgrade its encryption scheme—without giving any visual cue to the user—is concerning. “You can create your own burner Telegram account and tell the bot to forward you these messages,” Somerville says. “It’s relatively trivial to do, and you can forward all the messages in that channel that the bot has had access to. You’ll be able to read all the messages they’ve exchanged.”
Forcepoint has been in touch with Telegram about the findings, but wouldn’t comment on its interactions with the company. “That bot traffic goes over HTTPS is not something to be ‘discovered’—it’s a documented property of the system,” Markus Ra, Telegram’s head of support, said in a statement. “This is an industry standard. Note that by default, Telegram bots only receive messages that are specifically meant for them.” Telegram also argues that grabbing the “bot API token” and “Chat ID” is akin to stealing someone’s password to an account—at that point an attacker would have full access anyway. The company did not offer an explanation of why bot communications are only secured with HTTPS and not MTProto.
Taking advantage of the lesser protection on Telegram chats and channels that include bots would still require an attacker to be able to decrypt HTTPS Telegram traffic. In Forcepoint’s case, the researchers got around it by essentially obtaining the keys to the kingdom in the malware sample they were working on. In general, a relatively sophisticated adversary would have to be targeting you to become a “man in the middle” of your HTTPS communication. But the reason secure communication platforms require more advanced encryption in the first place is precisely that it can sometimes be possible to skirt HTTPS.
“In a situation where certain chats only use TLS because of bot functionality, a bot would dramatically undercut the security properties of a chat,” says Kenn White, director of the Open Crypto Audit Project. “Using a protocol that’s not part of the core protocol for a convenience integration would provide none of the integrity or benefit of that main protocol. That would be an intentional design tradeoff that dramatically undermines security guarantees.”
To keep your Telegram communications safe, don’t add bots to your chats, and be aware when you’re in chats and channels that include them. And to keep messages really secret, always minimize the number of people in a chat to reduce exposure. Many cryptographers and security engineers, though, including White, say that the safest way to use Telegram is just not to use it at all. They doubt whether Telegram is fully end-to-end encrypted (a protection that isn’t on by default anyway) and worry that the custom MTProto protocol is difficult to fully vet. But for the app’s 200 million adherents, the security differences between chats that include bots and chats that don’t are important.
“For bot developers there’s not an awful lot they can do about this themselves other than warning people that the potential for this sort of attack exists,” Forcepoint’s Somerville says. “It’s unfortunate—it’s a design decision.”
Updated January 17, 2019 8:50am ET and 11:50am ET to include comments from Telegram.