Cyber Security

Trump-Russia Report Casts New Doubts On Telegram’s Security

The popular chat app's founder disputes that it is compromised, but encryption experts urge caution

Cyber Security
Illustration: Tara Jacoby
Jan 11, 2017 at 11:36 AM ET

The bombshell report that alleges the Russian government has worked with U.S. President-elect Donald Trump has also renewed concerns that encrypted chat app Telegram has been compromised by the Russian government.

The contents of the report itself, which include massive unverified claims that Trump worked with the Russian government during his campaign and that it has potential blackmail video of Trump with prostitutes, is unsubstantiated. But the U.S.’s top intelligence officials have circulated and considered it, multiple sources told CNN, and it’s the current subject of an FBI investigation.

One standalone paragraph in the report, published in full by Buzzfeed, says Russia’s Federal Security Service (FSB) compromised Telegram, a popular app that bills itself as a “secure” chat service:  

“an FSB cyber operative flagged up the “Telegram’ enciphered commercial system as having been of especial concern and therefore heavily targeted by the FSB, not least because it was used frequently by Russian internal political activists and opportunists. His/her understanding was that the FSB now successfully had cracked this communications software and therefore it was no longer secure to use,” it reads.

Telegram, which hit 100 million users worldwide in 2016, is widely derided by security researchers compared to other secure chat applications. While it does employ end-to-end encryption, meaning that decryption keys are held on an individual user’s phone, keeping plain messages from being seen even by the company itself, that doesn’t actually apply to group messages. Experts have also long questioned the strength of the encryption it uses.

“I looked at the crypto and I don’t see any obvious ways to break it, but it looks really crummy,” Matthew Green, a cryptographer at Johns Hopkins University, told Vocativ. The compromise described in the report is worded vaguely enough, he said, that it may be a reference to the Russian government cracking users’ phones in a way that didn’t even require Telegram, he said. But it’s also possible, given Telegram’s apparent weaknesses and the capability of Russia’s state-sponsored hackers, “that they have some kind of implant in the app or they’ve compromised [Telegram’s] server in some way,” which would give an attacker access to, at the very least, group chats.

Telegram founder Pavel Durov told Vocativ he didn’t believe the report. “However, if the report is not fake, it probably refers to the story of SMS interception by FSB in April 2016,” he said, referring to two Russian activists who sued their phone provider for temporarily disabling texting on their phones, allowing someone else to temporarily control those phone numbers. That attacker then allegedly downloaded the activists’ Telegram encryption keys, enabling him or her to pose as those activists.

Regardless of whether the FSB has the ability to compromise the app, Green said, people afraid of government interference should choose a chat program with strong security, like Signal or WhatsApp, which uses Signal’s encryption protocol.

“I don’t speak for activists in Russia, but I definitely  think you’re better off using something that’s secure than something that’s not. If you’re acting like it’s secure, it better be secure,” Green said.