NEWS: Turned on a VPN and relaxed? Cryptographers have proved that Telegram still gives away your device

pinkman

Experts have found a way to monitor Telegram users through a hidden label.
The dispute over Telegram's privacy has moved beyond the usual question of message encryption. A new 89-page report from Symbolic Software claims that the MTProto protocol exposes the 64-bit auth_key_id to passive network observers, and that this value can potentially be used to recognize a device after the application is restarted, the IP address changes, a VPN is connected, or the device moves between networks.

The document was prepared by cryptographer Nadim Kobeissi of Symbolic Software, commissioned by Global Network Solutions, Inc. Coverage by IStories and OCCRP quickly drew attention to the conclusions beyond the professional discussion: journalists linked the review to the earlier investigation of the messenger's network infrastructure.

The authors focused on auth_key_id, the authorization key identifier carried in the header of each MTProto message. The client sends this parameter so that the server can select the right key to process the encrypted message. The contents of the correspondence cannot be read from auth_key_id alone, but the report points to a different risk: a stable tag in network traffic can link the activity of one device across different networks and locations.

According to the researchers, Telegram clients for Android and desktop systems transmit MTProto over plain TCP connections rather than over HTTPS or TLS. Port 443 can create the appearance of secure web traffic, but in the captured packets the authors found no TLS handshake, certificate exchange or transport encryption. After the simple obfuscation is removed, auth_key_id remains visible in the MTProto header.

A passive observer, according to the authors, does not need to break encryption, substitute certificates or interfere with the connection. A provider, an enterprise network administrator, a hotel Wi-Fi operator, a mobile operator or any other party on the route can record auth_key_id along with the IP address, the connection time and the traffic pattern. Once the identifier has been tied to a known person, the observation log can show where and when that specific device appeared.

A separate conclusion concerns Secret Chats and Perfect Forward Secrecy. End-to-end encryption protects the content of secret chats, and PFS reduces the risk of old messages being decrypted if keys are compromised. But the authors of the report believe that neither measure prevents observation of auth_key_id, since the leak, according to the researchers, sits below the content level: in the MTProto header, which is transmitted with every type of chat.

The researchers also claim that in their tests auth_key_id did not change when the application was relaunched, the IP address changed, the device moved between Wi-Fi and VPN, or it connected to other servers inside the data center, nor over several days or weeks of observation. The authors separately note an important limitation: auth_key_id by itself tracks the device and does not directly establish the identity of the user. Linking it to a particular person requires a separate point of correlation, for example a login through a network where the person is already known.

Symbolic Software proposes requiring all MTProto connections to use transport-layer encryption, such as TLS. The authors believe that user settings do not remove the risk, since the problem lies in the transport architecture and not in the choice of chat mode.

Telegram disagreed with the conclusions. In response, the company stated that auth_key_id changes regularly, contains no user data, and does not disclose message contents, recipients or personal information. Telegram also claims that an observer who is able to see auth_key_id already has more reliable network signals for tracking: the IP address, the names of connected servers, DNS queries and the traffic pattern.

The company specifically rejected allegations that third-party contractors have access to user data and infrastructure. Telegram claims that it owns its servers, manages the network through internal engineering teams and uses a zero-trust model in which physical access to the equipment does not give access to user data, application traffic, encryption keys or internal systems.

The core of the dispute is not whether correspondence can be read but how to treat network metadata. Symbolic Software considers auth_key_id a stable label for long-term monitoring of a device by anyone with access to the network route. Telegram insists that the parameter changes regularly, does not disclose private data and does not give a third-party operator any capabilities that the owner of the network infrastructure does not already have.
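
Why the identifier stays the same until the key itself is replaced, as an added example that is not code from the report, from Telegram or from the post above. The auth_key_id and msg_key derivations follow the public MTProto 2.0 description; the keys, network names and messages are constructed, random bytes stand in for the AES-256-IGE ciphertext, and the transport obfuscation layer is left out.

```python
import hashlib
import os

# Constructed 2048-bit keys; real ones come from the Diffie-Hellman registration exchange.
KEY_A = bytes(range(256))             # device A
KEY_B = bytes(reversed(range(256)))   # device B
KEY_A_NEW = bytes([0x42]) * 256       # device A after a new key is negotiated

def auth_key_id(auth_key: bytes) -> bytes:
    """64 lower-order bits of SHA-1(auth_key): a pure function of the key."""
    return hashlib.sha1(auth_key).digest()[-8:]

def msg_key(auth_key: bytes, padded: bytes, x: int = 0) -> bytes:
    """MTProto 2.0: middle 128 bits of SHA-256(auth_key[88+x:120+x] + padded plaintext)."""
    return hashlib.sha256(auth_key[88 + x:120 + x] + padded).digest()[8:24]

def frame(auth_key: bytes, plaintext: bytes) -> bytes:
    """Outer layout of an encrypted message: auth_key_id | msg_key | encrypted_data."""
    pad = -len(plaintext) % 16
    if pad < 12:                      # at least 12 bytes of random padding, total a multiple of 16
        pad += 16
    padded = plaintext + os.urandom(pad)
    ciphertext = os.urandom(len(padded))   # stand-in for the AES-256-IGE output
    return auth_key_id(auth_key) + msg_key(auth_key, padded) + ciphertext

def group_by_key_id(sightings):
    """Group (network, frame) pairs by the first 8 bytes of each frame."""
    groups = {}
    for network, data in sightings:
        groups.setdefault(data[:8].hex(), []).append(network)
    return groups

def demo():
    sightings = [
        ("home-wifi", frame(KEY_A, b"hello")),
        ("vpn-exit", frame(KEY_A, b"a different message")),
        ("hotel", frame(KEY_B, b"hello")),
        ("home-wifi", frame(KEY_A_NEW, b"hello")),   # same device, new key
    ]
    return group_by_key_id(sightings)

if __name__ == "__main__":
    for key_id, networks in demo().items():
        print(key_id, networks)
```

The msg_key and body differ on every message, while the first 8 bytes only change when a new key is negotiated, which is why the two sides' disagreement over how often that happens decides how long a device stays linkable.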
 