Despite a Lucrative ICO for Telegram, Virgil Security Finds Multiple Weak Points in New ID Verification App
Telegram recently hosted an initial coin offering that raised $1.7 billion in funding. Since the release of its new app, many security researchers in the crypto industry have suggested that it is not as user-friendly as it should be.
Virgil Security took to a blog post to explain the weak areas in the new app, which is called Passport. Although Virgil Security gave Telegram credit for making its API open, they took issue with the way stored data is encrypted and protected. Alexey Ermishkin, who wrote the post, said,
“Their commitment to openness gives security practitioners the opportunity to review their implementation and, ideally, help improve it. Unfortunately, Passport's security disappoints in several key ways.”
Interestingly enough, Telegram has never actually announced its ICO or publicly acknowledged that it took place. Multiple leaked documents led industry leaders to conclude that the company wanted to compete with other crypto services in the industry, such as filesharing and encrypted browsing. Additionally, Telegram wanted to reintroduce blockchain-based payments within its chat app, which is a popular service.
The security required for payments and identity verification is similar, which is part of the reason that Telegram created Passport while still in the early stages. Disrupting digital identification is something the cryptocurrency industry has wanted to do for a while, so Telegram is taking the opportunity to get a head start for consumers. In its blog post, Telegram promises that “your identity documents and personal data will be stored in the Telegram cloud using end-to-end encryption. It is encrypted with a password that only you know, so Telegram has no access to the data you store in your Telegram passport.” The same post also says that the identification data will be stored in a decentralized way, which is part of the technical whitepaper.
As stated above, one of the big issues that Virgil Security sees is the way that passwords are hashed. When Telegram discussed the launch of Passport, they also revealed a lot of information about how the system functions, including the use of SHA-512 for hashing passwords. Virgil Security responds, “It's 2018 and one top-level GPU can brute-force check about 1.5 billion SHA-512 hashes per second.”
The research also says that the passwords could cost as little as $5 each to crack, though users with stronger passwords would cost more to crack. Virgil Security acknowledges that, before such an attack could begin, the attacker would first need access to Telegram's own systems. Co-founder Dmitry Dain of Virgil Security said, “To access the password hashes, the attack would have to be internal to Telegram. The ways that could happen are numerous — insider threat, spearphish, one rogue USB stick, etc.” As more users decide to upload their data, Telegram becomes a more enticing target.
Virgil Security’s other issue has to do with the fact that none of the identifying documents are signed. Blockchain technology enables users to sign data cryptographically, which makes it easier to verify who uploaded it and whom it belongs to. However, the data in Telegram Passport carries no cryptographic signature to protect users, which means any of the data can be changed without any notification to the owner.
The post by Virgil Security notes, “Now, when people see ‘end-to-end encrypted,’ they believe that their data will safely be sent to a third party without worries of it being decrypted or tampered with. Unfortunately, Passport users will have a false sense of confidence.”
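To illustrate the point about unsigned data (this is added example code, not Telegram's or Virgil Security's), the block below uses a constructed encrypt-only scheme to show how a stored record can be altered without the owner noticing, and how an HMAC-SHA512 integrity tag, standing in for the missing signature, rejects the altered record instead. The keystream cipher, keys and sample record are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for an "encrypt-only" scheme, not Telegram's actual Passport
# cipher: a SHAKE-256 keystream XORed with the data. Like any stream cipher used
# without a MAC or signature, it is malleable. XOR is its own inverse.
def xor_keystream(key, nonce, data):
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

# Integrity layer (encrypt-then-MAC): HMAC-SHA512 over nonce || ciphertext. It stands
# in for the signature Virgil Security says Passport lacks; detection works the same
# way, although a real signature would also bind the uploader's identity.
def seal(enc_key, mac_key, nonce, data):
    ct = xor_keystream(enc_key, nonce, data)
    return ct, hmac.new(mac_key, nonce + ct, hashlib.sha512).digest()

def open_sealed(enc_key, mac_key, nonce, ct, tag):
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha512).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        raise ValueError("integrity check failed: stored record was modified")
    return xor_keystream(enc_key, nonce, ct)

# Constructed sample record standing in for a stored identity document.
RECORD = b'{"document":"passport","number":"X1234567","expires":"2028-05-01"}'

def demo():
    enc_key, mac_key, nonce = (secrets.token_bytes(n) for n in (32, 32, 16))
    ct, tag = seal(enc_key, mac_key, nonce, RECORD)

    # Someone with access to the stored blob changes one byte of ciphertext. With
    # known plaintext layout, XOR by '8'^'9' turns the expiry year 2028 into 2029.
    altered = bytearray(ct)
    altered[RECORD.index(b"2028") + 3] ^= ord("8") ^ ord("9")
    altered = bytes(altered)

    # Encryption alone: the modified record decrypts cleanly and nobody is told.
    silently_altered = xor_keystream(enc_key, nonce, altered)

    # With the integrity tag: the same modification is rejected before use.
    try:
        open_sealed(enc_key, mac_key, nonce, altered, tag)
        detected = False
    except ValueError:
        detected = True
    return silently_altered, detected
```

Running `demo()` returns the silently altered plaintext (with the expiry year changed to 2029) and `True` for the tag-protected version, which refuses to decrypt the modified record.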
Though Telegram has not responded to requests for comment on this risk of a security breach, there is still time and technology available for Telegram to strengthen security measures for users.