Alfonso Muñoz and Pablo San Emeterio are two cybersecurity experts who have recently spoken about the security that Telegram offers to users. Both have discussed the issue at RootedCON 2022, the largest cybersecurity event in Spain recently held in Madrid.
Based on your reflection and knowledge about this instant messaging app, WhatsApp’s main competition in the West, we will talk about data privacy and the cryptography used by this tool, as well as the advantages and disadvantages of its use. All in all, we try to answer the question in the headline: Is Telegram as safe as it is said to be?
It is an important issue because today, as everyone knows, messaging applications are massively used by the population, in fact Telegram is playing an important role in communication in Ukraine, while this country is being subjugated by Russia.
The security of millions of data
Instant messaging (IM) applications have become a fundamental pillar in everyday, personal, corporate and even confidential communications. So much so that they are the most installed and are used by almost one in four citizens of the world. Telegram alone has more than 500 million monthly active users .
In this sense, it has been the rise of privacy itself that has meant that many of these technologies have had to be reviewed and updated with encryption protocols and technologies. According to Whatsapp and Telegram, they do not know the content of user conversations due to point-to-point encryption . In the case of Telegram, the application was already born with some encryption. In WhatsApp, however, it was implemented around 2016, so it has historically been considered much less secure.
Despite the privacy of data and specific messages, as Alfonso Muñoz pointed out, “these applications know more about us, for example, because of who we talk to and when we do it, than because of what we talk about.” During his presentation, the enormous problems associated with Telegram’s knowledge of users’ metadata were analyzed.
Among some of the known parameters are, for example, when and with whom a person communicates, even in secret chats, the complete contact list, the IP address, the devices from which the user connects or the version of the operating system that you use, among others. Issues that, in addition to revealing a large amount of information about users, would allow, for example, to draw possible attack plans.
To what extent is Telegram safe?
Telegram is still a tremendously invasive tool from the point of view of privacy, especially due to the enormous amount of metadata it knows about the interlocutors. Furthermore, as Alfonso Muñoz explained in his talk at RootedCON, most of the information and files exchanged only have client-server encryption. With this, Telegram clearly knows most of the information exchanged .
Regarding secret chats, Telegram’s flagship, the server stores encrypted files . Something that, although it may seem positive, also allows Telegram to know a lot of data , such as which people exchange files, when they do it, their size and their names, issues that pose an additional risk in terms of privacy due to information which provide.
In this context, as far as is known and analyzed, the cryptography involved in communications in transit cannot be violated without the collaboration of the company . Unlike what is dictated by advanced cybersecurity protocols or systems, all security therefore depends on the kindness or not of the “operator”, Telegram in this case, which has its servers spread over different parts of the world. For this reason, a large part of its security is really based on the trust placed in the platform itself, which cannot be audited to a great extent when it is closed.
During his presentation, Alfonso Muñoz highlighted the history of Telegram, as well as some of the platform’s bad decisions in terms of cybersecurity, such as the use and configuration of certain cryptographic algorithms. In addition, he also analyzed the many examples that separate it from an alleged relationship with the Russian government as a tool of mass espionage and even bring it closer to the US, although this issue remains an open issue. So much so that there are sources that state that the Russian FSB (Federal Security Service) requested the private keys of the app, with which they could have access to the conversations.
How could we protect our data?
Unfortunately, there is no ideal solution to the privacy problem from a cybersecurity point of view. Among the possible alternatives, not exempt from problems, are, in this order, the Session, Threema, Signal or Wire messaging applications .
In any case, depending on the country and the protection needs, they may be more or less adequate. In his speech, Muñoz even proposed a platform to make comparisons and evaluate which app is best suited based on specific needs and geopolitical situations.
For his part, Pablo San Emeterio, presented in his talk at RootedCON a new series of protection measures that can be added within IM applications to prevent outsiders from eavesdropping on the conversations we have. Specifically, it is about including an extra layer of encryption thanks to the use of introspection and dynamic instrumentation techniques. These techniques allow modifying the behavior of applications and operating systems, in this case the Telegram application. San Emeterio also showed in a practical way how to add this extra layer of security and its usefulness.