Wednesday, June 28, 2017

IM Telegram Replay Attack - Android

Hopefully, readers will have had the opportunity and time to read about WhatsApp here at the trewmte.blogspot:

WhatsApp network forensics - http://trewmte.blogspot.co.uk/2017/06/whatsapp-network-forensics.html
Whisper Signal WhatsApp - http://trewmte.blogspot.co.uk/2017/06/whisper-signal-whatsapp.html

So it's time to move on to the next instant messaging app known as Telegram. It is relevant to mention this app at this time as it appears the Russians are targeting this app as well -
http://www.bbc.co.uk/news/world-europe-40404842 - and the thought must be what will they discover by way of a flaw or vulnerability or do they what they are already?
 
The IM Telegram Replay Attack - Android uncovered from the following research published in Tomáš Sušánka thesis can be found here:  https://www.susanka.eu/files/master-thesis-final.pdf .
 
As a primer, a replay attack is an attack where an attacker sniffs data sent by the application and then resends them at a different time with a malicious intent. Unlike WhatsApp where all accounts are controlled by source; Telegram relies upon some third party developers to implement security updates that Telegram has informed them about; if developers don't update after that many devices using Telegram could be unsafe even today potentially enabling attacks across networks.
 
Deobfuscator.cpp file
 
To gain a background understanding to IM and security related issues the thesis considers other IM apps, including WhatsApp, and noted security issues with them.
 
One interesting comment noted in a paragraph in the conclusion reveals the influences foreign policy subjects itself on software developers regarding censorship: "We have scrutinized the code base of the official application for Android and concluded that the state of the application is at serious odds with the documentation. This concerns mainly the undocumented obfuscation method Telegram uses. The MTProto traffic is encrypted one more time with the key and IV prepended to the data. This has no effect on the data security and is easily debunked by the deobfuscation program we have implemented. When the Telegram team was confronted with these claims, they noted the method is used to circumvent some of the less sophisticated methods of censorship in certain countries."
The author's research relating to apparent Telegram vulnerability, that has been published, he has also provided his background research e.g. source code etc., (so you better get it before it goes) https://www.susanka.eu/files/master-thesis-cd.zip :
 
CD's directory structure is:
-  data
- Telegram source code
-  src 
- Telegram Deobfuscator
- Telegram Extractor
- Trudy Go module
- LaTeX source codes
- diagrams
source codes
- text
- appendices
- thesis.pdf
Excellent research and discovery!
 

No comments: