17 Comments
Dec 3, 2022 · Liked by Matt Tait

There's everything you've said -- but it's not only about cloud architecture or encryption, the problem starts with corporate structure. It has always been tied to the Kremlin and likely still is, for complicated reasons:

https://www.themoscowtimes.com/2017/09/22/the-telegram-lawsuits-explained-pavel-durov-a58989

There is a sea of obfuscation and disinformation and confusion around this topic, but the fact that Telegram isn't banned like every other independent media, enterprise, or person in Russia, and not jailed or declared a "foreign agent" or killed lets you know that the Kremlin and Russian intelligence find it useful. They find it handy not just to spy on everyone, but even to talk to themselves, as their own communications and feedback systems are very shattered now and have always been riddled with compromise. Telegram serves the role of Blue TASS in the Soviet era, the channel where the real news is really posted, available only to elites, so they can know what's going on even in their own propagandized space. Tor, a US government created and sponsored and used system -- which is also why you shouldn't rely on it -- is no different, really; it just has the cool kids' gloss layered over it. An app that demands you be a zebra to hide the stripes of government agents who need to hide isn't your forest, it's your zoo. Telegram is merely a bigger and uglier and more murderous form of the same problem. You can't stop using it if you are Russian, or following Russia and the war in Ukraine, because it's all there is -- just like you can't stop using the metro or going to the store. It's hard to stay safe in such settings but plan accordingly. To think this problem started only now, or is only about the Donbas or only a thing because you can now prove some wonky piece of it -- is naive to the extreme.

Dec 3, 2022 · Liked by Matt Tait

If Ihor deleted earlier messages in a non-secret chat (for both him and Smoke), would those messages still be available without getting the auth key from the phone?

Dec 3, 2022 · edited Dec 3, 2022

You are wrong on both auth_key_id and PFS. Messages on Telegram are encrypted using a temporary auth_key_id, and it's not permanent. Even the docs say that the client should NEVER USE auth_key_id... so what is being said in the article is completely incorrect. On top of that, Telegram uses PFS for all chats.

Links to read about it:

https://core.telegram.org/api/pfs

https://core.telegram.org/api/end-to-end/pfs


The author built the entire article on two false assumptions. Another user was already told about the protocol. I will talk about the "idiots" for whom the author has the special services of Ukraine. We don't have idiots in SServices, they don't communicate with agents by an open channel. And taking screenshots, the author, is very simple - the FSB gave Ihor a second smartphone, with the camera of which he was supposed to take photos of the screen. Did the author not think about such an option before accusing Igor and Smoke of idiocy?


We face the same issue with WhatsApp in Iran: when police arrested protesters, they have a list of all their WhatsApp chats, thanks to the hackers who sell exploits for mobile and apps.


Let’s mention both of the elephants banging in the room -- one, Igor and Smoke choosing unencrypted communication over alternatives, also the obvious Telegram secret chat. And two, Russian servicemen keeping and then releasing Ihor after 11 days. Incompetence and carelessness are on both sides.

On the flip side, let’s also ask the question -- what made, for the rashens, Ihor a source worth leaving alive and observing, after all? One of the answers (also detailed in this piece) could be the hope to catch some sort of intel eventually. But to have this hope, they needed access and knowledge of not “nothing” and not “everything”, but definitely of “something”. So the clumsiness (maybe deliberate?) maybe blew some hope and life into Ihor’s prospects, beyond the 11-day torture.

And for sure, when an incomplete account of an event is further grounded in a chain of assumptions plus some hearsay it might come off as a hit piece. But I think the account here is quite based and rather careful.


It is not completely accurate that one can't take screenshots of the secret chats without jailbreaking etc. I have a new iPhone, not jailbroken, and I can take screenshots of secret chats. All that happens is that a text notification appears in the chat stating that I took a screenshot. Nothing else, not disabled.


Screenshots of private chats can also be taken without malware by taking photos with another (possibly ru supplied?) physical device.


Anyone participating in illegal or covert communication should take the time to learn how to properly secure their device and communications the best possible no matter what platform is being used. Physical access to an unlocked phone is game over for most any platform if messages are being retained and stored on the device in any way.

If Telegram is so insecure, why haven't there been any verifiable hacks of the system to prove it? I see these stories constantly talking about how it can be done, but it seems no one has done it yet. I would think that systems such as Signal and WhatsApp (Facebook/Meta) would hugely benefit from such a public display. Telegram even welcomes such a hack by offering a $300,000 bounty for anyone who can successfully decrypt a secret chat. They also offer a $100 payment for any bug reports that result in a code change. You should go through the Telegram FAQ and their advanced FAQ a little more.

In regards to the Kremlin having some sort of backdoor access, it seems that a pattern of suspect activity regarding OPSEC would have already begun to reveal itself considering how much Telegram is used in Ukraine. After all, Russia has not proven to be the sharpest tool in the shed over the past 9 months.

This article seems to be just another conceptual hit piece on Telegram like so many before.


Telegram has perfect forward secrecy, rendering this whole article's premise completely flawed. All that effort to write without checking the API properly?


Thanks for the article that’s very interesting!

Indeed Telegram is not a secure app!

One quick question: let’s say Igor and Smoke had chosen WhatsApp or Signal to exchange… let’s say they would even have done this before occupation (not the case here), would they be able to use it once Russian forces were controlling the internet in Kherson?

As far as I know, Russians forbid a lot of apps. Are WhatsApp and Signal working (or allowed) in temporarily occupied territories in Ukraine?

Wouldn’t Ihor be killed just because he used Signal? Or maybe just forced to use Telegram and lost contact with Smoke?
