 All right, thank you all for coming to our last talk of the day today. Next up we have Vito Ventura who will be speaking about how to hack or snoop at least all telegram messages. Thank you. Good afternoon everyone. There's a little bit about me. I've worked in the industry for quite a while and I've worked in all sides of the industry and one thing I have to say to everybody at a certain point you need to see the light and do research. That's the most fun of it. So moving on to what really matters. SecureIM. So there are several types of SecureIM around. I've picked up a couple of examples. Most of them will share some kind of protocol. So WhatsApp, Signal, we'll use the Whisper protocol. Facebook also uses it on their own chat. Google also uses it on their own private version of chats. Then we have Telegram which is they have their own protocol. Quick question. Is Telegram end-to-end encrypted by default? Who think it is? Great. Yeah. That's it. It isn't. And then we have also, I picked up also Threema because they are zero knowledge SecureIM so you are supposed to be able to set up a session without having to give away your phone number. So they are really innovative on what they do and they are based on an open source library which is the NACL for cryptography. So let's focus on Telegram which is the main talk. So Telegram has a base of 200 million users. It was created by the Vukov brothers after they sold out the face, the version Facebook version. They were kind of, well they sold it. Maybe they were not very happy about it but they did sold it and in the end they ended up creating Telegram. Telegram has a different architecture than the others. So they, although they are not end-to-end encrypted by default, they do have the keys which are spread at several countries in such a way that if you want, if some government wants to get the keys to the crypt data, they will need to go through the legal process on several different countries. So until now they have, they are really proud of the fact that never has, that has never happened before. But in the end, we need to keep in mind that they are not end-to-end encrypted. Telegram is used a lot in western countries, in Iran, in Russia, in all of the ex-USSR countries for several reasons and, but mainly because it's easy, it's really easy to use. Okay? So one thing that also to talk about is that, and this is really important, 200 million users does not mean that you have 200 million added security-educated users. That's not the point. They are not added security-educated. So when we say that this is secure I am and the user should do this, we need to remember that among this room a lot of you knew that Telegram was not end-to-end encrypted by default, but you are subject matter experts. You need to, we need to think that when you, when these kind of applications are created, they are not created for people like us, they are created for people in general and hence they have 200 million users, but these 200 million users are not security experts. They don't know better. And this is important. So before we go into all the technicalities, I want to talk a little bit about all the censorship that has been around on, on Telegram. So there have been several attacks on Telegram from Russia, from Iran, from a lot of countries using different techniques. So there have been attacks that they tried to, to get the tokens for the, for the registration. They have been attacks where they have even done BGP hijacking. So I've, I've published a couple of things on that. So Iran back in 2016 did an attack where they hijacked all the networks from, from Telegram in order to get, to get the messages using the BGP hijacking. So all of this has been happening for a long time. Again, there was also the thing with, with Russia and where Google and Amazon stopped doing the domain fronting. There was a lot of attacks on them. The most recent one was with all that is happening on, in Hong Kong there was an attack on Telegram where the, the Vukov brothers blame China. I don't know if it's, if it's through or not. I don't know who did it. But this is what's happening. So they are really, really, they have been really targeted by governments to stop them. So let's go now into the technicalities. So one of, well first I should do a disclaimer. Everything that I will show here from this point on was sent to Telegram and they didn't get, get any response from them. I don't know why. So one of the things that I also want to mention about Telegram is that on the session management you can clone sessions and you don't need to re-establish them. So on my previous work what I did was I just pick up a token from a, from a desktop session, copy it to another machine and I could see all the messages going on. So as simple as that. And that is being exploited in the wild. So this is an important point. This is session cloning. There's nothing, well it's just like cloning a session on, on a browser. But it's something that is going on and it's not, it's not, they're not doing anything about it. By the way, all of them are subject to this. Signal, WhatsApp, Telegram, all of them are subject to this. They have different responses. They have different ways of dealing with the problem. But all of them are subject to this. So using any of these applications on your desktop, it's a bad idea. Again, non-advocative users, they don't, they are not aware of this. And this is important. So what makes the difference between Telegram and all of the other? It's one specific thing. None of the other applications allows multiple sessions from the same phone number. So if you try to, if you have a WhatsApp installation on your phone and you try to install another, another WhatsApp with the same phone number, it will not work. So the session will bounce from one side to the other and you will never have two sessions active at the same time established at the same time. This is the same thing with Signal and this is because of the way that the Signal protocol works. Now with Telegram it's different. With Telegram you can in fact have two sessions hooked to the same phone number. So this is one of the main things that allow you to snoop messages. So I will, I will get back to this in the meanwhile. Another thing that I want to say is that there is a two factor, a second factor authentication that when I started to do my, my, my experiments was not enforced on the same device. Later it was enforced on the same device. There was a change somewhere in the, in the time on the different versions. However it's still not enforced by default. Again, the regular user will start using Telegram. It's okay. They use it. There's nothing bad there. So if you don't have the second factor authentication you can literally read all the message on an Android phone without rooting the device. And this is one of the things that this kind of option should be explained to the user and the user should have the choice of opting out or in when they do the first registration. Instead it's just there hidden and it didn't, you need to go and look for it. So how do you actually snoop the messages? Let me just take a little water. Okay. So I want to say that Telegram does when you try to set to register a second session is that it will send you the token using its own channel. So if you have a Telegram installed on your, on your mobile device and you see if you install a second version it will try to send you the token for the second session over its own channel which is the safest way to do it. So one of the first things that you should do when you're trying to do it like this is basically kill the background process. This is just, it's a dirty way to do it but if you do it like this the user won't see the message arriving with the token and he won't notice that it's, that something is going on. Of course if you do this in the morning it will know, it will never know anyway. But okay it's a, it's a one, one, one approach. So then what you need to do actually is to send a request. So all of these pieces of code it's from the actual Telegram client that I changed in order to do the, to do the demo. So instead of coding a whole new thing I just went into the, the Telegram client and just took the code to do what I wanted. So I'm, I'm kind of lazy to code so. So basically what I'm doing is that I'm building a new request for a completely new registration. One of the things that is really important is this line. So this line says, says to Telegram server that I don't want to receive a phone call to register. So if I'm trying to build something that will snoop the messages it will be really odd for the, for my target if he receives a call at 2 a.m. from, from Telegram saying your code is 2134. So that doesn't really work. So what I do is, okay let me put this, allow flash call to false and that when, when the registration request goes to the server it, the server knows that it should not call me. Okay? So this is basically what it does. What it does. The other thing which is interesting and if you are lucky or if you can manipulate the network enough is that if you are on the, the correct build of Android, so with SDK 26 or above it will use something which is called, uh, yeah, create the APP specific SMS token. This is a really specific API and a really fun one if you don't know it. So this pretty much allows any application to receive an SMS code without the read SMS permission. So this is something that Google did so that when you want to build an application and you want to have a confirmation by SMS and that's all you want to do with the SMS you don't actually need to give the read SMS permission to the, to the application. Of course this is fun and it's a security method that was implemented. In this case it's a little twisted because this way I can actually get the token without having the permission to read SMS and I can go all the way through to, to the registration without the user noticing. Again, the server will only actually does this if it cannot deliver the message on their own chat. So if you can manipulate the network enough it will be, it will be easier. If you can't, well, we'll, I will show you how, how we go next. But this is just, uh, well this is a best case scenario. Let's face it. So what you do is that you build a request and then you send it to the server. One, another thing is that the protocol says that you need to, to wait 31 seconds, well 30 seconds before you can request a, a recent. So all of this goes around manipulating the, the request process from Telegram in order to do it without the client ever noticing. So we need to wait 30 seconds because that's the amount of time that the protocol says that you should wait before requesting a new code. So the code is always the same, but instead of being delivered by the regular Telegram channel it will be delivered as an SMS. But you need to request it. So what we want really is to receive the token as an, as an SMS because if I can receive the token as an SMS, in the worst case scenario I need to have the read permission to get the SMS, put the code in and have new, a new, a new session. In the best case scenario I will receive it directly and I don't need to do anything. So after the 31 seconds what we do basically, oh so this is the code that I did just to wait the seconds and then do the request. Again, you need to do the request. The request is basically this which is a new packet where you just create an object called recent code. In this code you cannot specify things like I don't want the flash talk. So this is always tied with the initial code. You cannot, at this point for instance, the application specific SMS token will not work anymore because it's now the service in a different state where it's saying, okay I've sent the code, you didn't read it for some reason and now you ask me for another code. Well you ask me for the same code again and I'm delivering the code with an SMS. So the state is it's a little different. So when you send this it's the same code, it will go in and you will receive an SMS with that code. Once you have that code you have a new established session. As I said before you can have two sessions on the same SIM card and you can have clone sessions. So all of this together allow you to basically read all the messages from, from telegram and you can do it, you can do, you can put this on an application whatever you want and it will go through and no one will ever notice it. So you don't need root, at most you need the read permission or you don't depending if you are lucky or not and that's pretty much it. It's as simple as that really. So just to have a little summary, so I created a cycle to kill the background message so that the user wouldn't see it then I do the request, I wait the 30 seconds, I rescind, I send the request for the rescind of the code, I have the SMS code, now I can push it to the server and I will have access. So it's not, it's about abusing the status. One thing you, you need to be careful about is that if you do this, if you try this and if you go wrong you'll start burning a lot of phone numbers. So because of after a while telegram notice that you are playing with them and they will block your phone number. So be prepared to have a huge bunch of SIM cards when you are doing some tests because you'll burn a lot of them. So just a summary, you may want to kill the background, you may need that permission or not depending on how you do it. You have another thing which is great which is the accessibility API from Android. You can pretty much use that to hide, click, change whatever you want and the user will hardly notice it so it's also a very good API to do that kind of stuff. The two-step verification is not active by default. Again, if it is active by default you can always use again the accessibility API to trick the user when he's using its legit telegram API, telegram app, just pop up an overlay and ask for the pin, something like that, it will work. It allows, what you need is something that allows the multiple sessions on the SIM phone number. It does allow it. You don't need to do it on the same device so you could be creating your session from another device as long as you can read the SMS. There's no link between the device and the session. That's when I first said that you can do it on the desktop, that's also true for mobile phones. So you can do all of this on a separate machine and you just need the piece that receives the SMS on the device so that you can create the session. That's the only thing you need. Yeah, you may need or not the read SMS permission and one thing that you don't need is root. So let me see if my video works. I did some editing so that we didn't wait for 30 seconds, it would be too much. So let me just see if this works. Yeah. So, yeah, this is the application. This is running a little fast. So at this point I did the request. I'm now supposed to wait for the 30 seconds. My SMS has arrived. I'm just filling out the code and now I have the session. So what I will do now is that, so Beth is my malicious one. It was not a great name, but anyway, it works. And now I have the two applications. This is the legit one, this is the better one, the one that I did. And now I have a third phone where I'm contacting and sending SMS. And now you will see that the messages will appear on both applications. So you see that I sent a high back from this one and it's already here. And finally, I think I said a low again. So just, of course, this is a crude proof of concept. You can improve it a lot, but it proves what needs to be proved. And now I'm sending another message from my other phone and it will also appear here. Another thing, yeah, as you see, it's on both applications. So I'm receiving all the messages and I can read messages. You see that sometimes it says you're connecting. The reason why it's saying connecting is because, again, I was a little lazy and I didn't stop the cycle that is constantly killing the background process. So it's still trying to kill it and it's trying to reconnect. So as a quick wrap up, instant messaging has a lot of value. And this is not just about how you can stop the messages, it's about the value. This is just the price of exploits running on instant messaging. As you can see, it's extremely high. Also some information disclosure, but for WeChat, Viber, Signal, Telegram, everything is extremely high. So there's a huge value in this kind of attacks. And the reason is obvious. So as I showed you before, all the censorship attempts, all of that leads to this, the higher value of these kind of vulnerabilities. So as a conclusion, security isn't instant messages. It's not just about end-to-end encryption. So Telegram protocol for on-the-wire communication has never been broken. Just like Signal has never been broken, sorry, the communication on-the-wire has never been broken. But that's not the only point that you need to secure. The end point is a problem also. And that's where sometimes some of them are lacking security. And, well, Telegram is not safe by default. And if you have any questions? All right. Thank you, Vitor. We'll take Q&A up here by me. Can you come up to the mic, please? Hey, great talk, by the way. Thank you. Some of these sessions include a notification from when the message has been checked. Sorry, can you repeat that? Some of the, some of the notifications from when the messages have been read or checked. Yeah. If you're viewing those directly on the second session, will that show? No, it won't. They won't notice that the message has been read on the other side. Thank you. Okay. Other questions? Come on up to the mic, please. You mentioned that other secure messaging apps also have to contend with the session hijacking. Could you give a brief overview of what they have done that makes them different from Telegram? Or if they are? Sorry, I had a hard time listening. Sorry. What are other messaging apps like Signal doing that can prevent the session hijacking issue that Telegram? Okay. Yeah. So, what's up, for instance, they have some kind of notification that allows the user to know that the session has been hijacked. However, I did, in September last year, I did a post about that, and they denied that that is a security feature, so they didn't fix the work around that. So, they have a way to notify users, you can bypass it, but because they didn't consider it a security feature, they didn't fix it, so they didn't consider vulnerability. One. Signal, they actually, there's a race condition which is really hard to bypass, so they also have the same problem, but they handle it a little bit better. Telegram, yeah, they don't handle that, that, that, that, that's, that's good. So, all of, of the three, Signal is the one that handles it, handles it better, but still it's vulnerable. So, I play with Telegram a little bit, and so if I start a secure messaging conversation with you on my phone, that doesn't show up on, say, if I set it up on the desktop, I would have to start a new session. So, how does this proof of concept work and that? So, that's about it, when you start secure sessions, they will secure chats, they will end to end on the device. So, that doesn't cross here, these are the regulations. However, the interesting fact is that, if I create a secure session with my new session, the user will never know. So, I can impersonate you in all the way, and the, the, my victim will never know that I'm talking with your target and the other way around. So, you can impersonate anyone that you want, and they will never know. They don't have a way to know because there is absolutely no information going back to them. Other questions. So, always use secure, secure chats. Yeah. Does this show up in the Telegram session manager? So, if you go to your settings, you can see all active sessions. Yeah, it will show there, but it will show there has a session from the same device. So, for, again, for a regular user, that's not something that you'd consider weird because it's on the same device, it's just another copy of itself. So, it would show up as a duplicate on the same device. Yeah, exactly. Interesting. You covered the three, but you didn't mention Threema, have you done much experimentation or compare those to say signal? So, I have Threema there because they are a zero knowledge secure I am, and that's a really good fact. I did look into their protocol, but I didn't do any testing. But Threema has the advantage, the good side is that you don't need a phone number to initiate any session. So, it's a zero knowledge, absolutely zero knowledge, not like any of these. And, well, that can be better from the privacy point of view. But I haven't tested the protocol, definitely. Still have a little more time? If you have any further questions? All right. One last, oh, one more. You come up. Guy Garwai is in the back of my head. Thanks for the talk. What are some secure, more secure options other than Threema? Well, let's, so even telegram, if you use it with the right sessions, settings, it will be more, it will be more secure, just like signal or any of the others. So, one of the things I would say is, don't use desktop apps. You have your phone, use the ones that you have on your phone. Don't root your phone, don't jailbreak your phone. When you have, you're using telegram, use the secure, the secure chats. Those are end to end. You won't be able to see them on the web browser, but you have your phone, right? Use the two fact authentication all the time. Disable and re-enable sessions whenever you need. All of those features will keep you more safe. It will give you more trouble to use, but that's always the trade-off between privacy and usability. Because as I said, none of these have been broken on the wire. So as long as your device is safe, you should be okay. But an Android device, if you install software that comes from the wrong side of the table or unsafe software, well, you know, it's Android. All right, we have time for one more question. What about the safety of the web app? Not just using it on your phone, like through the browser or using it on the browser or on your computer. Don't use the web app. That's when it's simple. All right, thank you, Vitor. Okay, thank you, everyone.