This week the Federal Police (PF) carried out some actions to arrest the alleged hackers who had participated in the illegal access to the prosecutors’ accounts and then sent the data to The Intercept.
On the internet, many people shared information saying that the form of attack reported would not be possible, so I stopped to carry out some tests and look for a history of the case.
And I can guarantee that Telegram is safe if you use the available tools, I say this with confidence because for some years I have been offering related services such as interface customization and creation of bots for Telegram.
This form of attack allows the attacker to access much more than Telegram, it allows access to information in other applications that only use the phone number and calls with codes for authentication.
In the case of Telegram, after stealing the account and cloning the victim’s number, the attacker has access to the messages saved on the service.
Update (07/29/2019): Telegram has removed the feature of sending code via phone call, making it impossible to exploit the flaw described below.
And what is Spoofing?
Spoofing is when a person or program manages to pretend to have another identification that can be a phone number, email, IP, etc., for example:
“Jonas” used a way to have the same phone number as “Maria” on his phone and using that number he could pretend to be Maria and commit misdemeanors.
One of the ways to simulate another person’s number in a call is by using a VoIP service, as apparently happened in the case of the supposed “hackers”, which allows you to change the number from which the call originated.
**To understand how spoofing works in this case, it is good to understand the standard login process with Telegram through the interface: **
Access a mobile, desktop or Telegram web App
The person must enter the area code and cell phone number information
First, Telegram sends the authentication code via message on the platform along with a warning
After a while it allows you to request a code via SMS
After requesting the SMS code, it allows you to request a call with the code
And if the user is unable to answer because the phone is busy or out of range, the message goes to voicemail
In the case of the tests we carried out on the Vivo operator, even with the voicemail disabled the message was saved in the voicemail.
With this process, Telegram tries in every possible way to allow the person to authenticate themselves, always offering the most economical way.
This standard process can be considered insecure and is offered by many other services and companies on the internet.
Telegram also offers and recommends the use of 2-factor authentication (2FA) which adds an extra step after authenticating with a code like password ensuring a very high level of security.
But if the Telegram process is safe then what happened?
Network failure\o/ and lack of 2FA
Operators have flaws like the example below and allow access to the Telegram code for example:
If an attacker calls the cloned number using the same number, the operator can redirect the call to the victim’s message box, giving access to the Telegram code or any code available there.
Yes, this flaw allows access to any type of code that ends up in the post box and it is not new… see a video showing this type of attack in 2016, in this case in Italy:
Link: https://youtu.be/CZ9YBdrtr8g
But enabling 2-factor authentication (2FA) by adding a password to the account would prevent the attack as the attacker would have to know the password.
If this was the way used to attack and steal messages from victims related to Lava Jato, then the PF’s security level at the time was very basic, something incompatible with the importance of it and the related processes.
And now how to protect yourself?
Telegram and other similar services allow the activation of 2-factor authentication (2FA), which is essential to guarantee data security as telephone services are not very reliable
So to protect yourself you must activate 2-factor authentication (2FA) and if you do something unethical or illegal, avoid the internet…
More information about 2FA on Telegram: https://telegram.org/blog/sessions-and-2-step-verification and in Portuguese: [https://telegram.org/faq/br#p-como-funciona-a-verificao-em-duas-etapas](https://telegram.org/faq/br#p-como- two-step-verification-works)
Sources:
- What is Spoofing: https://en.wikipedia.org/wiki/Spoofing_attack
- Example of an attack similar to the one reported by the PF: https://www.youtube.com/watch?v=CZ9YBdrtr8g