This particular issue doesn't open private message content—these are public groups. But it demonstrates what can happen when the authorities can compromise the privacy within secure platforms. And that's where this is a reminder of what's at stake in the broader encryption debate, and why passions on the subject run so high.
Related: U.S. may outlaw messaging encryption used By WhatsApp, iMessage and others"Need help from @telegram," tweeted local software engineer Chu Ka-Cheong. "We and multiple teams have independently confirmed a serious vulnerability that causes phone numbers to be leaked to members in public groups, regardless of the privacy setting. Telegram is heavily used in #hkprotest, it put HKers in immediate threats.”As reported by Reclaim The Net, the vulnerability made public on a popular Hong Kong discussion forum, exploits public access groups, where users in the group have selected to keep their phone number private. If the authorities add thousands of phone numbers to a device and then sync that device with Telegram, they can match stored numbers against the undisclosed numbers in the group, exposing the matches. A telco can then reveal the real identities associated with those numbers.
Chu Ka-cheong, Director at Internet Society Hong Kong Chapter, told ZDNet that the privacy of a phone number used with Telegram "has always been an issue," given that Telegram (as with other secure messaging apps) uses phone numbers as identifiers. "But not until today have we been aware that setting [who can see a phone number] to 'Nobody' will still allow users who saved your phone number in address book to match phone number to public group members. This surprised every one of us."A similar compromise was reported by Reuters in 2016, when "Iranian hackers compromised more than a dozen accounts on the Telegram instant messaging service and identified the phone numbers of 15 million Iranian users, the largest known breach of the encrypted communications system." That attack focused on SMS activation messages rather than synchronised contact lists.
There is currently no workaround for protesters, except switching Telegram accounts to anonymous burner phones that can't be traced. And that introduces a whole set of new logistical challenges.
Telegram pointed out to ZDNet that the platform limits the number of contacts that can be synchronized, and "once you get banned from importing contacts, you can only add up to five new numbers per day." But clearly this is the Chinese state we are talking about, and the fact there is a vulnerability gives an opening to exploit.
What a No-Carrier Phone Could Look Like
"We have suspected that some government-sponsored attackers have exploited this bug and use it to target Hong Kong protesters," Chu warned. "In some cases posting immediate dangers to the life of the protestors."
The implications of this issue extend beyond Hong Kong. The aspiration for government agencies to crack message platform encryption is widespread, and this year we have seen significant debate prompted by U.S. and U.K. lawmakers making those aspirations public. Agencies do not like being unable to "lawfully intercept" message exchanges between persons of interest. Related: WhatsApp and other encryption under threat after 'Five Eyes' demand accessThe encryption debate has been gaining ground in recent months, and the rhetoric from government strongly suggests a shift from exploratory "in principle" discussions to execution options. End-to-end encrypted messaging is a genuine issue for law enforcement. As the world has shifted from traditional (and crackable) SMS and email messaging to "over the top" IP platforms like WhatsApp, iMessage, Signal and Wickr, investigators have "gone dark," with no ability to access discussions even with a court order in hand.
The secure messaging industry and privacy lobbyists argue that once such a backdoor is introduced it can be exploited—keys can be found. They also argue that not all governments can be considered "good guys," so who grants access. "Deciding who gets this kind of [intercept] technology means we're in the business of determining who's good and who's bad," Wickr CEO Joel Wallenstrom told me earlier this year.
This Telegram vulnerability is an accident, not a backdoor, and it reveals identities not content. But it's timely given that wider encrypted message debate. Once platforms are weakened, once backdoors are introduced, there are serious technical players who will leverage those weaknesses in some of the darker corners of the world.
Hijacking WhatsApp without Hacking