Fears for online security continue to mount in Iran following the recent news that a woman was arrested after posting “anti-Islamic” comments on Telegram and reports that hackers had compromised the app’s security and requested secure information from its users.
According to Telegram’s website, “Telegram is more secure than mass market messengers like WhatsApp and Line,” uses “time-tested algorithms to make security compatible with high-speed delivery and reliability on weak connections” and works “with the community” to continuously update and improve its security.
So how secure is Telegram? Beebom, a site offering tips on software and apps, says Telegram’s “secret chat” is good because it offers end-to-end encryption and a “self-destruct timer” that deletes messages for good after a specified amount of time. Experts view end-to-end encryption as vital for anyone concerned about privacy online.
Recent reports reveal that hackers, led by a hacking collective called Rocket Kitten, compromised Telegram accounts. Concerns about the safety of Iranian journalists and activists quickly followed.
Earlier this year, tech journalist William Turton urged readers to “stop using Telegram right now” because “it’s not as secure as the company’s marketing campaigns might lead you to believe.” One of the reasons for this, he says, is that Telegram does not encrypt chats by default. And, as Christopher Soghoian, senior policy analyst at the American Civil Liberties Union, has pointed out, many of Telegram’s 100 million users assume they are using a secure app, but they do not realize that they have to activate another setting before their communication is actually safe. Posting on Twitter, Soghoian said only Secret Chats offers end-to-end encryption. The Group Chats, Messages, and Channels features do not.
Telegram: What's its Appeal?
But it’s some of these features that make Telegram so popular with Iranians. Amin Sabeti, digital security analyst at research and advocacy foundation Small Media, says Telegram is useful for those wanting to promote their content or products, primarily because it has features that other messenger apps such as WhatsApp don’t. “No one knows why Telegram becomes so popular in Iran — even its founder!” he says, but admits the fact that the app is not blocked in Iran probably has something to do with it. “People can use it without using circumvention tools. Before Telegram, Viber was so popular and completely dominated the messenger apps market in the country, but when the government blocked it, people started to emigrate to Telegram. I can bet the moment Iran blocks Telegram another app will become popular.” Telegram also experienced a surge in popularity during Iran’s February 2016 parliamentary elections.
In February, politician and member of Iran’s Filtering Committee Mohammad Reza Aghamiri warned Telegram that the company must comply with Iran’s demands that it use servers inside Iran — or else it would be “removed.” Although it is not clear what Aghamiri meant by “removed,” it could mean authorities plan to employ other tools in addition to filtering to limit Iranians’ access to the app.
Twitter and Facebook are already blocked in Iran. But blocking content is politically costly — and it is often ineffective, as so many Iranians are equipped with VPNs and circumvention tools to bypass the firewall.
Using Apps: the Weakest Link is the User
Tech experts have expressed dismay that Telegram set up its own encryption protocol.
Why, experts ask, did Telegram, which was launched in 2013 by brothers Nikolai and Pavel Durov, feel the need to come up with their own “wonky homebrew encryption” when tried and tested apps like the Signal messenger — used by Open Whisper Systems and WhatsApp — already exist?
“There are certainly problems with Telegram's use of phone numbers as the primary identifier and the use of SMS in order to provide authentication,” says tech expert and researcher Collin Anderson, whose work focuses on the free flow of information and access restrictions, particularly in countries with repressive governments.
“Telegram does provide options that make compromising accounts using telephone interception more difficult, and we do not have evidence that those mechanisms have been breached or bypassed. However, some of these weaknesses are commonplace elsewhere, and Telegram is not alone”.
Telegram and other apps may be flawed when it comes to security, but it’s important to remember that users have a responsibility to protect their own safety online, and to make sure they are staying informed about how secure the apps they use actually are.
“I’m not sure whether Telegram cooperates on the disclosure of identities, but in nearly all information systems the weakest element is the user themselves,” Anderson says.
Iranian authorities are of course well known for doing everything they can to undermine secrecy online, especially when it comes to people expressing views they disagree with, or independent journalists. Iran’s security agencies and members of the Revolutionary Guards make regular attempts to compromise activists’ and journalists’ online accounts, whether it’s Facebook, Twitter, Instagram or Gmail. Often they use social engineering, studying the online behavior of their targets, or phishing, the practice of setting up fake websites to gather information about people.
Amin Sabeti says the Iranian government will continue to do this “because it is the most efficient and fruitful method [of gaining access to personal information] and also cheap. Sending fake emails to try to hack various accounts or pretending to be an employee of BBC Persian or Manoto and trying to interview people are the most popular methods”.
“If you want to say hello to your relatives, then it can be a useful tool,” says Sabeti. “But if you are an activist or working on sensitive info, then you should be careful about it. The main reason comes back to this point that Telegram hasn't been transparent about its activities and relationship with the Iranian government. I would say if you are worried about possible surveillance by intelligence services or governments, then it would be better to use Signal or Wire.”
Sometimes authorities issue direct threats, including via text message. “When I received the text message,” a journalist told IranWire after being threatened in July, “I replied, ‘And you are?’ The reply was, ‘This is your last warning. Our next step is taking action.’” The sender then forwarded the previous text message again.
“Google and Facebook accounts are routinely compromised by Iranian actors, despite strong security assurances and no cooperation with the Iranian government,” says Collin Anderson. “Instead, Iranian state-aligned actors can compromise identities and infiltrate networks through impersonation, phishing and malware – social engineering, con-artistry rather than safe cracking. Very few users have any training or expertise on keeping their identities safe online, and even those who should know better make mistakes – this is a classic scenario. So, Iranian authorities don't need to undermine the security principles of the system in order to target and investigate particular users.”
Rocket Kitten Attacks
Collin Anderson and Claudio Guarnieri presented their research on Iran’s “soft war for internet dominance” at August 2016's Black Hat conference in Las Vegas. As Telegram’s popularity has grown among Iranians, so too has interest in compromising its security. A collective called Rocket Kitten has been launching comprehensive phishing malware attacks on human rights activists and academics since 2014, and a pattern of “spearphishing campaigns” fitting key focuses and activities of Iran’s security agencies has begun to emerge. In 2016, beginning in April, phishing attacks included requests for Telegram “conversation request codes” — login passwords provided by text messages to the user.
As Anderson and Sabeti point out, protecting security online is a constant challenge, and can be hugely complicated. “But if we are talking about the security of smartphones, people must be careful about apps they install on their phones,” says Sabeti. “They shouldn't download apps from third parties and always download from Google Play, App Store or Cafe Bazaar.”
And while staying informed about security is key, it’s also important not to lose sight of what the Iranian government is trying to convey — whether through arrests or via more complex attempts to control the internet. “Take the situation from another angle – strategic communications,” says Collin Anderson. “What does the Iranian government want to convey to the public and establishment? That Telegram is not a free space to express opinions verboten offline. The announcements of arrests provide an opportunity to chill the use of communications tools for critical purposes through imposing a fear of retaliation and removing the perception of invincibility. No one has claimed that this person was a deeply-technical individual running a vital public channel that was found through strong forensics methods. Rather, this was a person that was derisive of the establishment, of which there must be an order of magnitude more for each individual arrested. Sounds like a pariah to me.”
Prior to the 2016 hacking scandals that have led the media to worry about the safety of Iranian activists and journalists, Telegram made international headlines in November 2015 after Iran arrested more than 20 administrators of Telegram groups for posting “immoral content.” Responding to the news, Telegram’s founder Pavel Durov said that Iranian authorities had demanded the app provide them “with spying and censorship tools.” A couple of weeks later, he said the demands had come from a “fake” source and were not from Iranian officials. He says the government denied they had demanded the spying tools.