Security experts have called the integrity of Telegram Passport into question. The identity scheme, which launched last week, provides a KYC service for ICO applicants, with personal documents protected by end-to-end encryption. Telegram’s decision to roll its own cryptography, however, has seen the communications giant come in for criticism.
Never Roll Your Own
Rolling one’s own crypto is regarded as a big no-no in the infosec industry, as it’s liable to introduce vulnerabilities; just ask IOTA, who learned the hard way that crafting a bespoke algorithm is a recipe for disaster. Jackson Palmer was one of the first to call Telegram out for the practice, shortly after news of Telegram Passport broke, tweeting “You might want to think twice before uploading your identity documents to a service who rolled their own crypto and don’t support E2E encryption by default.”
While Passport does have end-to-end encryption, it is reliant on Telegram’s proprietary algorithm to encrypt the data that’s uploaded – extremely valuable data such as passport and bank statement scans that are sure to form a honeypot for hackers. A new report from Virgil Security has exposed much of the inner workings of Telegram Passport, and based on what its team have turned up, things don’t look encouraging. While hacking the service would not be a formality, even for a sophisticated team, there are enough vulnerabilities to give a determined attacker a possible entry point.
The report concludes: “Cryptography’s most famous anonymous quote says “Don’t roll your own crypto!” Back in 2015, Telegram ran into similar criticism. In 2016, 15 million Telegram users’ phone numbers were revealed in Iran due to a user authentication flaw. Now it’s 2018 and with Telegram’s Passport, the quote has never been more true.”
If Your Telegram Data Is Accessed There Would Be No Way to Tell
One of the problems with Telegram’s system for encrypting and storing user data with Passport is that there is no digital signature used. This is commonly applied to software updates released by project teams, for example, allowing anyone installing it to make sure that the package they’re unbundling is genuine and has not been tampered with. As Virgil Security notes, “The security of the data you upload to Telegram’s Cloud overwhelmingly relies on the strength of your password since brute force attacks are easy with the hashing algorithm chosen. And the absence of digital signature allows your data to be modified without you or the recipient being able to tell.”
Telegram Passport may not be intrinsically flawed, but there are evidently ways in which it could be reinforced for the reassurance of its users, and to enhance Telegram’s own reputation. As news.Bitcoin.com noted when first reporting on the scheme, “some Telegram users will naturally be concerned about entrusting their most intimate details to the platform, even with the promise of end-to-end encryption.” CEO Pavel Durov is a man of few words publicly, having tweeted to his 1.45 million followers less than 2,000 times since joining Twitter a decade ago. If he wishes to fend off fears about the security of Telegram’s encryption methods, he’ll need to break that silence.
Do you think concerns about the security of Telegram Passport are justified? Let us know in the comments section below.
Images courtesy of Shutterstock.
Need to calculate your bitcoin holdings? Check our tools section.