This Telegram Exploit Highlights What’s Wrong With Secure Messages And Its Users Today
2 Oct 2019
TL;DR: Stored phone numbers can be matched against group contacts, exposing the user; public secret groups have a common encryption key.
If you've been following the news straight from Hong Kong, then you have probably heard about the predicament that befell politically oppressed Telegram users who had also opted to hide their phone numbers.
In case you missed it, let us explain the government's actions as briefly as possible.
Authorities simply decided to add thousands of phone numbers to a device and then sync that device with Telegram. That way, they could match stored numbers against the undisclosed numbers in particular groups, therefore exposing the matches.
When The Updates Roll Out Features That Put You Under Fire
“Setting [who can see a phone number] to 'Nobody' will still allow users who saved your phone number in their address book to match your phone number to public group members.” - Telegram
Needless to say, that enables user identification and ongoing targeting.
Activists are in shambles and they will age faster than they would like to thanks to this experience. Well, fighting for your rights was never meant to be a walk in the park.
Here’s another question we can dance around for a minute…
How Do You Expect To Be Safe, If You’re Entering A Public Group?
Would that unfortunate situation even happen if victims hadn’t entered any groups in the first place?
Participants in group chats share one encryption key rather than holding individual keys for each party involved. Private-public key encryption would require sending each message multiple times, depending on the number of contacts you have, because each copy is encrypted differently.
Moreover, to make such chats sufficient, the chat history would need to be stored on some server that also has access to the encryption keys. That means the owner of this server can also read whatever you said.
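The two designs contrasted above, modelled as an added example (not Telegram's or StealthTalk's code or protocol): per-member encryption produces one ciphertext per member, while a shared key produces one ciphertext that any key holder, including a history server, can read. The cipher is a toy HMAC-SHA256 keystream standing in for a real authenticated cipher; all names, keys and the message are constructed.

```python
import hashlib
import hmac
import secrets

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode; toy construction for illustration only.
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))

def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    ks = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))

def send_pairwise(member_keys: dict, message: bytes) -> dict:
    # One separately encrypted copy per member: cost grows with group size.
    return {name: toy_encrypt(key, message) for name, key in member_keys.items()}

def send_shared(group_key: bytes, message: bytes) -> bytes:
    # One ciphertext for everyone: readable by anyone holding group_key.
    return toy_encrypt(group_key, message)

def compare(members: list, message: bytes) -> dict:
    member_keys = {m: secrets.token_bytes(32) for m in members}  # constructed keys
    group_key = secrets.token_bytes(32)
    pairwise = send_pairwise(member_keys, message)
    shared = send_shared(group_key, message)
    return {
        "pairwise_ciphertexts": len(pairwise),
        "shared_ciphertexts": 1,
        # Each member recovers the message from their own copy.
        "members_read_pairwise": all(
            toy_decrypt(member_keys[m], pairwise[m]) == message for m in members),
        # A history server that also holds the group key reads the shared copy...
        "server_reads_shared": toy_decrypt(group_key, shared) == message,
        # ...but that key does not open any per-member copy.
        "server_reads_pairwise": any(
            toy_decrypt(group_key, c) == message for c in pairwise.values()),
    }

if __name__ == "__main__":
    print(compare(["alice", "bob", "carol", "dave"], b"constructed sample message"))
```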
Something To Keep In Mind
StealthTalk is not a meeting hub for activists because it doesn’t have groups, needs to know your phone number, and provides encrypted calls for only three users at a time.
On the other hand, StealthTalk is probably the best solution for businessmen and their trusted partners and advisors. It acts as a digital soundproof conference room that is designed to provide a truly private space to handle one-on-one business conversations or private three-person conference calls.
For now, you can test the bare-bones version of StealthTalk for 30 days for free.
To find out how consumer-oriented features can undermine top-notch security, we recommend reading the article “How a Government Standard $160,000 Armored SUV Failed to Protect a Special Agent”.
It is a tragic story, but it shows you why comfort and security are on opposite sides of the board.