
How Russia Works on Intercepting Messaging Apps

April 30, 2016

By Frederic Jacobs

Translations: Русский

A few months ago, I wrote a post on SMS logins following a wave of attacks attempting to take over Iranian Telegram accounts. Recently, there have been new confirmed cases of attacks in both Iran and Russia.

Oleg Kozlovsky is an opposition activist and the director of Vision of Tomorrow Center in Moscow.

In a Facebook post written in Russian, he explains how his Telegram account got hacked.

At 2:25 AM MSK on Friday, April 29th, MTS (Russia’s largest mobile operator) disables SMS service on his phone number. After 15 minutes of disconnection, someone tries to log into Oleg’s Telegram account. When 2-step authentication is not enabled, authorizing a new device on a Telegram account consists simply of entering a verification code received by SMS. At 3:08 AM the attacker enters the authorization code and gets access to Oleg’s account. The Telegram login notification reveals that the attacker is using a Telegram command-line interface from the IP address of a Tor exit node.

[Image: telegram-hack-exit-node, the Telegram login notification showing the new session from a Tor exit node]

Four minutes later, the same Tor exit node IP address logs into George Alburov’s Telegram account. It is currently unknown whether other accounts were breached that night. Message logs (excluding Telegram Secret Chats) and contact information were likely the information sought by the attacker.

Because Oleg was sleeping during the attack, he only noticed the notification in the morning. He called MTS Customer Support; after consulting with the “expert department”, they told him that the security service was involved and that SMS had indeed been disabled from 2:25 AM to 4:55 AM. Oleg’s request to talk to the security service was denied.

SORM, Russia’s CALEA

Given the political activities of both targets, the most probable theory is that the attacker was a Russian governmental agency working in collaboration with MTS under the SORM law.

SORM, standing for Система Оперативно-Розыскных Мероприятий which translates to System for Operative Investigative Activities, is Russia’s CALEA. SORM has been around since 1996 to enable wiretaps of telephone communications. It evolved over the years to allow broader access to electronic communications.

If SMS interception capabilities exist, why would they go through the hassle of disconnecting the SMS service? One possible theory is that they hoped the intrusion would go unnoticed if the targets didn’t receive the text message. This would allow them to proceed to data exfiltration from the Telegram account without the risk of being shut down halfway through. The issue with this theory is that Telegram notifies you on your primary device when a new device is logged in. So despite not having seen the activation SMS at the time, Oleg could have detected the intrusion instantly because of the Telegram notification. Additionally, the attackers didn’t log themselves out, so their session remained visible in Telegram’s active sessions list after Oleg woke up. It therefore remains unclear to me what the advantage was over a regular interception. If they hoped to be undetected, this was really sloppy and unprepared.
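The two signals the post relies on, the new-device notification and the lingering entry in the active sessions list, can be checked mechanically. The following is an added example written for this article, not code from Telegram, MTS or the author: it parses a constructed session export, correlates accepted logins with the SMS outage window MTS confirmed, and flags sessions from an unrecognised device or from an address on a Tor exit list. The log lines, the device names, the exit-node list and the IP address (a TEST-NET address) are all constructed; only the timeline follows the post.

```python
"""Flag suspicious new-session authorizations in a messaging account's
session log and correlate them with a carrier-side SMS outage.

Added example for this article; not Telegram's, MTS's or the author's code.
Log lines, device names, the exit list and the IP are constructed.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed "active sessions" export: date, time, device/app, IP, event.
SESSION_LOG = """\
2016-04-28 22:10:00 Android/Telegram-Mobile 10.0.0.5 code_accepted
2016-04-29 02:40:00 Linux/telegram-cli 198.51.100.23 code_requested
2016-04-29 03:08:00 Linux/telegram-cli 198.51.100.23 code_accepted
"""

# Constructed stand-in for a published Tor exit-node list.
TOR_EXITS = {"198.51.100.23"}

# Window in which the carrier confirmed SMS was disabled (from the post).
SMS_OUTAGE = (datetime(2016, 4, 29, 2, 25), datetime(2016, 4, 29, 4, 55))

# Devices the account owner recognises as their own (constructed).
KNOWN_DEVICES = {"Android/Telegram-Mobile"}


@dataclass
class Session:
    when: datetime
    device: str
    ip: str
    event: str


def parse_log(text: str) -> list:
    """Parse the whitespace-separated export into Session records."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, device, ip, event = line.split()
        sessions.append(Session(datetime.fromisoformat(f"{date} {time}"), device, ip, event))
    return sessions


def audit(sessions, known_devices=KNOWN_DEVICES, tor_exits=TOR_EXITS, outage=SMS_OUTAGE):
    """Return (session, reasons) for every accepted login that looks suspicious.

    Only successful authorizations matter here: a code request alone
    grants nothing, but an accepted code is a new device on the account.
    """
    start, end = outage
    findings = []
    for s in sessions:
        if s.event != "code_accepted":
            continue
        reasons = []
        if s.device not in known_devices:
            reasons.append("unrecognised device")
        if s.ip in tor_exits:
            reasons.append("source address is a Tor exit node")
        if start <= s.when <= end:
            reasons.append("SMS channel was disabled at the carrier")
        if reasons:
            findings.append((s, reasons))
    return findings


if __name__ == "__main__":
    for session, reasons in audit(parse_log(SESSION_LOG)):
        print(f"{session.when} {session.device} {session.ip}: " + "; ".join(reasons))
```

Run on the constructed log, the 22:10 login from the owner's phone passes, while the 03:08 authorization is flagged on all three counts. The point for a defender is that the owner did not need to read the SMS to notice: the session list alone carried enough evidence.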

Phone numbers for authentication

Most messaging apps and some 2-step authentication providers rely on phone numbers as an authentication factor. Why are so many services using identifiers that are assigned by mostly state-owned companies, that are subject to CALEA-like laws, and that are awfully insecure against nation-state adversaries (IMSI catchers, SS7)?

Using phone number identifiers is a significant usability and growth advantage. You can leverage the social graph that people already have on their phone. After signup, they can instantly see who uses the service.

It also spares service providers from having to store a buddy list unencrypted on their servers, since the social graph already lives in the phone’s address book.
(Note: Some applications like Telegram store a copy of your address book unencrypted on their servers, and so don’t make use of that property.)

But it also turns out that it’s really convenient to rely on someone else’s key management infrastructure, since usable authentication is a hard problem to solve. Most telcos have (insecure) processes to re-assign you your number when you lose your phone or when someone steals your SIM card keys. Those processes rely on providing some proof of identity. But that can be spoofed too. Last year, two investigative journalists at Novaya Gazeta were told that their SIM cards had been reissued by unknown people.

Those processes clearly fall short. Since we cannot rely solely on phone numbers to authenticate, Pavel Durov recommended that users in troubled countries enable 2-step authentication.

I believe that mitigation is a good first step, but insufficient, especially for people in troubled countries. An attacker might also suspect that a user has enabled 2-step authentication and therefore target some of his contacts to access the chat logs.

Such an attack is significantly mitigated, and deterred, by the adoption of end-to-end encryption. The detection of new devices can be cryptographically enforced, and previous message history is not accessible to an attacker capable of intercepting an SMS.

I think the lesson from this might be something like:

Always use end-to-end encryption. As the underlying authentication layer can be spoofed, verify fingerprints for important communications.
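What “cryptographically enforced” detection of a new device and “verify fingerprints” look like in practice, as an added example written for this article rather than code from Telegram or any other messenger: each party holds a long-term identity key, both compute the same fingerprint from the two public keys and compare it out of band, and the client pins the first key it sees for a contact. A device registered by someone who merely obtained the SMS code has a fresh identity key, so the pinned key no longer matches and the contact is shown as changed and unverified, with no access to history encrypted to the old key. The 32-byte key values below are constructed placeholders, not real public keys; a real client would use the public half of an identity key pair here.

```python
"""Fingerprint (safety-number style) computation and trust-on-first-use
pinning of contacts' identity keys, with change detection.

Added example for this article; not the code of Telegram or any messenger.
Key bytes are constructed placeholders standing in for identity public keys.
"""
import hashlib

# Constructed 32-byte "identity public keys" (not real key material).
ALICE_KEY = bytes.fromhex("11" * 32)
BOB_KEY_ORIGINAL = bytes.fromhex("22" * 32)
BOB_KEY_NEW_DEVICE = bytes.fromhex("33" * 32)  # what a freshly registered device would present


def fingerprint(key_a: bytes, key_b: bytes, groups: int = 12) -> str:
    """Order-independent fingerprint both parties can compute and read aloud.

    The keys are sorted so Alice and Bob derive the same string; each
    5-digit group comes from 4 bytes of a domain-separated SHA-512 digest.
    """
    first, second = sorted((key_a, key_b))
    digest = hashlib.sha512(b"fingerprint-v1" + first + second).digest()
    chunks = []
    for i in range(groups):
        n = int.from_bytes(digest[4 * i:4 * i + 4], "big") % 100000
        chunks.append(f"{n:05d}")
    return " ".join(chunks)


class ContactStore:
    """Pins the identity key first seen for each contact and refuses to
    silently replace it; a changed key clears the contact's verified state."""

    def __init__(self, own_key: bytes):
        self.own_key = own_key
        self.pinned = {}        # contact name -> pinned identity key
        self.verified = set()   # contacts whose fingerprint was checked out of band

    def observe(self, contact: str, key: bytes) -> str:
        """Record a key seen for a contact; returns 'pinned', 'unchanged' or 'changed'."""
        old = self.pinned.get(contact)
        if old is None:
            self.pinned[contact] = key
            return "pinned"
        if old == key:
            return "unchanged"
        # Key changed: keep the old pin, drop verification, let the user decide.
        self.verified.discard(contact)
        return "changed"

    def mark_verified(self, contact: str, spoken_fingerprint: str) -> bool:
        """Compare a fingerprint read out by the contact with the pinned key."""
        expected = fingerprint(self.own_key, self.pinned[contact])
        ok = spoken_fingerprint == expected
        if ok:
            self.verified.add(contact)
        return ok


def demo() -> list:
    """Walk through the scenario from the post; returns the sequence of events."""
    alice = ContactStore(ALICE_KEY)
    events = [alice.observe("bob", BOB_KEY_ORIGINAL)]
    events.append(alice.mark_verified("bob", fingerprint(BOB_KEY_ORIGINAL, ALICE_KEY)))
    # A new device on Bob's number shows up with a different identity key.
    events.append(alice.observe("bob", BOB_KEY_NEW_DEVICE))
    events.append("bob" in alice.verified)
    return events


if __name__ == "__main__":
    print(fingerprint(ALICE_KEY, BOB_KEY_ORIGINAL))
    print(demo())  # ['pinned', True, 'changed', False]
```

The design choice worth noting is that `observe` never overwrites a pin on its own: the warning is only useful if the user has to act on it, which is exactly the property an SMS-only login lacks.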

Frederic Jacobs

Frederic is a security researcher working on encrypted messaging, censorship resistance and blockchains.


33 Comments

  1. UKUKRMAN

    Big brother watches everyone in every country….but whereas you have to be a serious concern in most countries….in Russia you just have to be different from the sheep.

    • stranger

      Our Ukrainian friends dive like vultures at any fake or conspiracy in order to kick Russia just another time. : )

    • Kirill

      UKUKRMAN, that’s the point. I personally don’t see the tragedy in Snowden’s “revelations” given their limits and the US record of human rights, civil liberties, authorities’ accountability, lack of political repressions and low corruption. This is a necessary evil in the age of cyber warfare. (though government surveillance should be very cautious and accountable).

      However when I see a much much more massive and politically motivated mass surveillance practices and laws in Russia – that’s completely another story. Especially given who rules Russia, its unprecedented corruption and who uses such unaccountable, unconstitutional and excessive powers.

      • Researcher

        “US record of human rights, civil liberties, authorities’ accountability, lack of political repressions and low corruption. ”

        I’m… just… laughing. This was a joke, right? I won’t go into your own politics (which I can guess at), I only wanted to mention that if you believe these things are true you need to do more research. If you perceive these things to be the case it is likely only because the powers that be agree with your stance. Nothing more, and really nothing different.

        • Researcher

          (correction, they either agree with your stance or they do not believe you have the clout to matter enough if you don’t. Conceivably this may be different but you’d be erring in judgment if you thought for a minute that if you gained any clout you wouldn’t be having problems, whether you know about them or not, in other countries).

        • Kirill

          Well, there is no perfect country in the world obviously. However everything can be compared if there are criteria for comparison. In the same way as you can compare old cart and modern car if your criteria is speed. Yes I know, both of them have wheels but you will choose the car obviously.

          The same is with US and Russia. These two countries are completely different in any of the following criteria: nepotism, corruption, freedom of speech, free market, civil liberties, human rights, separation of powers. All these criteria can be compared and it’s laughable to even compare Russia and US on them. Russia is a joke in aforementioned issues.

          I don’t want to offend anyone by making conclusions why someone tries to put equal sign between US and Russia in these particular matters in which Russia was never strong. And I don’t want to say that US is better in any matter. There are other particular things to compare like job unemployment, birth rate, number of nukes, etc.

          I don’t know why to compare Russia with Western countries in matters it simply lacks?
          “Render unto Caesar”

          So no offense, I will not argue further on this matter.

          • Kirill

            stranger, you must be using faulty generalization here. Unlawful murder is just one particular case of violation of human rights. Moreover, as I understand, the numbers you provided include all murders including justified (correct me). And you even didn’t compare them with similar Russian numbers.

            Regarding comparing: countries are comparable. Just like apples. It’s an utter nonsense to justify bad human rights record via past history or dependence on oil. Not long time ago Germans were Nazis killing people on the large scale just in the same way as Soviets or Chinese did in their own countries. So why can’t we compare Germany and Russia today?

            Or the United States – they had slavery system in almost the same time frame as Russia had (both officially abolished in 1865 and 1861 respectively). Every country had bad human rights record.

            Moreover, like many countries, Russia has its international obligations on human rights today and its own constitution that protects human rights and civil liberties. But it still violates both its intl obligations and its own constitution for the sake of the ruling elite remaining in power. So there can be no excuse for violating human rights by a dictator and his cronies (not single cops) for the sake of remaining in power on a large scale (not single independent cases) in the 21st century.

          • stranger

            One of the reasons US cops don’t hesitate to use guns is the very old American tradition that weapons are allowed and very widespread. The same statistics show that at least 42 policemen were shot in the same 2015.
            Also the race related problems between blacks and whites are still there.
            I don’t want to give all examples, they are widely known.
            In Russia police definitely kills much less people. ‘Nepotism’ is probably much stronger, while in US all is based on the law and law enforcement.
            On the other hand, there is a saying in Russia that ‘strict laws have been always compensated by unnecessity to follow them’. The US approach in Russia would be subjectively perceived as much less personal freedoms perhaps.
            I’m just saying all countries have own specifics based on the history and own troubles.

          • stranger

            Let’s assume Putin is gone, Kasianov becomes the president, Khodorkovsky the prime minister. The powers are separated, there is absolute freedom in mass media, Russia announces a peaceful course and destroys all nuke weapons.
            Would Russia immediately become as wealthy as America? Hardly. There is a high probability that the country would collapse further as the USSR did, that the media would become an arena of fighting between oligarchs as it was in the 90s, that everything profitable such as the natural resource industry would be sold to international corporations for pennies, that the war in Chechnya would reignite, etc.
            Current opposition in Russia is weak not only because it is oppressed by the government, but it is also not popular since it cannot provide any vision or any reasonable plan for development. See also the latest opposition meeting in Vilnius with Kasparov, Kokh, Illarionov and all the color of Russian opposition in emigration, and what did they propose for Russia.
            See also the Khodorkovsky’s former colleagues’ attempt to sue Russia for 50bil, so that every citizen of Russia including babies and grands owes his friends $300 each. The court in The Hague recently canceled this decision but they continue fighting in hundreds of courts over the world.
            What way do you propose?

          • Researcher

            stranger – very well put.

            Having had the experience (pleasure?) of living both in former CIS and the United States (among other parts of the world) I myself think that what flies in the US and what flies in Russia, for instance, is very different; I don’t believe that most people get to experience this first-hand so it’s understandable that people in each country cannot generally understand the various differences, subtle and in-ones-face, that exist. Your point about freedom and how one chooses to respond to certain types of laws (and I’d add various other day to day things) is particularly, IMHO, spot-on.

            Kirill – actually I’d choose the horse and buggy if the infrastructure still existed to be able to use it. They’re cheaper, more environmentally friendly, and easier to maintain unless you’re planning on crossing a country — or traversing Siberia. 😉 Either way, no offense taken.

            At least you’re not asserting they should be compared as though they are the same (IMHO people have FAR more respect for other individuals in former CIS for instance), or that one country or the other is unequivocally ‘better’. That said I disagree with quite a bit of what you believe is ‘better’ in the US compared to Russia and I don’t think it’s always apples vs oranges. For instance in all of the time I lived nearer to you, I saw only 2 black people, no hispanics. In years. It’s hard to discuss matters of racial prejudice in that context. We both know it exists somewhat there, but how much of that is purely due to lack of exposure? That’s obviously not why it exists in the US. I could go on but you get my gist.

            To get back to the topic of the original post, and intertwine it with the topic of this thread, the US seems to want to surveil and control the communications of EVERYBODY in the world — and does so. Even if Russia wants to, she couldn’t due to how those communications systems work. And I’ve personally never gotten the impression that Putin wants to surveil every person in the entire world, anyway (correct me if I’m wrong). I think that’s a major difference that needs to be factored into the conversation at hand.

            US *definitely* has historically violated human rights to keep or put who it wants in power *all around the world*, not just in the US. It’s not alone in this. Something to consider as you seem to be making an argument that Russia violates its constitution for the sake of the ruling elite. Oligarchy is hardly exclusively Russia’s. The rich and powerful do this *everywhere* even (and maybe especially) in smaller, poorer countries. Calling Russia out for this is basically pointless.

            I still dare you to find an instance where the *American* security services let someone know they were accessing someone’s communications almost immediately and why (if ever).

  2. Kirill

    Excellent example of dumb but effective hijacking of a user account. Works extremely efficiently in troubled countries where mobile operators are under strict government control. And allows the government to break into user accounts on foreign Internet services which are not under its control.

    You simply can’t rely on your phone as proof-of-identity. On SMS, to be precise: there is a better way to use phone as proof-of-identity. Is to use mobile application-based verification process rather than SMS-based. For example, Google’s device verification process using confirmation code sent to Android device without relying on SMS.

    If SMS is still a proof-of-identity for some reason, there is a good advice to those from troubled countries, in particular from Russia: DO NOT use Russia issued phone numbers on Internet services. It is still possible to order a foreign operator SIM card via Internet. And keep your number ABSOLUTELY private. With a foreign SIM and a non-disclosed phone number it would be harder to:
    (1) identify your phone number in first place (if you or the Internet service doesn’t provide it to anyone of course),
    (2) disable your SMS services to (not sure if it’s true while you are in roaming in bad country)
    (3) get access into your incoming SMS (not sure if it’s true while you are in roaming in bad country)
    If (1) is true (2) and (3) really don’t matter. Correct me if I’m wrong.

    • Researcher

      You wrote: “It is still possible to order foreign operator SIM card via Internet.”

      But this has no mitigating abilities and if anything it stands out more. Any time a SIM is in roaming mode it just uses a domestic service to handle the calls (and sticks out even more). And that’s not even mentioning the differing rules on civil liberties based on whether you’re considered foreign or domestic.

      The only way to correct these sorts of problems is to overhaul the laws that allow this level of intrusiveness to exist — on anyone and everyone, individually and in bulk — and not by trying to skirt around them because quite frankly it’s impossible to do so at this stage; there’s always a way around it for any country to use given sufficient technical sophistication (which is pretty cheap nowadays).

      • Kirill

        The advantage of using SIM (or virtual number) from the operator in other country is that domestic authorities will not identify your phone number in the first place. Without identifying your phone number they will not be able to sniff your SMS in roaming or disable SMS service on your phone like it’s described in this article. Provided, of course, that neither you nor Internet service will disclose your phone number so it can be used by authorities.

        On the contrary, domestic phone number is issued by local mobile operator which shares your personal details with local authorities allowing them to identify your phone number even if you didn’t disclose it anywhere. Local authorities are able to identify every domestic phone number you have.

        Given that it’s possible that Internet service will disclose your phone number to authorities I wrote that it is “much harder” to perform such attack as described in the article, not “impossible”. However if Internet service voluntarily discloses your personal information, there is no need for such SMS-based attack on your private data.

        • Researcher

          If it worked that way then I’d agree with you but it doesn’t work that way (in Russia or any other country). While it’s *possible* they may not know it belongs to a Russian citizen, at least initially, generally speaking I wouldn’t count on it. And if they thought it didn’t you’d still be subject to the laws of Russia and its security services, probably under a closer microscope than if they believed you were — especially if your call patterns led them to be suspicious (true for not only Russia, here, btw).

          That said if it were something you wanted to pursue, you *might* be better — for a short time — with a SIM from a country that makes use of internal passports. But that’s only to deal with the specific thing you mentioned. You’re still going to have the problems I mentioned though — and those SIMs are STILL going to stick out like you wouldn’t believe, especially if you aren’t in, say, Moscow or St. Petersburg. Regardless your telemetry is CONSTANTLY recorded and if you keep that phone on for any period of time when you’re at home they’re just going to know who you are and where you live anyway. And think it’s odd if you’re a Russian who doesn’t regularly travel or do business in the country for which that SIM is registered. And regardless of THAT they can still very easily do the same things as long as it’s using the same network. And unless you’re replacing your phone repeatedly, you’ll just give yourself away with the IMEI/IMSI anyway.

          Without getting into any details or encouraging skirting the police, there are other ways to gain some anonymity. Starting with, probably, not using mobile in the first place.

  3. stranger

    Most probable theory is that Kozlovsky invents scary fairytales because otherwise nobody would notice him while Bellingcat started to promote Russian opposition ‘activists’.

  4. Researcher

    One should bear in mind that it’s not just ‘troubled countries’ where this happens. Unless one knows that every country is technically a ‘troubled country’, just about, or can be manipulated by one.

    I’m not sure I’d consider Russia any more of a troubled country than any of the countries that the US, UK, Australia, Germany, etc, has a foothold in. And I think it’s disingenuous to suggest otherwise. Actually in most of the countries you’ve mentioned it’s merely more noticeable.

    Which isn’t to say SORM isn’t a civil liberties issue. I just think it’s a mistake to point solely at Russia. Actually, in the US and Western Europe people would NOT be given the ‘luxury’ of even knowing about it happening, and they certainly wouldn’t be told it had to do with their security services.

    Sorry. Just needed to point this out.

  5. Researcher

    For what it’s worth, if you want privacy, and you have a nation-state adversary problem — OR ANY adversary problem — the WORST thing you can do is use any sort of application that uses your phone number as an identifier (or stores anything server side but honestly if you’re using the phone you’ve already ‘lost’).

  6. droopy

    Apart from this, telegram is buggy to multiple attacks. Plenty of bugs and exploits I have of telegram. If 2 devices are on the same credentials, the fastest will reply.

    More than 50 exploits of telegram I have and sold them to governments

  7. stranger

    There are several ways to intercept somebody’s SMS. If everything that Kozlovskiy is saying is true, it is also a question who was interested to hack his Telegram. The opposition is preparing primaries (or something is going on… i’m not sure what it is exactly) before the parliament elections this autumn. Recently some kompromat was published on one of the top opposition leaders Kasyanov, for example. That all might be an internal fighting inside opposition or FSB is trying to discredit them, or more probably some youth pro-government organizations, or it is all together.

    In case the plotter has an access to the victim’s phone, if it was somebody from their circle, it may be easier. There is Trojan malware which can be installed to the phone. There is also a special MTC service called ‘SMS Pro’ to read online, redirect, copy to another number or completely reroute SMS messages. The service may be turned on/off from the phone or the MTC online account. The MTC online account might be hacked. Also the MTC help desk is usually asking only the mother’s maiden name or sometimes passport info to identify a caller and turn on/off any services on his/her behalf.

    The ways which don’t require access to the phone include: A Special Services, FSB request, as assumed in the article, i may be wrong, but it should be provided technically by the equipment of the service operator itself and FSB can only request them to disclose or watch somebody and may need to provide some reason for that…

  8. stranger

    …That is also very possible to find an employee of MTC who has an access to user’s SMS log internally. In contrast to sound records, all SMS are stored in the database, and are accessible by the MTC web site and other external clients, they are comparably easy to access. Employees might be able to see them, though it is risky because employees may be audited when entering the system and trying to get access to other’s SMS. But there are also system developers and administrators. As far as I know the MTC billing system is domestic, if they have not yet changed it, with possibly security flaws. So it is possible to find friends of friends of friends, or somebody for a fee, who develops and supports this system or employees of MTC who serve the users requests. There are actually tons of ads on the Internet – ‘will get SMS for any number for a fee’ – with most of them probably fraud, but some may be able to do what they promise.

    Provided that it all was exactly as Kozlovskiy described.

    MTC officially answered they didn’t turn off SMS of the oppositioners intentionally, but didn’t exclude a ‘virus attack or an access via web interface’. If it was an internal employee or a hack they would have hardly admitted that publicly. If FSB i don’t know.

    So the only way to hide, as was said, is probably to register a phone to another person and tell nobody your phone number, use it only for SMS authentication at websites and don’t call anybody.

    But comparing Russia with Iran and calling it a troubled country based only on that case may be childish at best. Will keep an eye anyway, may be something will follow.

    http://detektiv-arbat.ru/detective-story/kak-prochitat-detalizatsiyu-teksta-chuzhikh-sms

  9. skeptic

    I am afraid that what you see in Russia may happen in United States. I mean, in Russia you see an experiment, and if it succeeds….
