If you’ve had the need to send secure, private messages in recent times, you might have considered using Telegram. However, using such a service means that, if discovered, it’s well known what manner of encryption you’re using, and there’s a third party involved to boot. [Labunsky] walked a different path, and built a covert channel within Telegram itself.
[Labunsky] likens the process to one used in the film Seventeen Moments of Spring, in which a flower placed in an apartment window indicates that a spy has failed their mission. In this case, instead of a flower in a window, one user blocks another to signal them. By switching the blocked status on and off, messages can be sent, albeit in a slow and convoluted way.
It’s more of a proof of concept than a practical way to message people over Telegram. With that said, it does work, and it might just keep the security services monitoring your chats confused for a few extra weeks. Or, it would, if we hadn’t written an article about it. Perhaps consider using zero-width characters instead.
Funny enough, that might backfire if the block information is logged or otherwise unprotected the way the messages are supposed to be.
I’m having a hard time understanding how this is better than normal cryptography.
The fact both users are connecting to the API and regularly exchanging data with the server means they are both using the service somehow. With traffic encrypted over the usual HTTPS, that’s all someone without access to the server would see even if both users were just chatting through the usual messaging mechanism.
This would most likely fare more poorly than average against statistical analysis of the still-encrypted HTTPS transactions. The synchronized nature of the API calls makes it easy to match sender and recipient and know when a message is sent. The length of the message (with single bit precision) is leaked by the number of API calls involved. And if blocking vs. unblocking users involves transactions with consistently different sizes or latencies, the data itself is exposed too.
To those with access to the server, the users’ periodic synchronized blocking and unblocking would show up like a sore thumb on analytics. It might even be possible to pull the actual bits right out of the global analytics data. If not, a simple log of the users’ API usage would reveal the data easily.
Also, even if normal messages sent between users are handled securely, it’s much less likely blocked status flags are as well protected. The system was most likely not designed under the assumption those flags would contain particularly confidential information.
On top of all this, if the raw data bits eventually are extracted by any of the means above, you have minimally encoded cleartext. There’s no actual encryption even present.
My recommendation is to use tried-and-true algorithms to do end-to-end encryption, so not even the service provider knows your data, let alone anyone in between. There’s a reason certain security paradigms are more common than others. It’s because they’re the ones that have been well-demonstrated to work.
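The comment above argues that the block/unblock toggling would stand out to anyone holding the server-side audit log, and that the number of API calls leaks the message length in bits. The following is an added example, not code from the article or from [Labunsky]'s project: a small detector that reads a constructed log of block/unblock events (the log format, user names and timestamps are all assumptions) and flags any user pair whose block state flips rapidly within a short window, reporting the flip count and the median interval.

```python
"""Flag rapid block/unblock toggling between user pairs in an audit log.

Constructed example: the log format (ISO timestamp, actor, action, target)
and the user names are assumptions, not Telegram's real log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample log. alice<->bob flips every 5 s (a toggling
# pattern); carol, erin and bob's single actions are ordinary behaviour.
SAMPLE_LOG = """\
2024-01-01T10:00:00 alice block bob
2024-01-01T10:00:05 alice unblock bob
2024-01-01T10:00:10 alice block bob
2024-01-01T10:00:15 alice unblock bob
2024-01-01T10:00:20 alice block bob
2024-01-01T10:00:25 alice unblock bob
2024-01-01T10:00:30 alice block bob
2024-01-01T10:00:35 alice unblock bob
2024-01-01T10:01:00 carol block dave
2024-01-01T12:00:00 erin block frank
2024-01-03T09:30:00 erin unblock frank
2024-01-01T10:00:02 bob block alice
2024-01-01T10:00:07 bob unblock alice
"""


def parse_log(text):
    """Parse log lines into (timestamp, actor, action, target), sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, actor, action, target = line.split()
        if action not in ("block", "unblock"):
            raise ValueError(f"unexpected action: {action}")
        events.append((datetime.fromisoformat(ts), actor, action, target))
    events.sort()
    return events


def toggle_runs(events, window=timedelta(seconds=30)):
    """Per (actor, target) pair, count state flips that follow the previous
    event within `window`. Returns {pair: (flips, median_gap_seconds)}.
    Each counted flip is one API call, i.e. one potential channel bit."""
    by_pair = defaultdict(list)
    for ts, actor, action, target in events:
        by_pair[(actor, target)].append((ts, action))
    result = {}
    for pair, seq in by_pair.items():
        flips, gaps = 0, []
        for (t_prev, a_prev), (t_cur, a_cur) in zip(seq, seq[1:]):
            gap = t_cur - t_prev
            if a_cur != a_prev and gap <= window:
                flips += 1
                gaps.append(gap.total_seconds())
        result[pair] = (flips, median(gaps) if gaps else None)
    return result


def flag_pairs(events, min_flips=4, window=timedelta(seconds=30)):
    """Return only the pairs whose rapid flip count reaches the threshold."""
    return {pair: stats for pair, stats in toggle_runs(events, window).items()
            if stats[0] >= min_flips}


if __name__ == "__main__":
    for (actor, target), (flips, gap) in flag_pairs(parse_log(SAMPLE_LOG)).items():
        print(f"{actor} -> {target}: {flips} rapid flips, median gap {gap}s")
```

The threshold and window are deliberately crude; the point is that a pair flipping block state every few seconds is separable from ordinary moderation behaviour with nothing more than a group-by, and that the flip count itself is the message length the comment says is leaked. Checking whether the reverse pair (target, actor) shows the same pattern in the same window would cover the "synchronized" signal mentioned above.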
wow! i mean bravo on the effort, but it seems like you would have just as secure communication with PGP over email or just using a one time pad.
… you do realize that the point of the exercise was basically stenography, not encryption? It’s hiding that there WAS communication, not the contents.
nope, i didn’t… lol that’s what i get for posting before my first cup of coffee.
Given that telegram is supposed to be a secure third party communications channel, isn't this worse? It doesn't remove the ability of the third party to know that you are communicating (rapid blocking and unblocking should stand out in the api data). It does seem to be able to add the ability for the user to choose a different encryption algorithm, but that is possible in any messaging algorithm by encrypting the message before you enter it into the application.
steganography
The joy of typos and un-editable comments. Thanks for the correction!
Don’t feel bad. I do the same.
This sort of thing goes way, way back. In the era of very expensive long distance calls, a person-to-person call (placed through a (human) operator) could be made to signal certain things at no cost by the basis for declining the call (“He can’t come to the phone” meaning the person is here safely, “He hasn’t shown up today” meaning the person has not yet arrived, etc.). These were occasionally used by friends in college who had to go home to more rural areas.
Even longer than that. The name is Greek and from Herodotus: Histaeus wanted to send a message to Aristagorus, urging revolt against the Persians. Histaeus shaved the head of a slave, then tattooed a message on the slave’s scalp. After the hair grew back, the slave was sent to Aristagorus. The Chinese would write on silk and then put the silk in a wax ball that the messenger swallowed. Decryption was a messy business. Not quite invisible ink, but another trick recorded by Herodotus was Demeratus warning of a Persian invasion. Apparently, they wrote on wax tablets with wood backers. The message was written on the wood and then fresh wax applied so it looked like a blank slate until you removed the wax.
One of my favorites: https://people.apache.org/~jim/NewArchitect/webtech/2001/08/java/index.html
Ah, can’t wait for telepathy to be discovered.
So, “Telegram” not “telegram”. I may be the only one who’s never heard of the Telegram Messenger: https://telegram.org/
(assuming that is what we’re talking about here)
I read somewhere that the Russian government has tried to block Telegram numerous times, and in so doing has succeeded in blocking innocent websites, banks, even its own website, but not Telegram.
Stiritz jokes anyone? ;)
I’ve never heard of
“17 Moments of Spring”
is it worth finding/watching it?
No – but Stirlitz jokes are worth listening to ;)