Regardless of the fact that the messenger designed by Pavel Durov was launched long after its main competitors such as WhatsApp and Viber, it didn’t take it long to acquire the reputation of one of the most secure services. Telegram encryption based on the service’s MTProto protocol made it possible to create an app keeping your messages safe from hacking, thus making the given messenger popular all over the globe.
The security of virtual communication is determined by the Electronic Frontier Foundation (EFF) rating. It provides a regularly updated table where each service is rated from 1 to 7 depending on the level of data security from potential hacking.
Telegram secret chats using end-to-end encryption (E2E) have the maximum score equal to 7, and the one of standard default conversation is equal to 4. As far as standard chats leave traces on the company’s servers, they are considered to be potentially available for third parties snooping.
Until quite recently, WhatsApp and Viber messengers weren’t high in EFF rating – to be more exact, their rates were equal to nothing more than 2 scores. It was the competitive influence of Telegram that made these companies review their security policy. In this regard, it was decided to implement the end-to-end encryption principle, which have become a default one since 2016 and allowed getting 6 points according to EFF. Its essence consists in storing the keys required for message encryption using only one device. In such a way, you need to have physical access to a smartphone to get to information.
The question arises: if this service founded by Pavel Durov holds itself as the most secure messenger, why not just make all chats secret as default which will contribute to establishing a lead in EFF rating? The point is that E2E encryption has some flaw – the secret conversation is available only on a particular device, so its history is stored only on one device as well. It is the company’s policy to keep options open for the users, as a default mode allows you to assess your account from any device.
The MTProto protocol uses two encryption layers which are server-server and client-server ones. Its operation is based on the following algorithms:
As opposed to the Double Ratchet protocol, which is used by WhatsApp and has already managed to obtain approval of the well-known information security experts, the developers of MTProto are in no haste to make their product available for independent audit. On the one hand, it makes the algorithm hackable, but on the other hand, no successful action resulted in message decryption has been currently registered.
The messenger’s founders declare a security guarantee regarding encrypted data transmission. In order to confirm his words, Pavel Durov occasionally holds contests where the competitors are offered to decrypt a conversation between two parties. Prize money is $200,000 but no hacker has still managed to read the encrypted messages. It is fair to say that many experts are skeptical enough about such contests, considering them to be rather a publicity stunt than a real evidence of system security.
Even if to lay it down as an axiom that MTProto actually has the best security parameters among the modern messengers, the intruders are still able to break a userʼs account. At the same time, the protocol itself has nothing to do with this problem.
The security vulnerability lies in the user authorization technique. The given procedure is carried out using a real telephone number where a login verification code is sent via text message. This data transfer technique is based on the SS7 (Signaling System #7) technology, which was being developed 40 years ago and has weak security parameters by today’s standards. In theory, the intruders may be able to intercept an SMS code and break an account. When Telegram is in a standard mode, all messages are stored on its servers, so hackers may get access to the whole conversation of a particular user.
Secret chats are the key to a problem. In case of their usage, a conversation can be read only providing real telephone theft, as all messages are not stored on the server but transmitted only between two devices.