WhatsApp-rival Telegram prone to hacking via voicemail backdoor

While telegram has rightly earned its reputation for upholding the right to privacy of its users, recent reports have emerged that it is definitely not safe from targeted hacking. Four people were arrested last week on suspicion of hacking into over 1,000 Telegram accounts, including Brazil President Jair Bolsonaro and ministers Sergio Moro and Paulo Guedes, reports have emerged. The four allegedly used a lesser-known hacking trick to access their target’s Telegram accounts from their phones.

The report published in Naked Security by Sophos says that Telegram is susceptible to account takeover and reset attacks by hackers who are pretending to be that person and get a new SIM with their target’s phone number. The final step is after that is to download Telegram and make use of the SMS verification system to take over the user’s account.

However, Naked Security by Sophos says there is another way the hacking took place – voicemail. This is the reason that many could not protect their accounts as they really did not see Voicemail being exploited since Voicemail is not even part of the Telegram service.

30-year-old Walter Delgatti Neto who is one of the arrested accused reportedly testified that they used voicemail to get those verification messages. Gaining entry to voicemail is relatively easier as many users forget to set four-digit codes and users who do set those codes can be undone by miscreants with all the tools at their disposal if they so wish. While voicemail have processes in place to check if the number of accessing call is of their subscriber, those numbers are easier to be “spoofed” if the hacker knows the right number.

So, the hacker who has been able to gain access to voicemail, they can also gain access to verification messages of Telegram as they are sent to voicemail if the attacker’s victim is on a call or is not able to answer thrice in a row.

As per a presentation at 2018 DEFCON, Telegram is not the sole security service which might be vulnerable to this risk. Any service that lets SMS verification to be delivered via voice is at risk.

How to protect oneself from such attacks?

Seeing the vulnerability, Telegram has recently updated to stop such attacks. Users will now be able to request a login code through a call only if they have enabled the two-step verification that requires a password and code.

Naked Security by Sophos, in its report, advises users that whichever messaging service they use, they should turn on two-step verification or two-factor if it is available. Besides, if the user happens to be a voicemail user, they shoudl make sure that it is protected with a PIN which is randomly generated.