Telegram is one of the most popular chat applications in Iran, boasting tens of millions of accounts, but those users may not be as secure as they think. According to researchers Collin Anderson and Claudio Guarnieri, who spoke first to Reuters, dozens of those users have been compromised by an SMS redirection hack. Once performed, the redirection gives attackers full access to a given Telegram account, including its archived messages and contact lists.
The attack targets Telegram’s account security rather than the encryption that protects messages between accounts. When a user adds a new device to their Telegram account, the new device is confirmed through a one-time SMS code. If that SMS is intercepted by an attacker, the account can be cloned to a hostile device, although end-to-end encrypted chats will not be accessible on the new device. Telegram users have the option of adding an additional password to the login process, but it’s rare for a user to do so. As a result, anyone who controls a phone carrier’s network can effectively clone most Telegram accounts.
In Iran, that power has apparently been used to devastating effect. Activists, journalists, and civil society groups have all been targeted, the researchers said, with the apparent cooperation of the state-controlled telecoms.
While the researchers stopped short of attributing the attacks to the Iranian government, many of the targets seem to have also been targets of national law enforcement. "We see instances in which people ... are targeted prior to their arrest," Anderson told Reuters. "We see a continuous alignment across these actions."
Update 12:35PM ET: Updated to clarify that end-to-end encrypted Telegram chats are not accessible across devices.