Habr User Found Out How to Hack Telegram Passport

The vulnerability allows users' personal data to be stolen
01 August 2018

A user of Habr, one of the largest Russian-language IT media outlets, who goes by the nickname Scratch has found a vulnerability in Telegram Passport, an ID service from the developers of the popular messenger. The vulnerability allows users' personal data to be stolen. It stems from the encryption algorithms the service uses. This was reported by Security Lab.

As reported, the encryption in Telegram Passport is not end-to-end in the usual sense but relies on a specially developed algorithm. The encrypted personal data, an almost random cryptographic key, and a hash of the personal data mixed with random bytes are transmitted to the cloud storage. Scratch says this information is enough to conduct a successful brute-force attack and steal the personal data of the service's users.

This is by no means "random noise"; it has everything necessary, including an encryption key protected by a password. And it allows you to get to user data much, much faster than sorting out all possible combinations of AES keys (2 ^ 256). Also, such mechanisms invented by the authors of Telegram as a validation of the key with the help of the sum of bytes, the involvement of the data itself in the formation of the key of their own encryption and the data hash instead of HMAC are also highly questioned.

Scratch

User, Habr

The developer described in detail all the algorithms the service uses for encryption and outlined an approximate plan for a brute-force attack on the service. He also cited several services that use "real" end-to-end encryption, among them the messengers Signal and WhatsApp.

The security expert also noted that the speed of the attack depends on the length of the user's password. As protection, he suggested choosing a complex password longer than 8 characters, which, in his opinion, very few users do.
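The point about password length can be made concrete with a hardened key-wrapping sketch. This is an added example, not code from Scratch's write-up or from Telegram: it wraps a random 256-bit data key under a password and estimates how many bits of offline guessing work actually protect it. PBKDF2-HMAC-SHA512, the iteration count, the blob layout and the XOR mask (standing in for AES so the example needs only the standard library) are all assumptions.

```python
import hashlib
import hmac
import math
import os

ITERATIONS = 200_000  # assumed PBKDF2 work factor, not a value from the page


def _derive(password, salt, iterations):
    # One 64-byte PBKDF2 block: 32-byte mask for the data key + 32-byte MAC key.
    okm = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations, dklen=64)
    return okm[:32], okm[32:]


def wrap_key(data_key, password, iterations=ITERATIONS):
    """Return salt(16) || masked key(32) || HMAC-SHA256 tag(32)."""
    if len(data_key) != 32:
        raise ValueError("data key must be 32 bytes")
    salt = os.urandom(16)  # fresh salt, so the mask is never reused
    mask, mac_key = _derive(password, salt, iterations)
    masked = bytes(a ^ b for a, b in zip(data_key, mask))
    tag = hmac.new(mac_key, salt + masked, hashlib.sha256).digest()
    return salt + masked + tag


def unwrap_key(blob, password, iterations=ITERATIONS):
    """Return the data key, or None if the password or blob is wrong."""
    if len(blob) != 80:
        return None
    salt, masked, tag = blob[:16], blob[16:48], blob[48:]
    mask, mac_key = _derive(password, salt, iterations)
    expected = hmac.new(mac_key, salt + masked, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(masked, mask))


def effective_bits(pw_len, alphabet, iterations=1, key_bits=256):
    """log2 of offline guessing work (KDF iterations), capped at the key size."""
    return min(key_bits, pw_len * math.log2(alphabet) + math.log2(iterations))


if __name__ == "__main__":
    blob = wrap_key(os.urandom(32), "constructed sample password")
    print("wrapped blob:", len(blob), "bytes")
    for n, a in [(8, 26), (8, 95), (12, 95), (20, 95)]:
        print(f"len={n:2d} alphabet={a:2d}: fast hash {effective_bits(n, a):5.1f} bits, "
              f"PBKDF2 x{ITERATIONS} {effective_bits(n, a, ITERATIONS):5.1f} bits, AES key 256")
```

Any password-wrapped blob held by a server lets its holder test guesses offline, so the protection is bounded by password entropy plus KDF cost, never by the 256-bit key size. The keyed tag only ensures that the check reveals nothing beyond whether the guess was right.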

Telegram Passport, a tool for fast authentication and storage of user data, was officially released on July 26, 2018. Its security policy has already been criticized by Anton Rosenberg, a former colleague of Telegram's creator, Pavel Durov.

Huawei May Use Russian OS Instead of Android

Due to US sanctions, the popular smartphone manufacturer is negotiating the use of a Russian OS called Aurora, which is based on Sailfish OS
11 June 2019

The Bell has received information from several unnamed sources about the discussion of the possibility of using the proprietary mobile operating system Aurora on some types of Huawei devices.

The move toward Aurora has so far been limited to discussing the possibility of using this OS; no plans have been presented. The discussion was attended by the Minister of Digital Development and Communications, Konstantin Noskov, and the Executive Director of Huawei. The meeting also raised the issue of jointly producing chips and software in Russia. Rostelecom did not confirm the information but expressed willingness to cooperate.

Huawei declined to comment on the published information. At the same time, the company is developing its own mobile platform, Hongmeng OS (Arc OS), which provides compatibility with Android applications. The first release of Hongmeng OS is scheduled for the fourth quarter of this year. Two options will be offered: one for China and one for the global smartphone market. It is alleged that Hongmeng OS has been in development since 2012 and was ready by the beginning of 2018, but was not delivered because Android was used as the main platform and because of the partnership with Google.

There is evidence that the first batch of 1 million Hongmeng OS-based smartphones has already been distributed for testing in China. Technical details have not been disclosed yet, and it is not clear whether the platform is built on Android code or only includes a compatibility layer. Huawei has long been delivering its own Android edition, EMUI, and it is possible that it is the basis of Hongmeng OS.

Huawei's interest in alternative mobile systems is driven by restrictive measures introduced by the US Department of Commerce, which will restrict Huawei's access to Android services falling under a commercial agreement with Google, and by the break in commercial relations with ARM.

Sailfish is a partly proprietary mobile operating system: its system environment is open, but the user shell, the basic mobile applications, the QML components for building the Silica graphical interface, the layer for launching Android applications, the smart text input engine and the data synchronization system are closed. The open system environment is built on Mer (a fork of MeeGo), which since April has been developed as an integral part of Sailfish, and on packages from Nemo, a Mer-based distribution. On top of the Mer system components runs a graphics stack based on Wayland and the Qt5 library.