Hackers obtained the mobile phone numbers of 15 million Iranian users of the Telegram encrypted messaging app, and hacked the accounts of more than a dozen of them, security researchers say.
The accounts were hacked through interception of SMS confirmation codes sent to the associated phone numbers, security researchers Claudio Guarnieri and Collin Anderson told Reuters.
The revelations show once again how use of encryption can pit technology companies against governments. Telegram founder Pavel Durov has in the past sided with Apple CEO Tim Cook against the FBI on the question of whether governments should have access to the contents of smartphones.
In this latest case it was a cyberespionage group said to have links with the Iranian government, Rocket Kitten, which identified 15 million Iranian users of Telegram.
The group did not leak the numbers, Anderson said. He and fellow security researcher Guarneri found the numbers on the Rocket Kitten servers, he said via Twitter.
The two plan to say more about these hacks, and many others directed at Iranians, in a presentation at the Black Hat security conference in Las Vegas on Thursday.
Telegram acknowledged the attacks on its service in a blog post, but played down their significance. "Certain people" had used its public APIs to check whether Iranian phone numbers were used for its service, and had ascertained this for 15 million accounts, the company said, but the content of the accounts could not be accessed through the API.
Information about which phone numbers are associated with accounts has to be public, otherwise users cannot find and message their friends through the service, the company said on its blog.
Checking phone numbers on such a large scale is no longer possible, though, as within the last year the company has placed limits on such use of its API, it said.
The company is aware that Telegram accounts can be hacked by intercepting SMS confirmation codes, but "this is hardly a new threat," it said. Last year it introduced an optional two-factor verification function combining SMS codes and passwords, and has been encouraging users in certain countries to turn this on if they think that their mobile carrier is intercepting their SMS codes.
"If you do that, there's nothing an attacker can do," the company said.
Anderson welcomed Telegram's API changes, but called for it to publish its security advice in the Farsi language to ensure more Iranian users were aware of the need to use two-factor verification.
If you are in Iran and use the mobile app, there are significant risks from government cooperation with telcos, he said via Twitter.
But combining SMS authentication with passwords is not enough to satisfy everyone. The U.S. National Institute of Standards and Technology is considering dropping SMS from its recommendations as a second authentication factor for securing government IT and communication systems. Last week it began circulating a draft guideline to that effect for public comment.