We can trust Telegram more, but a scandal in Brazil proves it is wrong | Technology

According to EL PAÍS chronicle, One of the great disagreements in the investiture negotiation was by the messaging app used by each party: "You live a surreal moment of the hour, stress and a certain generational leap. We can live on Telegram. Bald on WhatsApp, as almost the whole PSOE, "says the text.

The secretary general of Podemos, Pablo Echenique, barely uses WhatsApp and it took a while to see a message, which caused the last break. As it seems that there is no government, among other things, because of an app, it is time to warn Podemos that Telegram is not miraculous either. Looking forward to the next negotiations, same help.

From its beginnings, Podemos opted for Telegram. The founding of the party and the purchase of WhatsApp by Facebook coincided in early 2014. Then Facebook did not have the bad reputation of now, but Telegram was born in August 2013 and came with the seal of being safer. As it also gave the option of subscribe to channels, It seemed to fit better with Podemos.

For a few months, Spanish politicians have been appearing in Signal

The perception of security of messaging applications varies. For a few months, Spanish politicians have been appearing in Signal, the latest fashion in encryption. Telegram and Signal allow you to see who from your contact list is registered in the application. A journalist with a full agenda of politicians can see how members of all parties appear in Signal, with the apparent hope that nothing will seep there. (Notice: everything can happen.)

The last scandal in Brazil It is proof that messaging apps are as hackable as their weakest link. Judge Sergio Moro sent advice by Telegram to prosecutors of the Lava Jato case to better prop up the case against former president Lula da Silva. The judges must stay out of that process. The Car Wash case prevented Lula from continuing in the last election race, which automatically made current president Jair Bolsonaro a favorite. Once in the presidency, Bolsonaro appointed Judge Moro Minister of Justice.

The Snowden case journalist

A leak to Glenn Greenwald, the journalist who published Edward Snowden's exclusive in the Guardian and that he lives in Brazil, he allowed The Intercept digital media to take out in June a series of reports with the messages and the alleged corruption of Moro.

Last week the Brazilian police arrested four suspects of the hacking, three men and one woman. In your statement, The main defendant, Walter Delgatti Neto, explains how he progressively accessed hundreds of messages on the senior Telegram.

The goal is that the code that will give Telegram access on another device ends up in the voicemail

He started with a local prosecutor who had put him in jail for drug trafficking. The hacking method is relatively simple. After getting the prosecutor's phone number, he entered Telegram and asked me to send him a code to open his messages in the web version. Telegram allows that code to be sent with a call and an audio message to the number provided. The hacker then floods the interceptor's phone with calls and the code ends in the voicemail. Another option is to look in your public agenda or on Twitter when the target says it is about to fly (and will therefore have the airplane mode connected) to launch the operation.

The goal is that the code that will give Telegram access on another device ends up in the voicemail. Then, it's time to hack the voicemail. "The security of a system as robust as Telegram with its point-to-point encryption is as strong as your voicemail pin," explains Martín Vigo, security researcher and founder of Triskel Security. "The messaging applications' hole is not in the voicemail as such, rather it is allowing a sensitive action (such as migrating your account to a new device) to be carried out through an insecure line such as a phone call, "he adds.

According to Delgatti, what he did was to get the ID of the intercepted phone and impersonate it. IP calling technologies allow you to falsify that identifier. It is a common scam method. Once that was done, Delgatti was posing as the prosecutor's number and calling himself. "Certain operators do not ask for the voicemail pin if one calls themselves. It is assumed that the user himself who is trying to access the voicemail and is given access directly. The problem is that they impersonate a user identifier. Calling is very simple and online services offer it to you without the need for any technical capacity, "says Vigo.

Neither pin nor anything

But even if there was a pin, Vigo is a specialist in finding out that figure with a few attempts. In a public presentation What he did with WhatsApp, Vigo showed that even with a password or even when the answering machine asks us to press a key - as Paypal does - it is technically possible to circumvent it.

Telegram, WhatsApp and Signal have a hole that does not depend on their encryption

Once inside the local prosecutor's Telegram, Delgatti saw that there were numbers of more renowned figures. With the same method, he climbed until he reached the minister. There he saw that there was a good political mess and decided to pass the messages to Greenwald, always according to his version.

There are reasonable doubts on whether this version is accurate because the federal police suspect that there are about a thousand people who have been victims of hacking, and Delgatti says that all this has been done in a few months this year. It is difficult for this method to reach such a volume.

But beyond if the path has been this or the swapping sim, Telegram, WhatsApp and Signal have a hole that does not depend on their encryption, but on the voicemail password. The operators are also responsible for the lack of care they put in their mailboxes being well protected. Four-digit passwords usually come from the factory, match numbers on the phone number or be easily guessed (who has not ever put the year of birth?)

We can continue to trust Telegram and take time to see the messages of the acting vice president, Carmen Calvo. But they should also know that someone malicious could have leaked the entire strategy of Echenique, Pablo Iglesias and Irene Montero, in a while.

In addition to using the secret conversation mode for very private messages, where they self-destruct, there are a couple of reasonable solutions that few users use: one, activate the two authentication factors. Messaging apps allow you to activate a password that complements the code sent by phone. No one could then access from outside. Two, have a second phone number for these applications. For example, whoever has one of the two numbers does not see so easily that someone does with the other. They are practices that take time, but examples like the Brazilian will show the way.