Based in silicon valley, california, security brief is a blog by chris louie. his posts discuss current information security affairs

Modern Day Whack A Mole: Russia Attempts to Block Encrypted Messaging App Telegram

Modern Day Whack A Mole: Russia Attempts to Block Encrypted Messaging App Telegram

On March 20, 2018, Russia’s high court ordered encrypted messaging application developer Telegram to hand over its encryption keys to the Russian government or face fines and be prohibited from operating within the country. The high court cited a 2018 anti-terrorism law as the reason for requiring the messaging app to hand overs its keys so the government could read communications sent through its platform to spot and disrupt potential terrorist threats. Messaging applications such as Telegram, Apple’s iMessage, Signal, and WhatsApp use end-to-end encryption where communications are encrypted on the sender’s device and decrypted on the receiver’s device. The messaging platform has no capability or desire to intercept a user’s communications. Russia’s FSB (State Security Service) argued that a user’s communications would only be intercepted in the event of a court order by requesting the decryption keys from the messaging platform. Telegram’s leadership believed the Russian government had a different motive.

Telegram was started by a Russian ex-patriot set on destroying the police state he lived under, so it is no surprise that the company refused the court order to hand over user data and decryption keys. On April 16, 2018, the Russian government began its campaign to block the secure messaging application.

IMG_E046668D66BA-1.jpeg

 

 

In a futile attempt to prevent a complete shutdown, Telegram employed a tactic similar to the wartime operation of a “Human Shield” where a defending country’s military will make their presence near or with civilians making an airstrike’s cost too high due to potential civilian collateral damage. Telegram cleverly hid its IPv4 operating IP addresses within blocks used by Google and Amazon Web Services raising the stakes for the Russian government. If they were to block the IP addresses Telegram uses within those blocks, they would likely block access to many Google and Amazon services. 

Roskomnadzor, the Russian communications regulator and equivalent of the United States FCC, added up to 20 million IP addresses to Russia's official national blocklist with many of those addresses believed to contain the operating servers of Telegram and inflcting a great deal of collateral damage in the process. Amazon-owned Twitch.tv experienced an outage in Russia where Russian gamers could not livestream or watch livestreams on Twitch’s platform due to the IP address block. Alternative messaging app Viber was also caught in the crossfire of the broad IP address block. The irony here is that many Kremlin and high government officials use Telegram for correspondence and are currently in the process of migrating to Viber, a messaging application that presumably complies with the 2018 anti-terrorism law. Telegram’s founder is offering up to one million dollars in bounties for VPN services that allow the continued use of Telegram within Russia. Not surprisingly, Roskomnadzor’s heavy-handed tactics are proved to be less effective than desired as many users in Russia are still reporting they can use Telegram without the use of a proxy or VPN.

This game of Whack A Mole between governments (Whacker) and the tech industry (moles) has been going on for some time and Telegram is just another battle in the war of privacy verses security. In 2015, the US FBI demanded Apple to unlock the iPhone 5s of suspected terrorist Rizwan Farook in the San Bernardino shooting and implant a backdoor in future iPhones so that the FBI could unlock any phone under court order. In response to the government’s request for a backdoor, Apple increased the level of security in its future devices so that under no circumstance could Apple unlock a user’s iPhone. This move represented an escalation of tensions and tactics in the ongoing war and Telegram is just the latest battle, but surely not the last. In 2018, China banned the use of unregistered encrypted VPN providers, presumably because they could not eavesdrop on the communications.

While many in the tech industry are typically against any type of censorship and proponents of free speech, the larger security question that gets raised is “How can you always block one specific application while minimizing collateral damage?” The standard 5-tuple firewall is no longer enough to block modern applications and services. 

In the case of an organization getting hit with numerous DMCA takedown notices, they may want to block the peer-to-peer file sharing BitTorrent protocol. By default, BitTorrent uses ports 6881-6889 TCP, but the protocol can run on any port. Further complicating matters, the peer-to-peer nature of the protocol means that discovering peers that use unblocked ports is a fairly simple process. Applications like BitTorrent and Skype are known as port-hopping applications that will attempt to use any open outbound port to establish a connection. The use of an application-aware (often called next generation) firewall can be leveraged to block an application regardless of what port it uses. In order to reduce collateral damage, the application aware firewall can take identity into account for rule enforcement allowing members of the IT administrators group to use BitTorrent (legally, to download Linux ISOs), but block standard users from using the protocol (to illegally download and share copyrighted content).

block bittorrent.png

 

As long as governments and organizations block and restrict access to a resource, clever users will always find a way to circumvent those controls. The escalating war between governments and the tech industry shows no sign of cooling and will no doubly lead to further innovations in security controls and next generation proxies and VPNs. 

Block BT FW rule.png

 

Footnote:

IP addresses blocked by Roskomnadzor

52.58.0.0/15

18.196.0.0/15

18.194.0.0/15

35.156.0.0/14

In 300 Feet, Exit Right Off of Route 53: Attackers Exploit Amazon's DNS Service to Phish Users

In 300 Feet, Exit Right Off of Route 53: Attackers Exploit Amazon's DNS Service to Phish Users

I Don't IoT: Lessons Learned From Internet Connected Devices

I Don't IoT: Lessons Learned From Internet Connected Devices