Security experts: ISIS' favorite messaging app is no match for feds

The app's cryptography is like "being stabbed in the eye with a fork," according to one leading cryptographer.

Islamic State (ISIS) fighters are being told to use Telegram, a popular app used to send end-to-end encrypted messages, to prevent the authorities from snooping on their activities.

A report in The Daily Beast pointed to the Berlin-based service, which topped the list of apps that ISIS is encouraging its followers to use.


The app, built by Russian developers who said it was designed to evade Russia's own state intelligence agencies, touts more than 50 million users, in part thanks to its offering of encrypted group chats.

But not everyone is so sure about the app's integrity, particularly with regard to the cryptography it uses to scramble messages from one device to another.

Cryptographer Matthew Green, a professor at Johns Hopkins, said in a tweet that while the app's user experience is "nice," the "crypto is like being stabbed in the eye with a fork."

If you're using an app for its end-to-end encrypted messaging, the user experience means nothing.

The crypto is not thought to be broken -- at least by any member of the public. But security researcher Thaddeus Grugq, known by most as just the "grugq," criticized the app in a blog post on Wednesday, saying he "wouldn't trust the encryption protection in Telegram against a nation state adversary."

"Even if Telegram's encryption is solid, there are serious problems with the safe operational use of the program," he said.

He summed up the app's issues:

"In summary, Telegram is error prone, has wonky homebrew encryption, leaks voluminous metadata, steals the address book, and is now known as a terrorist hangout. I couldn't possibly think of a worse combination for a safe messenger."

"The safest way to use Telegram would be not to," he added.

The yet-to-be-publicly-broken crypto is one thing, but the fact that the app "helpfully uploads the entire Contacts database to Telegram's servers" is a big red flag for anyone wanting to use the service.

ISIS' push to move to Telegram comes days after Anonymous declared cyber-war against ISIS in the wake of the terrorist group's Paris attacks, which killed 129 people and injured hundreds. Unconfirmed reports circulated Tuesday that the hacktivist group took down more than 5,500 Twitter accounts associated with ISIS sympathizers and associates.

ISIS considers Telegram to be one of the "safe" apps to use to send end-to-end encrypted messages, alongside Wickr and others. But it ranks below the "safest" apps available, such as Silent Circle's apps, as well as Signal, known to be used by whistleblower Edward Snowden.