Somebody logged into Telegram accounts of some Russian opposition activists

Anton Nesterov
Fri Apr 29 11:29:02 PDT 2016

Russian activists Georgy Alburov (member of the Anti-corruption Foundation)
and Oleg Kozlovsky (member of the Solidarnost movement) found their Telegram
accounts accessed from the same NY IP address (which is a Tor
exit relay run by The Calyx Institute) using telegram-cli. They did not
have two-factor authentication enabled (Telegram by default uses one-time
passwords received by SMS, but you can also enable "two-factor
authentication", which asks for a password when you try to log in from a
new device) and they didn't receive the SMS message, so it looks like an
SS7 attack. The Russian government is known for exploiting SS7
vulnerabilities (and those are not really vulnerabilities which can be
easily fixed; those vulnerabilities exist because SS7 was designed that way).

MTS, the telecom provider used by Alburov and Kozlovsky, commented that SMS
receiving was disabled on their accounts for some time.

I also have some evidence that Russian authorities use the same method for
logging into Facebook accounts (Facebook also has a feature called
"one-time password" which allows you to send an SMS with the text "otp" to
a Facebook number and receive a code which is enough to log in to Facebook).

SS7 is designed in such a way that the attacker is not required to be in
the same country as you. Your telecom provider is not required to
cooperate. All you need is access to SS7. Security services have it,
private spies have it, and you can have it: there are plenty of companies
selling SS7 access.

So if you use Telegram, enable two-factor authentication.

If you use Facebook, turn on login approvals.

If you are using any service which allows you to log in with just a code
received by SMS, find a way to turn this off or stop using this service.

If you are thinking about such a feature in your service, please don't do so.

See also:

News report (in Russian)

Kozlovsky's post with details received from MTS (in Russian)

The Critical Hole at the Heart of Our Cell Phone Networks, which covers
some previous SS7 attacks by the Russian govt and SS7 design

SS7: Locate. Track. Manipulate, a great talk by Tobias Engel at 31c3
about SS7

SS7map, a map covering SS7 issues

GPG key: 0CE8 65F1 9043 2B11 25A5 74A7 1187 6869 67AA 56E4
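
An added example, not part of the original post and not Telegram's or Facebook's code: a server-side login check for the advice above to service designers, in which a correct SMS code alone never authorizes a new device. The `Account` record, its field names, the `login` function and the sample values are all hypothetical.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class Account:  # hypothetical record, field names are assumptions
    phone: str
    pw_salt: bytes = b""
    pw_hash: bytes = b""  # empty: no second-factor password enrolled
    known_devices: set = field(default_factory=set)


def _kdf(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked record does not reveal the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def set_password(acct: Account, password: str) -> None:
    acct.pw_salt = os.urandom(16)
    acct.pw_hash = _kdf(password, acct.pw_salt)


def login(acct, device_id, sms_code, expected_code, password=None) -> str:
    """Return 'ok', 'need_password' or 'denied' for one login attempt."""
    # A correct code shows only that the caller can read SMS routed to the
    # number, which is not proof of being the subscriber.
    if not hmac.compare_digest(sms_code.encode(), expected_code.encode()):
        return "denied"
    if device_id in acct.known_devices:
        return "ok"
    # New device: the SMS code is never sufficient on its own.
    if not acct.pw_hash:
        return "denied"  # enrolment must happen from an already trusted device
    if password is None:
        return "need_password"
    if not hmac.compare_digest(_kdf(password, acct.pw_salt), acct.pw_hash):
        return "denied"
    acct.known_devices.add(device_id)
    return "ok"
```

A caller holding a valid SMS code for a device not in `known_devices` gets `need_password` and no session until the enrolled password is also supplied.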
