On the Cryptographic Fragility of the Telegram Ecosystem
Telegram is a popular messenger with more than 550 million monthly active users and a large ecosystem of different clients. Telegram has its own bespoke transport layer security protocol, MTProto 2.0. This protocol was recently subjected to a detailed study by Albrecht et al. (IEEE S&P 2022). They gave attacks on the protocol and its implementations, along with a security proof for a modified version of the protocol. We complement that study by analysing a range of third-party client implementations of MTProto 2.0. We report practical replay attacks for the Pyrogram, Telethon and GramJS clients, and a more theoretical timing attack against the MadelineProto client. We show how vulnerable third-party clients can affect the security of the entire ecosystem, including official clients. Our analysis reveals that many third-party clients fail to securely implement MTProto 2.0. We discuss the reasons for these failures, focussing on complications in the design of MTProto 2.0 that lead developers to omit security-critical features or to implement the protocol in an insecure manner. We also discuss changes that could be made to MTProto 2.0 to remedy this situation. Overall, our work highlights the cryptographic fragility of the Telegram ecosystem.
On the Cryptographic Fragility of the Telegram Ecosystem
Telegram is a popular messenger with more than 550 million active users per month and with a large ecosystem of different clients. The wide adoption of Telegram by protestors relying on private and secure messaging provides motivation for developing a profound understanding of its cryptographic design and how this influences its security properties. Telegram has its own bespoke transport layer security protocol, MTProto 2.0. This protocol was recently subjected to a detailed study by Albrecht et al. (IEEE S&P 2022). They gave attacks on the protocol and its implementations, along with a security proof for a modified version of the protocol.
We complement that study by analysing a range of third-party client implementations of MTProto 2.0. We report practical replay attacks for the Pyrogram, Telethon and GramJS clients, and a more theoretical timing attack against the MadelineProto client. We show how vulnerable third-party clients can affect the security of the entire ecosystem, including official clients. Our analysis reveals that many third-party clients fail to securely implement MTProto 2.0. We discuss the reasons for these failures, focussing on complications in the design of MTProto 2.0 that lead developers to omit security-critical features or to implement the protocol in an insecure manner. We also discuss changes that could be made to MTProto 2.0 to remedy this situation. Overall, our work highlights the cryptographic fragility of the Telegram ecosystem.
Revelio: A Network-Level Privacy Attack in the Lightning Network
The Lightning Network (LN) is a widely-adopted peer-to-peer network that not only addresses Bitcoin's scaling problem but also enables private payments. LN uses a sophisticated onion encryption and routing scheme to ensure the anonymity of the payer and the payee, as well as the secrecy of the payment amount. Recent work has shown that an application-level attacker can hijack payment routes and use the resulting central position to deanonymize the sender and the receiver of a payment. However, these attacks are visible or require a significant fraction of parties to collude. This paper presents a stealthier, passive network-level attack exploiting the joint centralization of the LN at the application and at the network layers. Five autonomous systems can thus see the traffic of up to 80% of all observable communication channels and infer ongoing payments -- even though the traffic is encrypted, and many participants use Tor to hide themselves. The comprehensive view allows the attacker not only to estimate the value of a payment but also to effectively reduce the anonymity size of its endpoints. We show that this deanonymization attack, which we call Revelio, is practical in today's topology of LN and its underlying infrastructure: Our attack perfectly deanonymizes the senders or the receiver in almost one-third of tested payments.
Cardiovascular risk profiles: A cross-sectional study evaluating the generalisability of the glucagon-like peptide-1 receptor agonist cardiovascular outcome trials REWIND, LEADER and SUSTAIN-6 to the real-world type 2 diabetes population in the UK
Aims: To determine the proportion of UK patients with type 2 diabetes (T2D) who meet the cardiovascular (CV) or combined CV/core eligibility criteria of the CV outcome trials (CVOTs) of UK-marketed glucagon-like peptide-1 receptor agonists (GLP-1 RAs) showing CV benefit (dulaglutide in REWIND, liraglutide in LEADER and injectable semaglutide in SUSTAIN-6). Materials and Methods: Adults with T2D on/before June 2018 were identified from the UK Clinical Practice Research Datalink GOLD primary care database and linked to Hospital Episode Statistics data (Protocol 19_262). Patient CV and clinical data were evaluated against the CVOTs’ eligibility criteria. Data were analysed descriptively. Results: The study cohort (N=33,118 patients with T2D) had a mean (SD) age of 66.0 (13.3) years and 56.6% were male. Almost two-thirds (64.5%) of the study cohort met the CV criteria for REWIND, versus 43.0% for both LEADER and SUSTAIN-6. The proportions of the study cohort who met the CVOTs’ criteria of ‘established CV disease’ and ‘CV risk factors only’ for REWIND were 22.4% and 42.1%, respectively, versus 38.7% and 4.3%, respectively, for both LEADER and SUSTAIN-6. The proportion of patients satisfying both CV and core criteria was 44.4% for REWIND, 13.3% for LEADER and 13.5% for SUSTAIN-6. Study findings remained consistent when restricted to GLP-1 RA users. Conclusions: REWIND captured a trial population more representative of the real-world T2D population in the UK than LEADER or SUSTAIN-6 with regard to both CV and combined CV/core eligibility criteria.