Experts say Telegram’s ‘30 engineers’ team is a security red flag

Over the weekend, a clip from a recent interview with Telegram’s founder Pavel Durov went semi-viral on X (previously Twitter). In the video, Durov tells right-wing personality Tucker Carlson that he’s the only product manager at the company, and that he only employs “about 30 engineers.”

Security experts say that while Durov was bragging about his Dubai-based company being “super efficient,” what he said was actually a red flag for users.

“Without end-to-end encryption, enormous numbers of vulnerable targets, and servers situated within the UAE? Looks like that will be a security nightmare,” Matthew Green, a cryptography expert at Johns Hopkins University, told information.killnetswitch.

Green was referring to the fact that, by default, chats on Telegram aren’t end-to-end encrypted like they are on Signal or WhatsApp. A Telegram user has to start a “Secret Chat” to switch on end-to-end encryption, making the messages unreadable to Telegram or anyone other than the intended recipient. Also, over the years, many people have cast doubt on the quality of Telegram’s encryption, given that the company uses its own proprietary encryption algorithm, created by Durov’s brother, as he said in an extended version of the Carlson interview.

Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation and a longtime expert in the security of at-risk users, said that it’s important to remember that Telegram, unlike Signal, is a lot more than just a messaging app.

“What makes Telegram different (and far worse!) is that Telegram is not only a messaging app, it is also a social media platform. As a social media platform, it’s sitting on an enormous amount of user data. Indeed, it’s sitting on the contents of all communications that aren’t one-on-one messages which have been specifically [end-to-end] encrypted,” Galperin told information.killnetswitch. “‘Thirty engineers’ means that there is no one to fight legal requests, there is no infrastructure for dealing with abuse and content moderation issues.”

“And I would even argue that the quality of these 30 engineers isn’t that great,” Galperin continued. “Also, if I was a threat actor, I would definitely consider this to be encouraging news. Every attacker loves a profoundly understaffed and overworked opponent.”

In other words, it’s unlikely for Telegram to be very effective at fighting hackers, especially government-backed ones, with such a small staff.

Telegram didn’t respond to a request for comment, which included questions about whether the company has a chief security officer, and how many of its engineers work full time on securing the platform.

Last week, the well-known cybersecurity expert SwiftOnSecurity wrote on X that “the cost to run a company that has all the right cyber security tools and staff is absolutely obscene.”

“It’s hard to describe the numbers I’ve seen. Even saying this is a grey area. But it’s [an] unimaginable headcount and spend,” SwiftOnSecurity wrote.

All to say, even the biggest companies in the world probably don’t spend enough money, time, and energy on securing themselves. Telegram has nearly one billion users, according to Durov. It’s one of the most popular platforms for people working in crypto (who move millions of dollars), extremists, hackers, and disinformation peddlers.

That makes it an extremely interesting target for both criminal and government hackers. And it has, at most, just a handful of people dedicated to cybersecurity.

For years, security experts have warned that people shouldn’t see Telegram as a truly secure messaging app. Given what Durov said recently, it may be even worse than experts thought.
