Russia exploits Telegram security flaw to surveil Ukrainian operative

Information security expert Matt Tait has a fascinating piece on Russia’s exploitation of a security flaw in the chat app Telegram to surveil an operative working with Ukraine’s special forces. Tait analyzes the details in a Washington Post story to evaluate Russia’s access and capabilities. Here’s the bottom line:

Telegram is not safe to use as a chat or call app. It nearly cost [the Ukrainian operative] his life. Ukrainians—and frankly everyone else too—should find another encrypted application for chats and calls.

Matt Tait

Tait ultimately concludes that Russia did not, but could have, obtained direct access to the operative’s Telegram chats with a Ukrainian special forces officer. Telegram does not end-to-end encrypt chats by default, but even if it had, Tait suspects that security design flaws in the app mean that Russia’s physical access to the device would have allowed it to read all of the operative’s messages.