Practical Traffic Analysis Attacks on Secure Messaging Applications Alireza Bahramali∗, Amir Houmansadr∗, Ramin Soltaniy, Dennis Goeckelz, and Don Towsley∗ University of Massachusetts Amherst ∗ abahramali, amir, towsley @cs.umass.edu f [email protected] [email protected] Abstract—Instant Messaging (IM) applications like Telegram, A notable example of oppressed IM services is Tele- Signal, and WhatsApp have become extremely popular in recent gram [83] with over 200 million users globally [61], where years. Unfortunately, such IM services have been targets of a large fraction of its users come from countries with strict continuous governmental surveillance and censorship, as these media regulations like Iran and Russia. In particular, Telegram services are home to public and private communication channels is so popular in Iran that it has been estimated to consume more on socially and politically sensitive topics. To protect their clients, than 60 percent of Iran’s Internet bandwidth [9]. Consequently, popular IM services deploy state-of-the-art encryption mecha- nisms. In this paper, we show that despite the use of advanced Iranian officials have taken various measures to monitor and encryption, popular IM applications leak sensitive information block Telegram: from requesting Telegram to host some of its about their clients to adversaries who merely monitor their servers inside Iran to enable surveillance [85], to requesting encrypted IM traffic, with no need for leveraging any software Telegram to remove controversial political and non-political vulnerabilities of IM applications. Specifically, we devise traffic channels [85]. Eventually, Iran blocked Telegram entirely in analysis attacks that enable an adversary to identify adminis- April 2018 due to Telegram’s non-compliance. Despite this, trators as well as members of target IM channels (e.g., forums) statistics suggest only a small decrease in Telegram’s Iranian with high accuracies. We believe that our study demonstrates a users who connect to it through various kinds of VPNs [43]. significant, real-world threat to the users of such services given Telegram has also been blocked in Russia as Telegram op- the increasing attempts by oppressive governments at cracking erators refrained from handing over their encryption keys to down controversial IM channels. Russian officials for surveillance [73]. Finally, in the light of We demonstrate the practicality of our traffic analysis attacks Telegram’s crucial role in recent Hong Kong protests, there through extensive experiments on real-world IM communications. are unconfirmed reports [22], [75] that mainland Chinese and We show that standard countermeasure techniques such as Hong Kong authorities may have attempted to discover Hong adding cover traffic can degrade the effectiveness of the attacks Kong protesters by misusing a Telegram feature that enabled we introduce in this paper. We hope that our study will encourage them to map phone numbers to Telegram IDs. IM providers to integrate effective traffic obfuscation counter- measures into their software. In the meantime, we have designed A Fundamental Vulnerability: Popular IM applications like and deployed an open-source, publicly available countermeasure system, called IMProxy, that can be used by IM clients with no Telegram, WhatsApp, and Signal deploy encryption (either need for any support from IM providers. We have demonstrated end-to-end or end-to-middle) to secure user communications. the effectiveness of IMProxy through experiments. We refer to such services as secure IM (SIM) applications. In this paper, we demonstrate that despite their use of advanced encryption, popular IM applications leak sensitive information I. INTRODUCTION about their clients’ activities to surveillance parties. Specif- Instant Messaging (IM) applications like Telegram, Signal, ically, we demonstrate that surveillance parties are capable arXiv:2005.00508v1 [cs.CR] 1 May 2020 1 and WhatsApp have become enormously popular in recent of identifying members as well as administrators of target years. Recent studies estimate that over 2 billion people use IM communications (e.g., politically sensitive IM channels) mobile IM applications across the world [42]. IM services with very high accuracies, and by only using low-cost traffic enable users to form private and public social groups and analysis techniques. Note that our attacks are not due to exchange messages of various types, including text messages, security flaws or buggy software implementations such as those images, videos, and audio files. In particular, IM applications discovered previously [32], [49], [74], [94]; while important, are used extensively to exchange politically and socially sen- such security flaws are scarce, and are immediately fixed by sitive content. As a result, governments and corporations in- IM providers once discovered. Instead, our attacks enable creasingly monitor the communications made through popular surveillance by merely watching encrypted IM traffic of IM IM services [1], [2], [73], [85]. users, and assuming that the underlying IM software is entirely secure. The key enabler of our attacks is the fact that major IM operators do not deploy any mechanisms to obfuscate traffic characteristics (e.g., packet timing and sizes), due to Network and Distributed Systems Security (NDSS) Symposium 2020 23-26 February 2020, San Diego, CA, USA the impact of obfuscation on the usability and performance of ISBN 1-891562-61-4 https://dx.doi.org/10.14722/ndss.2020.24347 1An administrator of an IM channel is a member who is privileged to post www.ndss-symposium.org messages to that channel. such services. We therefore argue that our attacks demonstrate neling SIM traffic through VPNs, mixing it with background a fundamental vulnerability in major in-the-wild IM services, traffic, adding cover IM traffic, and delaying IM packets. As and, as we will demonstrate, they work against all major IM expected, our experiments show that such countermeasures services. reduce the effectiveness of the attacks at the cost of additional communication overhead as well as increased latency for SIM We believe that our attacks present significant real-world communications. For instance, we find that tunneling SIM threats to the users of believed-to-be-secure IM services, traffic through VPN and mixing it with background web- specially given escalating attempts by oppressive regimes to browsing traffic reduces the accuracy of our attack from crack down on such services, e.g., the recent attempts [1], [2], 93% to 70%, and adding cover traffic with a 17% overhead [22], [75] to identify and seize the administrators and members drops the accuracy to 62%. We argue that since many SIM of controversial IM communications. users do not deploy such third-party countermeasures due Our Contributions: We design traffic analysis attack algo- to usability reasons, SIM providers should integrate standard rithms for SIM communications; the objective of our attack traffic obfuscation techniques into their software to protect is to identify the admins and/or members of target SIM their users against the introduced traffic analysis attacks. In communications. What enables our attack is that, widely-used the meantime, we have designed and deployed an open-source, SIM services do not employ any mechanisms to obfuscate publicly available countermeasure system, called IMProxy, statistical characteristics of their communications. that can be used by IM clients with no need to any support from IM providers. We have demonstrated the effectiveness of We start by establishing a statistical model for IM traffic IMProxy through experiments. characteristics. Such a model is essential in our search for effective traffic analysis attacks on SIM services. To model IM In summary, we make the following contributions: communications, we join over 1,000 public Telegram channels We introduce traffic analysis attacks that reliably identify and record their communications, based on which we derive • users involved in sensitive communications through se- a statistical model for IM traffic features. We use our SIM cure IM services. To launch our attacks, the adversary model to derive theoretical bounds on the effectiveness of our does not need cooperate with IM providers, nor does traffic analysis algorithms; we also use our statistical model he need to leverage any security flaws of the target IM to generate arbitrary numbers of synthetic SIM channels to services. enhance the confidence of our empirical evaluations. We establish a statistical model for regular IM commu- Based on our statistical model for IM communications, we • nications by analyzing IM traffic from a large number of use hypothesis testing [68] to systematically design effective real-world IM channels. traffic analysis attack algorithms. Specifically, we design two We perform extensive experiments on the popular IM ser- traffic analysis attack algorithms; our first algorithm, which we • vices of Telegram, WhatsApp, and Signal to demonstrate call the event-based correlator, relies on the statistical model the in-the-wild effectiveness of our attacks. that we derive for SIM communications to offer an optimal We study potential countermeasures against our attacks. matching of users to channels. Our second algorithm, which • In particular, we design and deploy IMProxy, which is an we call the shape-based algorithm, correlates the shapes of open-source, publicly available countermeasure system. SIM traffic flows in order to match users to target