Alleged covert wiretap on Russian messaging service blown by expired TLS certificate

Jason Macuray
Security researchers have discovered what they believe may be a government attempt to covertly wiretap an instant messaging service in Germany — an attempt that was blown because the potential intercepting authorities failed to reissue a TLS certificate.

The suspected man-in-the-middle attack was identified when the administrator of jabber.ru, the largest Russian XMPP service, received a notification that one of the servers’ certificates had expired.

However, jabber.ru found no expired certificates on the server — as explained in a blog post by ValdikSS, a pseudonymous anti-censorship researcher based in Russia who collaborated on the investigation.

The expired certificate was instead being presented on a single port that the service uses to set up encrypted Transport Layer Security (TLS) connections with users. Since it was not the certificate installed on jabber.ru's own server, it had to be coming from something sitting between users and the service. Before it expired, whoever held its private key could terminate users' TLS sessions, read or modify the traffic, and relay it on to the real server, which is what makes the interception a man-in-the-middle attack rather than a compromise of the server itself.
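The check a server operator would want here, as an added example that is not part of the original article or of the researchers' own tooling: probe the client-to-server port the way an XMPP client does, record whatever certificate comes back, and compare its SHA-256 fingerprint and validity period with the certificate installed on disk. The port (5222 with STARTTLS), the host names and the self-signed fixture certificates are assumptions for illustration; the article does not name the port.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"os"
	"strings"
	"time"
)

// Fingerprint is the SHA-256 of the DER certificate, the value CT logs and certificate monitors report.
func Fingerprint(c *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(c.Raw))
}

// Compare lists why the certificate seen on the wire should worry the operator relative to the one on disk.
// An expired mismatch is the noisy case that exposed jabber.ru; a still-valid mismatch is the silent one.
func Compare(onWire, onDisk *x509.Certificate, now time.Time) []string {
	var findings []string
	if Fingerprint(onWire) != Fingerprint(onDisk) {
		findings = append(findings, "fingerprint mismatch: wire "+Fingerprint(onWire)[:16]+"... disk "+Fingerprint(onDisk)[:16]+"...")
	}
	if now.After(onWire.NotAfter) {
		findings = append(findings, "wire certificate expired "+onWire.NotAfter.UTC().Format(time.RFC3339))
	}
	return findings
}

// readUntil reads the plaintext stream one byte at a time until marker appears; enough for the fixed
// STARTTLS exchange and, unlike a buffered reader, it cannot swallow bytes that belong to the TLS layer.
func readUntil(conn net.Conn, marker string) error {
	var seen []byte
	b := make([]byte, 1)
	for !strings.Contains(string(seen), marker) {
		if _, err := conn.Read(b); err != nil {
			return err
		}
		seen = append(seen, b[0])
	}
	return nil
}

// FetchXMPPCert negotiates XMPP STARTTLS (RFC 6120 section 5) on the client-to-server port and returns
// the leaf certificate the far end presents. Verification is deliberately disabled: the aim is to record
// whatever is on the wire, which is exactly the thing an interceptor controls.
func FetchXMPPCert(host string, port int, timeout time.Duration) (*x509.Certificate, error) {
	conn, err := net.DialTimeout("tcp", fmt.Sprintf("%s:%d", host, port), timeout)
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(timeout))
	fmt.Fprintf(conn, "<?xml version='1.0'?><stream:stream to='%s' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>", host)
	if err := readUntil(conn, "</stream:features>"); err != nil {
		return nil, fmt.Errorf("no stream features: %w", err)
	}
	fmt.Fprint(conn, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>")
	if err := readUntil(conn, "<proceed"); err != nil {
		return nil, fmt.Errorf("server did not proceed to TLS: %w", err)
	}
	tlsConn := tls.Client(conn, &tls.Config{ServerName: host, InsecureSkipVerify: true})
	if err := tlsConn.Handshake(); err != nil {
		return nil, err
	}
	return tlsConn.ConnectionState().PeerCertificates[0], nil
}

// MakeSelfSignedCert builds a throwaway certificate standing in for "on disk" and "on the wire" when no
// live server is at hand. Constructed test data, not a real jabber.ru certificate.
func MakeSelfSignedCert(name string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name}, NotBefore: notBefore, NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Now() // offline scenario: disk certificate fine, wire certificate different and already expired
	onDisk, _ := MakeSelfSignedCert("xmpp.example", now.Add(-24*time.Hour), now.Add(60*24*time.Hour))
	onWire, _ := MakeSelfSignedCert("xmpp.example", now.Add(-120*24*time.Hour), now.Add(-30*24*time.Hour))
	fmt.Println("offline demo findings:", Compare(onWire, onDisk, now))
	if len(os.Args) == 2 { // live probe: go run . your.xmpp.host   (port 5222 assumed)
		if c, err := FetchXMPPCert(os.Args[1], 5222, 10*time.Second); err != nil {
			fmt.Println("probe failed:", err)
		} else {
			fmt.Println("on-wire sha256:", Fingerprint(c), "valid until", c.NotAfter.UTC())
		}
	}
}
```

Run without arguments for the offline scenario; with a host name it prints the on-wire fingerprint, which can be compared with `openssl x509 -in /path/to/fullchain.pem -noout -fingerprint -sha256` on the server (the same probe without Go is `openssl s_client -connect host:5222 -starttls xmpp -xmpphost host`). Two caveats: the probe must run from outside, since a check from the server to itself never crosses the hosting provider's network where the interception is believed to have sat, and a fingerprint mismatch while the on-wire certificate is still valid is the finding that matters, because that is what the interception looked like until the interceptor's certificate lapsed.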

The wiretap is believed to have lasted for up to 6 months, from April 18 through to October 19, although the researchers were only able to confirm 90 days of actual interception. “All jabber.ru and xmpp.ru communications between these dates should be assumed compromised,” wrote ValdikSS.

“Given the nature of the interception, the attacker has been able to execute any action as if it is executed from the authorized account, without knowing the account password. This means that the attacker could download the account’s roster, lifetime unencrypted server-side message history, send new messages or alter them in real time,” they added.

The researchers said they do not believe the servers themselves were hacked by criminals; rather, they believe the interception was put in place at the hosting-provider level in response to a government request. “We believe this is lawful interception Hetzner and Linode were forced to setup,” ValdikSS wrote, referring to the two companies that host jabber.ru’s infrastructure in Germany.

Recorded Future News has contacted both Hetzner and Linode, a subsidiary of Akamai, for comment, alongside the BfV, Germany’s domestic intelligence agency. As of publication, neither company nor the German government had responded to explain whether the incident was a criminal act or a lawful government intercept.

According to the researcher, the administrators of the jabber.ru service — which was founded in 2000 — had previously moved its hosting infrastructure to Germany due to the risk of government surveillance if it was based in the Russian Federation. Jabber.ru is popular with a range of users, from technology enthusiasts through to cybercriminals.

Most countries in Europe, including Germany, have laws providing intelligence services and law enforcement with the ability to intercept telecommunications messages in bulk. Although there are often extensive safeguards in place, the laws remain controversial due to the enormous potential for abuse.

“Another possible, although much more unlikely scenario is an intrusion on the internal networks of both Hetzner and Linode targeting specifically jabber.ru — much harder to believe but not entirely impossible,” the researcher wrote.

It is unlikely the companies would be able to publicly acknowledge a legal intercept order. In either case — a government wiretap or a criminal intrusion — the companies could face potential backlash from users about the privacy of their communications.

Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.

 
