Totally Forked? // How The Telegram Ban and Tightened Sanctions Are Putting Iranian Netizens In Danger

James Marchant
Published in Filterwatch
9 min read · Jul 26, 2018


With unsafe ‘forked’ versions of Telegram flooding the Iranian app market at the same time as sanctions are stripping citizens of digital security software, Iranian citizens face a growing range of online threats every day.

By Kaveh Azarhoosh, Tom Ormson & James Marchant

In recent months, Iran’s National Computer Emergency Response Team, or MAHER, has been issuing an ever-increasing number of advisory statements and warnings highlighting the cybersecurity threats that Iranian internet users and ICT managers face in their day-to-day lives.

In this edition of FilterWatch, we highlight the devastating effects of Iranian ICT policy on the online security of its citizens. We also note how compliance, or over-compliance, with some of the recent sanctions imposed by the United States against Iran has left a growing number of Iranians defenceless against online threats.

Meet MAHER // Iran’s National Computer Emergency Response Team

The National Computer Emergency Response Team (MAHER), established in 2008, is based at the Information Technology Organisation of Iran, and falls under the management of Seyyed Hadi Sajjadi, the ITO Deputy for Cyber Security.

It has 34 Computer Emergency Response Teams in universities across the country, as well as teams in the Intelligent Information Solutions Centre of Iran, and Iran’s Cyber Police (FATA).

MAHER is also affiliated with three international bodies: the International Multilateral Partnership Against Cyber Threats (IMPACT), the Organisation of Islamic Cooperation Computer Emergency Response Teams (OIC-CERT), and the Cybersecurity Alliance for Mutual Progress (CAMP).

Its scope covers:

  • Rescue and response activities.
  • Prevention activities.
  • Security improvement activities.

MAHER publishes frequent reports on online threats facing Iranian citizens. Of particular note, the organisation released an analysis of the cyber attacks launched against Iranian data centres in April 2018. Although MAHER was one of the leading organisations responsible for investigating the attacks, it also found itself criticised by Iran’s ICT Minister for failing to prevent them in the first place.

This rise in the profile of MAHER may in part be due to the ever-increasing threats against Iranian users online; risks that have increased due to policies pursued by the Iranian government in recent months.

An instructional infographic from MAHER illustrating how users can turn off location services.

Risky Business // Why The Situation’s More Dangerous Than Ever

Today’s online environment in Iran is a world away from the early 2000s, the heyday of the Persian ‘Blogestan’. Back then internet access was far less widespread and connections were far slower, yet censorship still left little mark on the daily lives of most Iranian citizens.

After waves of protesters took to the streets of Tehran following the disputed presidential election of 2009, Iranian authorities expanded their filtering programme; soon the authorities blocked websites such as Twitter, Facebook, and YouTube.

Iran’s aggressive censorship gave rise to a generation of internet rights activists inside and outside Iran that focused on bypassing restrictions and providing circumvention tools to internet users in the country. It was around this time that a rise in targeted cyber attacks against high profile human rights activists and politically sensitive networks came to light as well.

However, a much less discussed consequence of these policies is the growth of cyber security threats against private internet users in Iran. The most recent and notable example came with the filtering of Telegram.

The impact of blocking Telegram in Iran was fundamentally different to the blocking of Twitter, Facebook, or YouTube. Telegram was much more than a social networking site or an entertainment platform. Telegram was also a tool for marketing, and even conducting local business. As such, the blocking of Telegram resulted in over 40 million Iranians seeking a way to bypass the filtering and access the platform.

For Fork’s Sake // The Dangers of Talagram and Hotgram

Among the free tools used to bypass the filtering were ‘forked’ versions of Telegram: independently produced apps built from Telegram’s open-source client code that connect to Telegram’s own servers. These forks frequently compromise the privacy of their users, because whoever builds and distributes the modified client controls everything it displays, including messages that Telegram encrypts in transit. In recent months many Iranians have been using unofficial forks such as ‘Talagram’. Telegram’s founder Pavel Durov has in the past warned about the security of unofficial Telegram apps, saying that there is no guarantee they comply with Telegram’s privacy policy.

On 14 July Iran’s Deputy Prosecutor General Abdolsamad Khorramabadi claimed that more than 30 million Iranians continue to access the banned messaging app Telegram through two domestically produced applications, Hotgram and Talagram. Both are produced by the Iranian company Rahkar Sarzamin Hooshmand (Smart Land Strategy) using Telegram’s open-source code and servers. Earlier this year Google Play removed Talagram from its store because it was not an officially sanctioned version of Telegram. It is unclear who at Rahkar Sarzamin Hooshmand has access to the unencrypted data of its users in Iran, which places their privacy and security under serious threat.

Telegram founder Pavel Durov warns users about the dangers of using forked versions of Telegram.

Although there is a debate in Iran regarding the level of support these apps may be receiving from some security-oriented bodies in Iran, they have had such a devastating effect on the security of individuals that even MAHER has released reports highlighting their dangers.

Permission Slips // The Perils Of An Unregulated VPN Market

On 8 July 2018, MAHER published a warning about the rise of brute force attacks against SSH services in Iran. The warning came with an official technical documentation file from SHOMA. In recent months, MAHER has also been publishing Persian-language reports on vulnerabilities discovered around the world. For example, its recent reports included information about ransomware families such as PSCrypt and CryBrazil.

However, some of its reports have also come under criticism from internet security experts. On 11 February 2018 Twitter user Kevin Miston (@kevinmiston) posted a series of tweets alleging that a MAHER report into the aftermath of attacks on Iranian news websites wrongly placed one of the attackers’ IP addresses in London. Miston showed that the address was in fact located in Bulgaria, and MAHER later released a correction to its report.

There is also huge demand in Iran for VPNs and other circumvention tools. This market exists in complete legal limbo: policy makers and commentators are well aware of the high demand for and usage of VPNs in Iran, but the law does not clearly state whether using a VPN is legal. What the law does make clear is that selling circumvention tools is illegal. Notably, many activists recently objected when ICT Minister Jahromi claimed, erroneously, that the use of VPNs is illegal.

This lack of clear legal protection for buying and selling VPNs has given rise to a shadowy market of free or cheap VPNs that compromise the security of Iranian users. Although there are circumvention tools such as Psiphon that support internet users in Iran with a free VPN, frustration with the government’s constant attempts to block known VPNs drives Iranians to try other, lesser-known free VPNs. In October 2017 MAHER issued a warning about a fake version of Psiphon which, MAHER claimed, had been spreading the Tyrant ransomware throughout Iran. According to MAHER, the ransomware demanded a payment of $15 in Iranian rial through one of two Iranian online payment websites.

There are also examples of fake VPNs built to track Iranian internet users rather than to extract a ransom. According to a report by vpnMentor and the cybersecurity firm ClearSky, in January 2018, following the crackdown on the internet in response to widespread protests across the country, some Iranians received a text message inviting them to download a safe and free VPN. ClearSky’s investigation shows that the link led to an Android package called Ir.ops.breacker, which imitated the popular VPN app Psiphon. The app requested an extensive list of permissions, including the phone’s location, that no VPN client needs, in effect turning itself into a live spying tool.

The list of permissions demanded by the fake version of Psiphon. This originally appeared in a report from vpnMentor and ClearSky.
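A practitioner vetting a lookalike VPN app before installing it would start with its manifest rather than its marketing. The script below is an added example, not code from the original article or from vpnMentor or ClearSky: it parses an Android manifest, flags permissions that a VPN client has no reason to request (location, SMS, contacts, microphone, phone identity), and checks whether the app actually declares a service guarded by BIND_VPN_SERVICE, without which it cannot route device traffic at all. Both manifests are constructed for the example; the permission lists, package names and the allowlist of VPN-justifiable permissions are the editor’s assumptions, not the real permission list of Ir.ops.breacker or of Psiphon.

```python
"""Audit the manifest of an Android app that claims to be a VPN client.

Added example: the manifests below are constructed, not taken from any real APK.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"

# Permissions a circumvention/VPN client can plausibly justify (editor's assumption).
VPN_EXPECTED = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.FOREGROUND_SERVICE",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.WAKE_LOCK",
}

# Permissions that turn a "VPN" into a surveillance tool; none is needed to tunnel traffic.
SPYWARE_INDICATORS = {
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.READ_SMS": "read stored SMS",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS (2FA codes)",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.READ_CALL_LOG": "read call log",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_PHONE_STATE": "device identifiers / phone number",
    "android.permission.GET_ACCOUNTS": "enumerate accounts on the device",
}


def audit_vpn_manifest(manifest_xml: str) -> dict:
    """Return a verdict and the evidence behind it for one decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}

    # A genuine VPN app must expose a <service> protected by BIND_VPN_SERVICE
    # with an android.net.VpnService intent filter; the OS hands traffic only to such a service.
    declares_vpn_service = any(
        svc.get(PERMISSION_ATTR) == "android.permission.BIND_VPN_SERVICE"
        and any(a.get(NAME_ATTR) == "android.net.VpnService" for a in svc.iter("action"))
        for svc in root.iter("service")
    )

    spyware = {p: SPYWARE_INDICATORS[p] for p in sorted(requested & SPYWARE_INDICATORS.keys())}
    unexplained = sorted(requested - VPN_EXPECTED - SPYWARE_INDICATORS.keys())

    if spyware or not declares_vpn_service:
        verdict = "REJECT"        # spies on the user, or cannot even be a VPN
    elif unexplained:
        verdict = "REVIEW"        # unusual but not obviously malicious permissions
    else:
        verdict = "PLAUSIBLE"

    return {
        "package": root.get("package", ""),
        "declares_vpn_service": declares_vpn_service,
        "spyware_permissions": spyware,
        "unexplained_permissions": unexplained,
        "verdict": verdict,
    }


# Constructed manifest of a Psiphon lookalike: asks for surveillance permissions and
# declares a plain service that is not a VpnService at all.
FAKE_VPN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="ir.example.freevpn">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Psiphon Free VPN">
        <activity android:name=".MainActivity"/>
        <service android:name=".SyncService"/>
    </application>
</manifest>
"""

# Constructed manifest of a minimal, plausible VPN client.
MINIMAL_VPN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.example.circumvent">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
    <application android:label="Example VPN">
        <service android:name=".TunnelVpnService"
                 android:permission="android.permission.BIND_VPN_SERVICE">
            <intent-filter>
                <action android:name="android.net.VpnService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (FAKE_VPN_MANIFEST, MINIMAL_VPN_MANIFEST):
        report = audit_vpn_manifest(manifest)
        print(f"{report['package']}: {report['verdict']}")
        for perm, why in report["spyware_permissions"].items():
            print(f"  surveillance capability: {perm} ({why})")
        if not report["declares_vpn_service"]:
            print("  no BIND_VPN_SERVICE service declared: this app cannot tunnel traffic")
```

To run it against a real package, decode the APK with apktool and feed the resulting AndroidManifest.xml to `audit_vpn_manifest`. The same check applies to the Telegram forks discussed above: a messaging client that requests location or SMS access beyond what the official app asks for deserves the same suspicion as a fake VPN.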

A Blocked Signal // How Sanctions Undermine Citizens’ Security

Since the reimposition of the sanctions regime against Iran, there have been cases where tech companies have denied crucial services to internet users, which in turn has negatively affected the security of Iran’s netizens.

It has been suggested that these are unintended consequences of sanctions, and in fact the result of tech companies’ over-compliance with sanction regimes. In June 2013 the US Department of the Treasury announced that it was easing the sanctions that had prevented the export and provision of software, hardware, and communications services to the country. The Treasury issued a general licence that permits US companies and citizens to provide:

  • “Fee-based services incident to the exchange of personal communications over the internet, such as instant messaging, chat and email, social networking, sharing of photos and movies, web browsing, and blogging”;
  • “Consumer-grade internet connectivity services and the provision, sale, or leasing of capacity on telecommunications transmission facilities (such as satellite or terrestrial network connectivity) incident to personal communications”;
  • Related software and hardware; and
  • Internet connectivity services and related satellite/network capacity.

Even this general licence has not made tech products reliably accessible to Iranians. For example, the secure messaging app Signal, which relies on Google App Engine, was not accessible to Iranians at the time of the protests earlier this year because Google, citing sanctions, denies that service to users in Iran. Having no end-to-end encrypted messaging app available puts Iranian internet users at risk of being targeted by criminals and, perhaps more importantly, exposes them to both targeted and mass surveillance by state and security-oriented organisations.

And even more recently, Iranian internet users have taken to social media to complain that tech companies, citing new US sanctions, are denying them services that were available a year ago. This has a particularly damaging effect on security when it stops users from obtaining antivirus software, fully accessing app stores, or updating their software.

An image posted by Iranians Online complaining about effect of sanctions on accessing antivirus software.
Tech entrepreneur Mahdi Taghizadeh shares his frustrations at the impact of US sanctions on Iran’s tech sector.

Digital Badlands // Iran’s Dangerous Digital Security Landscape

Questions of cyber security have been very sensitive in Iran since the 2010–11 discovery of the Stuxnet attacks on Iran’s nuclear infrastructure. It can also be argued that many of the conservative supporters of the ‘National Internet’, or ‘SHOMA’, view this national infrastructure as instrumental in protecting against future attacks on Iran’s cyberspace.

However, the Iranian government’s heavy-handed implementation has created a national network that is highly vulnerable to attackers seeking either financial gain or personal information. On top of the filtering regime, a highly restrictive legal framework has left Iranians searching for functional tools in an unregulated and non-transparent market.

The Iranian government urgently needs to assess the effects of its filtering and legal regime on the security of its citizens. Without a doubt, any inquiry into the effect of Iran’s ICT policy on the security of individual users will reveal the financial cost of creating an unsecured network. The Iranian government’s responsibility to its people to provide them with a safe and secure online space goes much beyond technical press releases from MAHER.

If Iran’s ICT Ministry hopes that MAHER will develop into a body that enjoys a high level of trust among the Iranian people, then it must not condone or turn a blind eye to the activities of the Cyber Police or other security-oriented organisations that seek to entrap Iranian internet users or invade their online privacy. MAHER cannot be trusted to safeguard the security of all Iranians while there are documented reports of systematic campaigns by Iranian security organisations targeting activists inside and outside Iran.

It is also crucial that the international community, and in particular the United States, along with tech companies, reassess their approach to sanctions against Iran. There is no justification for denying services that could drastically improve the digital security of Iranian citizens and safeguard their privacy. Doing so exposes activists, journalists, and ordinary citizens to the threat of surveillance, detention and digital attack.

This article is taken from Small Media’s Filterwatch series, available here.
