Move Designed to Tighten Ban on App But Ineffective in the Long Run

In a new move aimed at tightening the state-imposed ban on the Telegram messaging app, the Telecommunications Company of Iran (TCI) temporarily rerouted Telegram app traffic in violation of domestic law in July 2018.

For one hour on July 30, Iran changed the routing (pathway) of Telegram’s internet protocol (IP) addresses to the TCI instead of Telegram’s servers so that the app was unusable even with censorship circumvention tools such as virtual private networks (VPNs).

Hijacking IP addresses could have global implications. By altering the routing of Telegram traffic, Iran is causing other servers in the world to also update their routing, resulting in incorrect IP addresses that could also disrupt internet traffic in other countries.

The TCI’s hijacking of border gateway protocols (BGPs)—which manage how data is transferred across the internet—is not only a violation of Iranian law, it also seals the reputation of Iran’s Telecommunications Ministry as a violator of internet freedom.

Responding to this action, Iran’s Telecommunications Minister Mohammad Javad Azari Jahromi tweeted on July 30, “Based on reports I’ve received so far, between 4 and 6 a.m. on July 30, the TCI was engaged in changing its topology and consolidating its provincial network in Shiraz and Bushehr [cities].”

“If confirmed, the TCI’s misdeed, whether intentional or not, will trigger a heavy fine,” he added. “The matter is under investigation by the Communications Regulatory Authority (CRA) of The I.R. of Iran.”

BGP hijacking is like changing your home address to receive mail at someone else’s residence. This is not the first time Iran has resorted to illegal methods to expand its filtering policies.

Investigations by the Center for Human Rights in Iran (CHRI) show that on July 17, 2018, Iran also attempted to block international access to banned domestic websites by sabotaging and interfering in the data traffic in violation of its own Computer Crimes Law.

For example, when a user outside Iran tried to access fileniko.com, the Telecommunication Infrastructure Company(TIC) inserted code into that website that redirected users to a different website, http://peyvandha.ir/, which displays a list of websites recommended by Iranian authorities.

The list is no longer displayed because Iran has removed the filter on the website.

The responsible authority for this action was the TIC, which operates under the Telecommunications Ministry. All ministries in Iran operate under the president, who appoints the head minister.

It is unknown how many websites in Iran have been made inaccessible via this method.

By blocking international access to the website, the TIC committed sabotage and hacked the network in violation of articles 736 and 737 of Iran’s Computer Crimes Law, a crime punishable by up to two years in prison and a maximum fine of 40 million rials (approximately $906 USD).

Why the BGP Filtering Method is Ineffective

On July 30, the bgpstream.com website, which monitors and analyzes internet traffic on the BGP protocol, reported that at 6:28 a.m. EST, the TCI hijacked a number of IPs belonging to Telegram.

Hamid Kashfi, an internet security expert based in Europe told CHRI: “Hijacking BGPs is just like giving a false address and getting someone else’s mail at your home and then sending them back to the original address—if you do it the right way.”

Implemented less than two months after Iran blocked access to Telegram, the move appears to be designed to strengthen the ban by rerouting access requests to servers inside Iran. This method was previously used by the government of Pakistan in February 2008 when it extended its filtering to international BGP routes and redirected most of YouTube’s traffic to Pakistan.

Commenting on the development, Wall Street Journal tech reporter Drew FitzGerland tweeted on July 30, “Translation: A bunch of Telegram messages from around the world ended up taking a detour thru Iran.”

Although this filtering method can be temporarily effective, it is also easily recognizable and can be corrected by international routers within a maximum of two to three days.

The BGP protocol enables internet routers to find each other.

For example, if you want to access the Telegram app, the best path to the app’s servers will be determined by routers that connect you to their stored IP addresses, which are updated when changes take place. As such, BGP allows routers to exchange information on how users can best access desired destinations.

“When you don’t have physical access to a target network inside the country, the easiest way to control its traffic is by hijacking internet data through BGPs,” Kashfi told CHRI.

He continued, “Despite what the public might think, this kind of attack is technically very simple. In truth, it’s a deliberate mistake intended to change the main route of internet service providers.”

Kashfi added that these types of attacks “are used for monitoring and extracting traffic information or even to carry out secure socket layer (SSL) attacks. If the traffic has been encrypedencoded correctly, it’s not a big threat, but in the real world it always causes problems.”

Asked if he thinks Iran’s action was accidental or deliberate, Kashfi responded, “Governments usually do it deliberately and then say it was accidental. Since blocking Telegram in Iran is a strategic matter, it’s very, very unlikely it was accidental.”