Hello everybody!
It disturbed me to read that Russian drones are now piloted via Telegram bots, using Ukraine’s own cellular networks and onboard AI. Not only because that would be equal to ‘giving the Russians both the map and the keys’, or because the use of cellular networks would be… hm… ‘particularly insidious’, even… yes, so ‘typically Russian’: but, because word is that over 70% of Ukrainians (apparently: civilians) are using Telegram as their primary source of information, while within circles of people busy with fighting cyber warfare, there is meanwhile little doubt this service is widely used not only for systematic information warfare, but much worse things. At least as much because the Ukrainian authorities have explicitly banned its use by officials and members of the armed forces, and still: alone gauging by the number of messages containing links to Telegram posts I’m receiving, this order remains largely ignored.
Privately, I couldn’t care less if it’s ‘politicians’ and/or ‘journalists’ (and especially editors and producers responsible for what these journalists are reporting) making use of this service: they’re supposed to be conscious and responsible people, so if they don’t care about taking risks… fine with me. However, and that’s troubling me the most, the sustained use of Telegram by members of the Ukrainian Armed Forces (ZSU)… that is infuriating: bordering on intentional disregard for their own security and the security of other members of the ZSU.
Unsurprisingly (I hope), when there are professional experts stressing that the Russians are now using Telegram bots to guide their nocturnal strikes with attack UAVs on Ukraine, I do think that should be taken damn seriously.
That said, gauging by reactions from several contacts in Ukraine and elsewhere (primarily EU), things are not as simple, and even less obvious. Therefore, let’s start with the start and then see where this rabbit hole is leading…
***
Related rumours seem to have been sparked by an article in The Economist, ‘actually’ discussing the record numbers of the Russian attack UAVs striking all over Ukraine, and that almost every single night. When discussing the use of such long-range attack UAVs as Shahed/Geran, the article claims that in addition to real-time video transmissions (something reported for months already), these are now including AI-supported guidance and flight controls via Telegram-based interfaces.
Now, while the feature is not even trying to discuss such topics like the exact percentage of the ZSU communications intercepted by the Russians via Telegram in, say, ‘the last week, month, year’ - and the same is unlikely to ever become known - the feature is creating the impression that, kind of, the Russians could guide their attack UAVs against selected Telegram users.
…which would mean a dramatic shift in the use of that service: from passive interception to active weaponisation.
If you have a problem following, it’s easy: consider the possibility of using enemy soldiers’ smartphones not only as sources of intelligence, for something like ‘collecting data leaks’, but: converting their smartphones into homing beacons.
***
Almost unsurprisingly (considering the widespread use of Telegram in Ukraine), there followed a ‘hefty’ reaction.
One of the first ‘voices’ to react was… well, not really ‘official’, but at least ‘military affiliated’… sigh… Telegram channel (that’s the moment where my head meets the desk with the rhythmic despair of a man debating flat-earthers) ‘Polkovnyk HSh’.
To make sure: no, I’ve got no problem with Polkovnyk HSh. Only with his use of Telegram. Anyway… he sharply rebuked The Economist explaining that nobody controls Shaheds through Telegram, BUT, he went on to explain, kind of, ‘yes: after the strike, basic flight parameters (coordinates, altitude, speed) are sent via Telegram, to help the Russians assess the results of the mission’…
Erm… hand on heart: I’m no ‘techie’. I have no trace of clue how the internet works, not to talk about how such services like Telegram work. And, as explained and stressed yesterday, I’m no expert, and everybody knows I’m totally unprofessional. Still, the expressions used are making me wonder about a great number of things not explained by anybody.
For example…
how is a Shahed/Geran supposed to transmit <quote> ‘basic flight parameters (coordinates, altitude, speed)’ </end of quote> AFTER either hitting its target (or being shot down)…? Or, say, such nifty questions like,
if Telegram is both capable of and secure enough to transmit post-strike data… then, why the heck should it be ‘impossible’ to use it for controlling the attack UAVs? Because… well, you know: if things can go in one direction, then they can go in another too… i.e. there is then the option of two-way communication… or?
…and then, that itch in my small toe, is prompting me to ask: what’s with encryption protocols?
And, isn’t it so that if one is claiming security for one function but not another, then it might be necessary to define the technical boundary?
But OK. Let’s say that my small toe is wrong, regardless how notorious meanwhile, and nobody there in Ukraine is either ignorant or dishonest. Let’s take it for granted that nobody can control Shaheds/Gerans through Telegram.
As clueless as I am about this topic, I’m, instantly, feeling so much better, can’t say….
***
Therefore, and instead of guessing about things I’ve got no trace of clue about, and asking lots of questions - who knows: perhaps there is somebody who can sincerely answer all of the above - let’s continue analysing reactions.
Another professional expert online presence (I’m relieved: this time not on Telegram), then explained that they’ve talked with analysts of Ukraine’s Centre for Studies of Captured and Advanced Weaponry. Correspondingly, the latter confirmed that such attack UAVs are not operating under real-time remote control: on the contrary, they are pre-programmed with satellite-based guidance, and (but?) <quote> ‘may include’ simple post-strike telemetry systems designed to map Ukrainian air defence activity for future route adjustments </end of quote>.
…and then goes on to explain that there is <quote>no verified evidence of AI-enabled autonomy or real-time control via social media</end of quote>.
Erm… and, how do they explain the Russian attack UAVs mapping air defence activity? I mean, for unprofessional jerks like me that is ‘automatically’ implying something called the ‘real-time data collection’. Because, the UAVs obviously have the ability to ‘report’ their findings to the base. In real time. And, except somebody there seriously thinks there’s something like ‘ghost of the UAVs making calls back to Moscow’, drones, certainly, can’t do so once they are destroyed - whether shot down, jammed, or hitting (or missing) their target and crashing. And, if their telemetry is capable of… let’s call it ‘adaptive routing’ during the mission - then why should it be ‘absolutely incapable’ of being used for ‘remote control’? And, if something is ‘not verified’, does that mean it’s 1000% sure? Like: does no verified evidence mean the Russian attack drones lack the capability or just haven’t been caught having such capability yet? And, since when is absence of evidence the evidence of absence? And, please one step forward whoever is ready to gamble his/her life for such assumptions…?
…at which point the impacts of my forehead against my desk are proceeding in Morse code for, ‘I simply can’t believe this any more’…
***
…as the best wife in this solar system is bandaging my head, a joke making the rounds sometime back in the late 1980s is coming to my mind.
Picture this: during the Second World War, a famous Hero of the Soviet Union steps on a mine. To his luck, he comes away almost uninjured. That is, the blast of the detonation goes into… ahem… his ‘most praised possession’…
Ever diligent, his comrades collect him and all the ‘fragments’, bring them to a hospital. Because the hero is so famous, Stalin sends his best surgeons. They patch the hero-soldier’s private pieces together. Indeed, following the surgery, everybody is delighted and marvels at fantastic results of their work - because the hero’s best piece is ‘still’ showing a tattoo: ‘Olya’.
(For those who do not know it: that’s a cute, playful Russian derivative for ‘Olga’, a female name… which, BTW, also stands for ‘faithful’.)
The poor bastard sobs, though.
When asked why, he explains: the tattoo used to read ‘Greetings from Sevastopol’….
***
Why am I telling you something as macabre? Because this might help you memorise a tragic fact: that wars distort facts as violently as explosives distort bodies.
…because partial truths are ‘experts’ in surviving any war, just like wartime narratives.
…because, sorry, and by all respect and best will, after all the negative experiences of the last three years, I’m not promptly buying ‘simple but positive’ explanations any more.
…because my unprofessional conclusion is that modern-day analysts have a strong preference for jumping to conclusions on the basis of personal preferences and predilections, and stitching together their own ‘Olya’ from fragmented intel.
Put aside the mythology about ‘handwritten notes’ and similar. Can’t care less. Fact is: using cellular networks to remotely control drones is technically possible. It might appear to ‘us’ - whether here in ‘the West’, or in Ukraine - as not the best way of doing that job considering how much electronic warfare the Shahed/Gerans are facing inside Ukraine. But, ‘we’ are not the Russians.
It is no ‘fact’ that the Russians are lagging ‘forever’ in regard to the use of AI. ‘We’ are assuming about something that, actually, requires rigorous verification - instead of the usual sweet-talking.
I would not bet my life on that practice. And even less so ever come to the idea to use (or continue using) Telegram. Yes, sure, such ‘worst case’ assumptions were regularly proven as exaggerated, often as entirely wrong, but: in the case of a war like this one, there’s simply no way past the ‘worst case scenario’. This should be the ‘Lessons No. 1 - 1000’ about this war: ‘hope’ is no strategy.
Especially when it comes to the use of social media, the safest way is always to assume the worst, and use that as the starting point. Indeed, the fact is: ‘hoping’, even ‘wishfully thinking the best’ - one of the traditional Ukrainian traits - is far from being the most advisable practice.
At war, complacency, boys and girls: is lethal. Not only that the first question for anybody dismissive of drone tech should be: what else is the character in question missing - but: if you haven’t figured that out by now, not only Ukraine, but all of ‘the West’ is at war. Because, and whether you like that or not, Russia invaded, is attacking, and subverting.
Therefore, cannot but advise: dear Ukrainians, hands off Telegram, finally.
UA UAV engineer here with a few cents.
1. Serhii Flash (a very authoritative source on UAV connectivity) publicly debunked the whole "note from friendly engineers" thing as well as the idea that RU UAVs are able to use mobile connectivity in Ukraine en masse. There is no hard source for the note either.
2. Telegram is just hands down the most convenient messaging app there is from the user experience, chances are if Russians use Telegram to get drone telemetry, this would only be for the reason to keep all tabs in the same window. Same as anyone using Telegram bots as services up to Ukrainian government ones (e.g. traffic fine monitoring) because it's just a convenient thing to do.
3. There is nothing special to Telegram in terms of creating a secure two way link so long as you have connectivity in the first place. I literally did just that on our system for debugging with just an SSH tunnel. It's solvable by any half competent IT person so Telegram in itself would only provide some quality of life, but not a technological edge. The fact that Telegram is hard to filter is only relevant in the context of mass media and regular users, not when you are rolling a telemetry system for devices you are in full control of.
4. Telegram's encryption (MTProto) is home-grown and has been the subject of many theoretical attacks and criticism. In general it's a bad idea to roll out your own crypto, so the best way to describe Telegram's security is "we don't know" and that would include risks for Russian operators too. That argument is absolutely not in favor of Telegram usage for the military and for Russians it'd be a sign of complacency above all.
5. The issue of mobile connectivity in itself is being worked on by Ukraine in a systematic manner. As with anything it's a back and forth battle, but there is no evidence to suggest that Russian UAVs can efficiently use Ukraine's networks. It is plausible of course, but The Economist just went all out with spreading rumors which is hardly helpful for anyone.
tl;dr if Shaheds use mobile connectivity over Ukraine, that happens in a very limited capacity and has absolutely nothing to do with Telegram and its capabilities whatsoever.
Sigh... If only we all had a universally used "standard" proper messenger (for daily private communications, not "social media presences"). If only it was so easy to make everyone I know use only one of these. But no - Microsoft had to kill off Skype and I'm stuck using a wild jumble of telegrams, vibers and facebook messengers - none of which I trust or even like, but still have to use to communicate with literally 1-2 persons in each one.
Well, at least I'm not in the trenches.