Newly discovered security vulnerabilities in the SS7 mobile telecommunications protocol render WhatsApp and Telegram’s encryption pretty much useless. The vulnerabilities were discovered by security firm Positive Technologies and reported by Softpedia.
The firm used a cheap laptop running Linux and an SDK that allows engineers to work with SS7 (Signaling System No. 7). Its researchers carried out a proof-of-concept demonstration showing the hacking possibilities that open up when the security holes are abused.
Among them is the ability for hackers to impersonate mobile users and receive messages intended for other people. Attackers can also send messages from the impersonated account. This means that there is basically no need for hackers to try and break the encryption of an app as they can simply intercept the messages and see the communication.
The researchers used loopholes in the SS7 protocol and point out that they were discovered back in 2014. Positive Technologies notes that security experts issued repeated warnings back then about the security issues in SS7. SS7 is a standard that was developed in 1975 and allows telecom operators to interconnect fixed lines and/or mobile networks. It is basically the foundation of the telephone communications backbone, but it has never been updated or upgraded.
Researchers now say attacks on SS7 can be carried out from anywhere and are not exclusive to chat apps. This shows that agencies and hackers don’t need to bother with cracking encryption in order to spy on conversations. Even so, this may not be a method most surveillance agencies would opt for, as there is a way for users to notice that something is amiss.
In the WhatsApp messenger settings there is an option called Show Security Notifications. It is turned off by default. Activating it allows users to see when a contact’s original security code has changed. Such a change is a sign that the contact is not using the same device, and that it might be a spoof account used to impersonate the person.
“With the constant stream of new technologies we, developers, often forget that the foundations on top of which we build software are ancient by today’s standards and assume them to be secure and trustworthy,” said Georgy Ganchev, CTO of CouseDot. “In the last couple of years we’ve had security issues such as Heartbleed and Shellshock. The SS7 exploit is yet another proof that no matter how secure your code is, your product is not invincible. Developers should strive to secure their product as best as they can, to fix fast when issues such as this arise and to constantly improve their knowledge on the subject,” Ganchev adds.