Of late, people have been shifting from phone texts and emails to WhatsApp, Telegram and other encrypted messaging apps for privacy purposes.
Largely, that is true because these apps are protected by end-to-end encryption that makes it very hard for intruders to spy your conversations. However, hackers have improvised another means to hijack your WhatsApp or Telegram accounts and it has totally nothing to do with the security flaws in these applications.
This week, videos showing how WhatsApp and Telegram accounts can be cracked using flaws within the global network of telecom companies have been doing rounds – Signaling System 7 abbreviated as SS7. As a matter of fact, a profile of a $20 million undercover service that uses the flaws to spy users’ chats has been published. The firm by the name Ability Inc. confirmed it can surveil any handset anywhere across the world with just a mobile number. The weaknesses in SS7, though well known to hackers and governments, are a little tricky to fix due to some laws.
How the hijackers bypass encryption protections
Naturally, messaging apps using encrypted messaging protocol are resistant to hackers because the key to decode any conversation relies only on the sender and the receiver, not even the messaging service provider nor the authorities. Though man-in-the-middle attack i.e. intercepting messages on transit is still possible, the scammer will not be able to decipher the conversation. Basically, it’s nonsense to do that. Again, to effectively use machines to deduce algorithms-created encryptions would require a lot of effort and computer power. And so determining the patterns used to encrypt users conversation is never easy.
With encryption perfectly safe, hackers exploit the vulnerabilities in SS7 to break these popular encryption-protected messaging apps. The hackers’ system effortlessly tricks the operator network into believing that the criminal’s phone has the same number as the target’s so that connections are routed through their devices. Once completed, the hacker can set up a duplicate Telegram or WhatsApp account and proceed to get the secret code that validates their device as the legal account holder. It’s that simple! The attackers can now impersonate you, controlling the account by sending texts and reading messages intended for you.
Fixing Signaling System 7 is never easy as earlier stated because it’s a global network of telecom companies, none of them has absolute control or governs it. Unless someone or a group is appointed to govern and maintain it, the mess will remain and users of seemingly protected apps will still be vulnerable to impersonation.
Israeli-based company Ability CEO Anatoly Hurgin said the firm’s licensed Unlimited Interception System will soon redirect users’ data to their own machines. Russian security outfit, Positive Technologies also confirmed the validity of the technique by posting two videos.
How to stay safe
Encrypted messaging apps are still secure and cheaper than standard SMS. Even as attackers scare users from using them, there are ways to stay safe. First is using call functions over this apps. The hacker will have to do a very good convincing impression of the target that can lead to the caller disclosing secrets.
Moreover, a security researcher Karsten Nohl, famous for his SS7 excellent work, recommends usage of encrypted messaging apps to prevent men-in-the-middle from redirecting plain messages to their machines. Nohl advises that over-suspicious users should authenticate key fingerprints of their contacts.