Messaging App Encryption Ineffective due to SS7 Vulnerabilities

NOTE:  This is directly from the press release by Positive Technologies.  All references of “we” refer to this company, and has no affiliation with GadgetryTech.  We are simply reporting this important topic because it affects so many users.

SS7 network can be compromised by attackers, rendering encryption redundant.

Researchers at Positive Technologies have warned that, while messaging services – such as WhatsApp and Telegram, have introduced end-to-end encryption to protect users’ communications, vulnerabilities in the Signalling System 7 (SS7) network on which they rely renders these security enhancements redundant.

It’s a known fact that one-time codes via SMS are insecure, because mobile communication is insecure. Both the SS7 network and air interface encryption algorithms suffer from vulnerabilities. Attacks on SS7 may be conducted from anywhere, and hackers may choose other targets apart from messengers. It is worth noting that all the tests were performed with default settings, i.e. the mode most users apply.

Simplified and detailed view of the attack is described in the article.

SMS authentication is one of the major security mechanisms for services like WhatsApp, Facebook, Google, Viber, etc. Devices and applications send SMS messages via the SS7 network to verify identity, and an attacker can easily intercept these and assume identity of the legitimate user.

The way our research could perform successful is:

We registered a test Telegram account and exchanged a couple of messages.

Then one conducted an SS7 attack on one of the test numbers.

Then one identifies the IMSI…

Reassigning the subscriber to our terminal…

Getting the subscriber profile…

Completing the procedure of subscriber reassignment…

Now the victim’s number is under full control. One initiates connection to Telegram under the victim’s account (phone number) on any device and finally get the required SMS…

After entering the code, full access is obtained to the Telegram account including the ability to write messages on behalf of the victim as well as read all the correspondence. The phone on the right has a full copy of the correspondence from the mobile device on the left:

However, at this stage it’s impossible to read secret chats:

But you may create a new one and write messages impersonating your victim:

Later, the same attack was performed on WhatsApp. Similarly access to the account was obtained.

The one major conclusion or observation that comes out of this proof of concept is:

1. Mobile operators need improve their signalling security and make it difficult for attackers intercept various communications, and

2. Messaging services like WhatsApp need to add another layer of verification the users identify, to avoid such interceptions in future.

Be the first to comment

Leave a Reply

Your email address will not be published.