WhatsApp and Telegram, both messaging services that claim to offer end-to-end encryption for chats, can have hackers log into user chats and even reply on the users' behalf, according to new research. The vulnerability mainly stems from Signaling System 7 (SS7), an international telecommunications standard that defines how network elements exchange information over a signalling network.
The report by Positive Technologies states that this SS7-based vulnerability might allow intruders with just basic skills to perform dangerous attacks, some of which may lead to financial loss, confidential data leaks or disruption of services.
Chat applications like WhatsApp, Viber, Telegram, Facebook and others use SMS authentication as their primary security verification mechanism. That SMS traffic is also routed through SS7 signalling, which is what allows hackers to gain access. In this case, a potential hacker can extract the identity of the legitimate user and, as a result, impersonate them.
The most worrisome part is that a potential hacker does not even need sophisticated equipment for such a hack. Positive Technologies in its experiment used a popular Linux-based computer and a publicly available SDK for testing this vulnerability.
SS7 vulnerability not new
Prior to this, researchers at AdaptiveMobile made a practical demonstration of SS7 vulnerabilities by white hats at the Chaos Communication Congress back in 2014. German researcher Tobias Engel has also shown in the past how the location of a mobile phone could be determined by using the SS7 loophole.
The report by Positive Technologies says the main cause of the loophole is that SS7 signalling technology, which was developed back in the 1970s, has not really received any major revision. The revisions it has received did not do much good, as security vulnerabilities within SS7 protocols still remain.
"If telecom and network operators protect their core telecom networks, it will improve the security of customers, but that's not going to happen overnight. Service providers such as WhatsApp need to consider introducing additional mechanisms to verify the identity of users to stay secure," Alex Mathews, technical manager EMEA of Positive Technologies, concluded.