Expert cybersecurity researchers have demonstrated that it is possible to easily hack WhatsApp and Telegram using the well-known SS7 vulnerability in telecommunications.
WhatsApp is considered the most popular cross-platform messaging application in the world, and has been the target of many attackers who want to compromise its 256-bit encryption.
For ordinary people, decoding a single sentence or a complete message protected by this encryption would take days and months. The same applies to Telegram. Although Telegram is not as popular as WhatsApp, it has a user base that relies on it for the way it encrypts data and for its claim to be free from government surveillance.
Although both applications are end-to-end encrypted, both suffer from a hardware-side vulnerability that can be exploited to compromise and hijack WhatsApp and Telegram sessions.
It might seem that user accounts are compromised through social engineering, where the attacker tricks the victim into handing over their verification code. But there are more cases where this has not occurred and users simply lose access to their account. This happens due to the SS7 vulnerability.
The vulnerability lies in Signaling System 7, or SS7, the technology used by telecommunications carriers on which high-security messaging systems and phone calls rely. SS7 is a set of telephony signaling protocols developed in 1975, used to set up and disconnect most telephone calls on the world's public switched telephone network (PSTN). It also performs number translation, local number portability, prepaid billing, short message service (SMS), and other mass-market services.
SS7 is vulnerable, and this has been known since 2008. In 2014, media outlets reported on an SS7 protocol vulnerability through which both government agencies and non-state actors can track the movements of mobile phone users from virtually anywhere in the world with a success rate of approximately 70%. Furthermore, it is possible to eavesdrop on conversations by using the protocol to forward calls, and also to facilitate decryption by requesting that each caller's carrier release a temporary encryption key to unlock communications after they have been recorded. Researchers created a tool (SnoopSnitch) that can warn when certain SS7 attacks are occurring against a phone and detect IMSI catchers.
You can see how researchers managed to hack WhatsApp and Telegram using the SS7 flaw below:
WhatsApp Hack
Telegram Hack
Both hacks exploit the SS7 vulnerability by tricking the telecommunications network into believing that the attacker's phone has the same number as the victim's. Once the network has been deceived, anyone — even a novice — can spy on the legitimate WhatsApp or Telegram user by creating a new WhatsApp or Telegram account using the secret verification code.
A hacker is a person with extensive computer knowledge who focuses on detecting security flaws in computer systems with the goal of having them resolved and providing protection.
Once complete, the attacker now controls the account, including the ability to send and receive messages. Even more alarming is the fact that the cracker can also send messages on behalf of the victim and read confidential messages intended for the victim without having to attempt to break strong encryption protocols.
A cracker is a person with extensive computer knowledge who engages in illegally accessing other people's computer systems and manipulating them.
See how easily you can hack WhatsApp and Telegram by tricking the network into believing you are the account owner.
How can we protect ourselves from these SS7 attacks?
Since the vulnerabilities and the possibilities of spying on users depend on systems outside of the user's control, there is very little you can do to protect yourself beyond not using the services.
For text messages, avoiding SMS and instead using encrypted messaging services such as Apple's iMessage, Facebook's WhatsApp, or the many other options available will allow you to send and receive instant messages without going through the SMS network, protecting your conversations from being intercepted.
For calls, using a VoIP service instead of the voice call network will help prevent your calls from being eavesdropped. Messaging services, including WhatsApp's calling feature, Silent Circle's end-to-end encrypted phone service, or the open-source Signal app also enable secure voice communications.
Your location could be tracked at any time when your mobile phone is turned on. The only way to prevent this is to turn off your phone or disable your mobile network connection and rely on Wi-Fi.
As additional protection for WhatsApp or Telegram, you can enable two-step verification to add more security to your account. Keep in mind that this vulnerability could remain present for years to come.
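Added example (not from the original article, and not WhatsApp's or Telegram's code): a simplified Python model of a registration server, showing why an SMS code alone is enough to move a number to a second device and how a two-step verification PIN stops that. The class names, return strings, lockout threshold and phone number are assumptions made for this sketch.

```python
import hashlib
import hmac
import os
import secrets

MAX_PIN_ATTEMPTS = 3  # assumed lockout threshold, not a documented WhatsApp/Telegram value


class Account:
    def __init__(self, device, pin=None):
        self.device = device
        self.salt = os.urandom(16)
        self.pin_hash = self._hash(pin) if pin else None  # None: two-step verification off
        self.failed = 0

    def _hash(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)

    def pin_ok(self, pin):
        if self.failed >= MAX_PIN_ATTEMPTS or pin is None:
            return False  # locked out, or no PIN supplied
        ok = hmac.compare_digest(self._hash(pin), self.pin_hash)
        self.failed = 0 if ok else self.failed + 1
        return ok


class RegistrationService:
    def __init__(self):
        self.accounts, self.pending = {}, {}

    def send_sms_code(self, number):
        self.pending[number] = f"{secrets.randbelow(10**6):06d}"
        return self.pending[number]  # models SMS delivery: whoever receives the SMS reads this

    def register_device(self, number, sms_code, device, pin=None):
        expected = self.pending.pop(number, None)  # each code is single-use
        if expected is None or not hmac.compare_digest(expected, sms_code):
            return "rejected: bad SMS code"
        acct = self.accounts.get(number)
        if acct and acct.pin_hash is not None and not acct.pin_ok(pin):
            return "rejected: two-step PIN required"
        if acct is None:
            acct = self.accounts[number] = Account(device)
        acct.device = device
        return "registered"


def simulate_rerouted_sms(two_step_enabled):
    """Register a second device holding only the SMS code, as in the SS7 scenario."""
    svc, number = RegistrationService(), "+10000000000"  # constructed number
    svc.accounts[number] = Account("owner-device", pin="493817" if two_step_enabled else None)
    code = svc.send_sms_code(number)
    return svc.register_device(number, code, "second-device"), svc.accounts[number].device
```

With two-step verification off, the SMS code is the only secret, so control of SMS delivery equals control of the account; with it on, the server also requires a PIN that never travels over the telephone network.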
Why is this happening now?
SS7 vulnerabilities were first discovered by cybersecurity researchers. Karsten Nohl went on to demonstrate them at the Chaos Communication Congress hacker conference in Hamburg in 2014. The hack of Italian surveillance software provider Hacking Team highlighted the continued use of the SS7 system by governments and cybercriminals who intercept and read packets from both users and telecommunications carriers.
But it is Nohl's demonstration of remotely monitoring a U.S. congressman in California from Berlin during a CBS 60 Minutes segment that has brought SS7 back into the spotlight. Since the episode aired, Congressman Ted Lieu has called for an oversight committee investigation into the vulnerability.
