A few years ago things such as wiretapping, intercepting calls and text messages, hacking phones and PCs were associated with intelligence agencies and government spies only.
However, time moves quickly, and our modern digital era gives more and more possibilities to anyone looking to accomplish any of these actions. In our present situation, there are a bunch of spying programs, software, and other methods that allow any person, even without specific knowledge, to find out somebody else’s secrets.
Intercepting calls and SMS, reading text messages, finding out the location, spying on notes, calendar, web activity, and many more are quite easy if you know where to look.
We’ve already talked about the insecurity of different popular messengers, such as Skype, Viber, FB Messenger, BBM, WhatsApp, Telegram, etc. If you haven’t read our previous articles, you will want to read this one. In this article we will prove that such popular means of communication as Telegram and WhatsApp can be easily hacked by the average hacker. By “hacked” we mean that someone would be able to intercept all your messages and even send “fake” ones.
Pre-History
Both Telegram and WhatsApp member accounts are connected to the user’s phone number. Registration in the service and further addition of the new devices are both verified by the code, sent in SMS. This is a very big vulnerability in these programs.
The whole telephony is based on the SS7 – standardized communications protocol, which allows mobile phone devices to exchange text messages. It started functioning as early as the 1980s, and was hardly ever improved. The problem is that SS7 is very vulnerable, which has been proven many times by the telecommunication specialists, hackers, and security professionals. The whole telephony is based on the SS7 – standardized communications protocol, which allows mobile phone devices to exchange text messages. It started functioning as early as the 1980s, and was hardly ever improved. The problem is that SS7 is very vulnerable, which has been proven many times by the telecommunication specialists, hackers, and security professionals.
Tracking and wiretapping may seem to be a skill only intelligence agencies are capable of, being that they are quite complicated and expensive processes, however, because of the insecurity of SS7 it is possible for any hacker even of average level. If you want to know more on this topic, move to our article SS7 Attacks.
How It Works
You may be asking yourself, “What’s the point of all this information?” The thing that is important to know is the way into your Telegram or WhatsApp account lies through the verification SMS. And this SMS, thanks to the SS7 vulnerabilities, can be easily intercepted by a third party.
So as not to sound unfounded, here is a description of the experiment carried out by the professionals of the information security company Positive Technologies.
First of all, a test account on Telegram was created. After that, an attack through the SS7 was fulfilled on a test phone number. A hacker found out that IMSI – an authenticator assigned to every mobile subscriber, carries some specific information, including a unique SIM-card code.
Next step is to register a subscriber in a hacker’s terminal and receive a subscriber’s profile. Actually, that’s all, the subscriber’s phone number is under the hacker’s control. Now, one can connect to the Telegram under the victim’s account (since it is connected to the phone number) And we receive a verification SMS.
After we’ve got an SMS code we have full access to the Telegram account. Not only can we write messages on behalf of a victim, but also read the previous conversation, which is kindly loaded by the Telegram. One isn’t able to read secret chats, but one has the ability to create a new chat and write on the victim’s behalf.
Using a similar scheme, it could be possible to hack a WhatsApp account. It is absolutely possible to carry on a conversation behind the subscriber’s back.
An important fact must be emphasized: one doesn’t need to receive a physical access to the target phone because everything is done remotely.
Conclusion
If you care about security, don’t use Telegram, WhatsApp or other products that use SMS-code verification.
Sending verification codes through the SMS is insecure because mobile telephony is insecure in general. Not only SS7, but also the algorithms of the air interface encryption are highly vulnerable and subject to attacks from any part of the world. Moreover, attacks can be carried out by any programmers with average technical knowledge and they don’t even need to invest in expensive equipment or intelligence agency warrants.
References
https://habrahabr.ru/company/pt/blog/283052/
http://www.ptsecurity.ru/download/PT_SS7_security_2014_rus.pdf
https://en.wikipedia.org/wiki/WhatsApp
https://en.wikipedia.org/wiki/Telegram_(software)