WhatsApp’s recent adoption of end-to-end encryption was a big deal in the cyber security community. However, research conducted by Positive Technologies reveals that the end-to-end encryption in services such as WhatsApp and Telegram is vulnerable. More specifically, researchers have found vulnerabilities in the Signalling System 7 (SS7) network.
It’s a known fact that one-time codes via SMS are insecure, because mobile communication is insecure. Both the SS7 network and air interface encryption algorithms suffer from vulnerabilities. Attacks on SS7 may be conducted from anywhere, and hackers may choose other targets apart from messengers. It is worth noting that all the tests were performed with default settings, i.e. the mode most users apply.
As you perhaps know, SMS authentication is used for security verification in various services like WhatsApp. This authentication is routed via SS7 signalling. According to the researchers, one-time codes sent via SMS are unsafe because mobile communication itself is unsafe. In fact, not only the SS7 network but also air interface encryption algorithms are vulnerable. Furthermore, attacks on SS7 can be initiated from anywhere. Besides messengers, malicious actors may target other services, too.
How Was the Research Conducted?
That being said, it’s important to note that Positive Technologies’ research was conducted with default settings, which is the mode used by most users. A test account was set up in Telegram and several messages were exchanged. Then an SS7 attack was carried out on the test numbers via identification of IMSI (International Mobile Subscriber Identity).
After entering the code, full access is obtained to the Telegram account including the ability to write messages on behalf of the victim as well as read all the correspondence.
According to the company, mobile operators should improve the signaling security and make it harder for attackers to intercept communications. In addition, WhatsApp and similar services should apply another layer of verification on the user’s identity.
What Do Mobile Operators and WhatsApp, Telegram Say?
SC Magazine UK has already approached WhatsApp and Telegram, together with all the major mobile operators in the United Kingdom. For now, none has replied with a comment.
However, Jacob Ginsberg, senior director at Echoworx, has told the magazine that a logical next step for users is to “double check their settings to find out if they are being notified of any changes to their keys or authentication”.
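The settings check Ginsberg describes comes down to key-change notification. The following Python example is added here and is not code from WhatsApp, Telegram, Echoworx or Positive Technologies: it pins each contact's identity key on first use and compares a client that accepts a changed key silently with one that notifies and holds the message. It assumes that an account re-registered on another device presents a new identity key; the class, the `notify_on_change` setting name, the phone number and the keys are constructed for illustration.

```python
import hashlib
import hmac

def fingerprint(identity_key: bytes) -> str:
    """Short, comparable digest of a contact's public identity key."""
    return hashlib.sha256(identity_key).hexdigest()[:16]

class PinStore:
    """Trust-on-first-use store: remembers the first identity key seen per contact."""

    def __init__(self, notify_on_change: bool):
        self.notify_on_change = notify_on_change  # hypothetical setting name
        self.pins = {}    # contact -> pinned fingerprint
        self.events = []  # notifications that would be shown to the user

    def check(self, contact: str, identity_key: bytes) -> str:
        """Return 'send' or 'hold' for an outgoing message to `contact`."""
        seen = fingerprint(identity_key)
        pinned = self.pins.get(contact)
        if pinned is None:
            self.pins[contact] = seen  # first contact: pin the key
            return "send"
        if hmac.compare_digest(pinned, seen):
            return "send"              # same key as before
        # The key differs: new phone, reinstall, or an account taken over
        # with an intercepted SMS code. The client cannot tell which.
        if not self.notify_on_change:
            self.pins[contact] = seen  # silently re-pinned, user never learns
            return "send"
        self.events.append(f"identity key for {contact} changed: {pinned} -> {seen}")
        return "hold"                  # wait for out-of-band verification

    def accept(self, contact: str, identity_key: bytes) -> None:
        """The user confirmed the new key out of band; pin it."""
        self.pins[contact] = fingerprint(identity_key)

def demo() -> dict:
    original = b"constructed-key-original-device"           # constructed sample
    reregistered = b"constructed-key-after-reregistration"  # constructed sample
    results = {}
    for label, notify in (("silent", False), ("notify", True)):
        store = PinStore(notify)
        store.check("+10000000000", original)
        results[label] = (store.check("+10000000000", reregistered), len(store.events))
    return results

if __name__ == "__main__":
    print(demo())
```
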
What else is new? The only sure way is the old way. 1-time pads or the like. The only thing off the top of my head would be using a live or virtual Linux distro such as Tails, running it routed through I2P, proxychained or Tor – but then that pesky MIT bug and all… PGP and memory wipe, even then disable camera, mic and all non-essentials, taking it further run it on a mini SD card and wammo eat the damn thing. A paraphrasing of a quote from I think Jefferson or Jackson?:
“When the Government fears the people there is freedom, when the citizens fear the Government Tyranny” – we are in the middle harboring along the razor's edge.