A vulnerability in an international telecoms standard could render encryption useless in message services such as WhatsApp and Telegram, according to security researchers.
A report by Positive Technologies found the flaw in Signaling System 7 (SS7), an international standard that defines how network elements exchange information over a signalling network. The technology was developed in 1975 but never updated to take into account advancements in mobile technology or the rise of cyber-crime.
Researchers at the company said the vulnerability could enable hackers to “send, intercept and alter SS7 messages by executing various attacks against mobile networks and their subscribers.”
SMS authentication is used as a security verification mechanism in messages apps such as WhatsApp, Viber, Telegram, Facebook and others. The authentication is routed through SS7 signalling.
The researchers said that one-time codes via SMS are insecure, “because mobile communication is insecure”.
“Both the SS7 network and air interface encryption algorithms suffer from vulnerabilities. Attacks on SS7 may be conducted from anywhere, and hackers may choose other targets apart from messengers. It is worth noting that all the tests were performed with default settings, ie the mode most users apply,” the firm said in a blog post.
The researchers set up a test account in Telegram and exchanged a couple of messages. Then conducted an SS7 attack on one of the test numbers identifying the IMSI.
“After entering the code, full access is obtained to the Telegram account including the ability to write messages on behalf of the victim as well as read all the correspondence,” said the researchers.
The firm said that mobile operators “need to improve their signalling security and make it difficult for attackers to intercept various communications, and messaging services like WhatsApp need to add another layer of verification the user's identiyy, to avoid such interceptions in future”.
SCMagazineUK.com approached WhatsApp and Telegram as well as all the major mobile operators in the UK for comment on the vulnerability but at the time of writing, none have responded to our questions.
Jacob Ginsberg, senior director at Echoworx, told SC that a sensible next step for users is to double check their settings to find out if they are being notified of any changes to their keys or authentication.
“Going even further, it would be prudent for WhatsApp to enable this by default in any future updates. With notifications turned on, it should be simple enough to spot any third parties trying to snoop on conversations,” he said.
Claire Cassar, chief executive of Haud, told SC that while the exploit that Positive Technologies outline is a real one, this is not an exploit that will affect every user, but rather subscribers on mobile networks without adequate protection.
“It is possible to intercept and block this type of fraud using an advanced SS7 firewall managed by a team of mobile security experts. Forward thinking MNOs have already deployed such technology to protect their subscribers from this and other types of SS7 fraud,” she said.
She added the method used to intercept WhatsApp communication, as described by Positive Technologies, relies on a known SS7 exploit called SMS spoofing. Spoofing is outlined in detail, along with several other SS7 vulnerabilities, by the GSMA in a 2013 reference document, IR 70 on SMS SS7 Fraud 4.0, so is already well known about within the industry.
Cathal McDaid, chief intelligence officer at AdaptiveMobile, told SC that if mobile users want to use WhatsApp or other apps and are concerned with their security, they should contact their mobile operator to see if they are working to secure the network.
“WhatsApp and other messaging apps should also investigate ways that security can be improved on their end, based on accurate security and trust assumptions. In general, these types of methods are normally used against high-value interception targets,” he said.
He added that enterprises should confirm with their mobile carriers that they are working to secure all possible avenues of attack into their networks, and if using third-party apps they must ensure that they follow company policies based on the perceived risk.