Hackers have this week published videos revealing how WhatsApp and Telegram accounts can be hijacked using vulnerabilities within the Signaling System 7 or SS7 system that is a global network of telecom companies.
Unfortunately SS7 vulnerabilities aren’t a secret to either hackers or governments and providing a fix for them is a little tricky due tot he amount of red tape that needs to be crossed to access the system legitimately.
TNW explain more bout the process and why the problem exists :
Typically, encrypted messaging apps are impervious to hackers because the key to decrypt the message relies on each end of the conversation (you and your friend). Intercepting the message in the middle — known as a man-in-the-middle attack — is still possible, but the attacker would gain nothing but a message they couldn’t read, or decrypt.
These two hacks aren’t attacking the encryption in the app(s), however, they’re attacking the SS7 vulnerability. This is done by tricking the telecom network into believing the attacker’s phone has the same number as the target’s. I won’t detail how that’s done, but let’s just say it’s not difficult. From there, the attacker would create a new WhatsApp or Telegram account and receive the secret code that authenticates their phone as the legitimate account holder.
Once complete, the attacker now controls the account, including the ability to send and receive messages. This is particularly troublesome as — now that they’re phone is authenticated — they are the original account holder, meaning they’ll now be able to send messages as you, and read messages intended for you without ever having to try to break strong encryption protocols.
Why can’t we just fix SS7? SS7 is a global network of telecom companies, which means none of them actually own, or govern it. Instead, any change is met with miles of red tape and a lack of decent options aside from global compliance to actually get things done. It’s a mess, and it’ll remain that way until someone, or a group, is appointed to govern and maintain it.