


Does SS7 render WhatsApp encryption pointless?

WhatsApp Encryption is Useless, Researchers Claim

WhatsApp recently announced encryption for all its 1 billion users. All the messages, phone calls, photos, and videos sent over the messaging app are now encrypted end-to-end. While services like WhatsApp offer encryption, security researchers warn that hackers can easily gain access to encrypted communications using SMS messages without having to actually break the app's encryption.

SS7 vulnerabilities render encryption pointless

We may be thinking that our communications on encrypted services are to remain private, forever. It was also assumed that even the intelligence agencies won't be able to crack into the encrypted communications. While tech companies may lead the way to encryption, a protocol designed in the 1970s is here to bite the biggies of the tech world, and ultimately the end users.

Several online services now offer two-factor authentication, enabling a user to get a code in an SMS to gain access to their account. By using the loopholes in the notorious Signalling System 7 (SS7) protocol, hackers can easily intercept SMS messages and impersonate the user, gaining access to user accounts, regardless of them being encrypted.


"Telecommunication signalling for all services like – voice, text, etc., travels across the SS7 network. Chat applications such as WhatsApp, Telegram, and others use SMS verification based on text messages using SS7 signalling to verify identity of users/numbers. The upshot is that, as an attacker, access to the SS7 network can easily be purchased, the only negotiation being on the price paid," - Alex Mathews, technical manager EMEA of Positive Technologies explained.

SMS authentication is one of the major security mechanisms for services like WhatsApp, Viber, Telegram, Facebook, and is also part of second factor authentication for Google accounts, etc. Devices and applications send SMS messages via the SS7 network to verify identity, and an attacker can easily intercept these and assume the identity of the legitimate user. Having done so, the attacker can read and write messages as if they are the intended recipient.

The attack is not specific to WhatsApp, Telegram or messaging services, as it can be used for any apps that rely on SMS verification for user identification.

SS7 flaws continue to be exposed

Vulnerabilities in the SS7 mobile signalling protocol have long been reported and tested. We have seen several cases where the exploits have been abused. However, it was believed that only the law enforcement agencies and large hacking groups had access to these exploits. Last month, giving a demo of the exploit, German hacker Karsten Nohl said, "The ability to intercept cellphone calls through the SS7 network is an open secret among the world's intelligence agencies - including ours - and they don't necessarily want that hole plugged."


Turns out, the exploits are available to anyone for the right price and the hack doesn't need any high-end, sophisticated equipment either. Using a Linux-based computer and a publicly available SDK for generating SS7 packets, the security researchers demonstrated how to circumvent encrypted apps. SS7 exploits have been used to track a mobile subscriber's location, listen to their calls, intercept SMS, and redirect voice calls, among other attacks.

The SS7 signalling technology was developed in the 1970s and is yet to be improved or revised, Positive Technologies said. Since the exploits are useful to the intelligence agencies, we won't be seeing any revisions any time soon. Yet, as Mathews warns, "users of these services need to understand that private conversations are unlikely to be private."

Source: https://wccftech.com/does-ss7-render-whatsapp-encryption-pointless/

Posted by: kimvithopipatch.blogspot.com
