The end-to-end encryption recently introduced by a number of chat apps such as WhatsApp, Telegram and Viber is pointless in practice and does very little to protect users from being spied upon, security researchers claim.
According to researchers from security firm Positive Technologies, these apps rely on SMS verification carried over Signalling System 7 (SS7), a network that is insecure in its own right. Because account ownership is proved over that channel, the encryption the apps add on top can be sidestepped entirely.
“Telecommunications signalling for all services, like voice, text, etc., travels across the SS7 network. Chat applications such as WhatsApp, Telegram, and others use SMS verification based on text messages using SS7 signalling to verify the identity of users/numbers. The issue is that, as an attacker, access to the SS7 network can easily be purchased, the only negotiation being on the price paid,” says Alex Mathews, technical manager EMEA of Positive Technologies.
“SMS authentication is one of the major security mechanisms for services like WhatsApp, Viber, Telegram, Facebook, and is also part of second-factor authentication for Google accounts, etc.,” he explains.
“Devices and applications send SMS messages via the SS7 network to verify identity, and an attacker can easily intercept these and assume the identity of the legitimate user. Having done so, the attacker can read and write messages as if they were the intended recipient. Additionally, if chat history is stored on the server, this can be retrieved too. The attacker can be located anywhere in the world and it’s almost impossible to stop them, as nobody monitors the SS7 network.”
There are things that can be done to improve security, starting with telecoms and network operators protecting their core signalling networks, but he does not expect that to happen any time soon. In his view, service providers such as WhatsApp should introduce extra measures of their own rather than relying on the SMS code alone.
“In the meantime, any users of these services need to understand that private conversations are unlikely to be private.”
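The following is an added illustration of why a single SMS factor fails and what an "extra measure" at the service level looks like; it is constructed example code, not from Positive Technologies or any of the apps named above. It models the SMS channel as one whose messages are visible to anyone with signalling access, and assumes a hypothetical registration PIN that never travels over SMS (a "registration lock" style design).

```python
import hashlib
import hmac
import secrets

VICTIM = "+15550100"   # constructed sample number, not a real subscriber


class SmsChannel:
    """Constructed model of SMS over SS7: the handset gets the text, and so does anyone with signalling access."""
    def __init__(self):
        self.intercepted = []   # (number, text) copies visible on the signalling path

    def send(self, number, text):
        self.intercepted.append((number, text))


class VerificationService:
    """SMS-code registration plus an optional registration PIN that never travels over SMS (assumed design)."""
    def __init__(self, sms):
        self.sms = sms
        self.pending = {}    # number -> outstanding one-time code
        self.pin_hash = {}   # number -> hash of the owner's registration PIN

    def set_registration_pin(self, number, pin):
        # A real service would use a slow KDF (scrypt/Argon2); SHA-256 keeps the model short.
        self.pin_hash[number] = hashlib.sha256(pin.encode()).hexdigest()

    def start(self, number):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[number] = code
        self.sms.send(number, f"Your verification code is {code}")

    def finish(self, number, code, pin=None):
        expected = self.pending.pop(number, None)
        if expected is None or not hmac.compare_digest(expected, code):
            return False
        stored = self.pin_hash.get(number)
        if stored is None:
            return True    # SMS-only: possession of the code is the whole proof
        if pin is None:
            return False   # once a PIN is set, the intercepted code alone fails
        return hmac.compare_digest(stored, hashlib.sha256(pin.encode()).hexdigest())


def register(pin_set_by_owner=None, pin_presented=None):
    """Re-register VICTIM on a fresh device knowing only what the SMS channel carried."""
    sms = SmsChannel()
    svc = VerificationService(sms)
    if pin_set_by_owner:
        svc.set_registration_pin(VICTIM, pin_set_by_owner)
    svc.start(VICTIM)
    _, text = sms.intercepted[-1]               # the code as seen on the signalling path
    return svc.finish(VICTIM, text.split()[-1], pin_presented)
```

With no PIN set, the intercepted code alone is enough to take over the number; with a PIN set, the same intercepted code is refused unless the PIN is also presented, which is the property a service-level extra measure has to provide.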