SS7 spookery on the cheap allows hackers to impersonate mobile chat subscribers

Flaws in the mobile signalling protocols can be abused to read messaging apps such as WhatsApp and Telegram. Security researchers at Positive Technologies found they can intercept messages and respond as if they were the intended recipient in services such as WhatsApp or Telegram. This is not a man in the middle attack: …

  1. DryBones

    So wait. They're not passing a PGP / encryption key pair? What?

    1. Anonymous Coward

      Yeah, this makes no sense. I could see needing some SMS support for the first WhatsApp message, but after that it should be IP only like iMessage I would think?

      1. Anonymous Coward

        The SMS stage is just for account verification, which is useful for having the same account on multiple devices (eg phone + tablet).

        That it can be intercepted by a third party who is setting up your account on their own device is a bad thing.

    2. Skoorb

      Here's how it works:

      In WhatsApp, your handle/username is your phone number in E.164 format (so +441242221491 for example).

      To verify you control that number, when you register, WhatsApp sends the number you enter a verification SMS, which if you receive it authenticates you to access the account associated with that number.

      There's something I don't get though. I thought that the SMS contained a random 6 digit number, which had to be entered into the app and transmitted to the server for validation. Only if that number matches what was sent in the SMS does the server authenticate the request. How the heck does SS7 signalling allow you to intercept incoming SMS messages directed to someone else's number?

      Anyone care to explain this?

      1. Anonymous Coward

        I don't know the details, but that's trivial for SS7 attacks. They can also intercept your calls or listen in on them. No need to compromise your phone when compromising SS7 is so much easier.

  2. Christian Berger

    The problem is the mindset

    There are people in the telco business who still believe that their networks are somehow sacred and that nobody with a bad intention can get in there. That's why some telcos will happily provide you with the username of the PPPoE session the user is using on the first invite.

  3. Anonymous Coward

    And that..

    .. ladies and gentlemen, is why you always have a side channel key confirmation before you trust a connection, otherwise it's not Man In The Middle proof.

    I'm a bit disappointed, that has been a standard component for most pretend secure (usually ZRTP based) VoIP apps for years (I say pretend because there are very few who are able to withstand independent audit). At least they got that bit right.

    1. phuzz Silver badge

      Re: And that..

      Well, this is using a side channel (SMS) which is separate from the main channel (eg WhatsApp), but unfortunately the side-channel has much lower security than necessary.

    2. Anonymous Coward

      Re: And that..

      What side channel would you recommend? SMS is compromised, how about email? Yeah that travels in cleartext most of the time, and email hacks are regular. Carrier pigeon, perhaps?
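Added example, not part of any comment in this thread and not WhatsApp's, Telegram's or ZRTP's own code: the key confirmation discussed above, showing how a client that pins a contact's identity key and compares a fingerprint out of band notices when a number is registered again from another device. The fingerprint format, class names and phone numbers are assumptions made for the example, and random bytes stand in for identity public keys.

```python
import hashlib
import secrets

def fingerprint(id_a: str, key_a: bytes, id_b: str, key_b: bytes) -> str:
    """Short string both parties read to each other over a separate channel."""
    h = hashlib.sha256()
    # Sort so both sides hash the same bytes regardless of who is "a".
    for ident, key in sorted([(id_a, key_a), (id_b, key_b)]):
        for field in (ident.encode(), key):
            h.update(len(field).to_bytes(2, "big") + field)  # length-prefix each field
    n = int.from_bytes(h.digest()[:10], "big")  # truncate the digest for readability
    digits = f"{n % 10**20:020d}"
    return " ".join(digits[i:i + 5] for i in range(0, 20, 5))

class Directory:
    """Server-side map of phone number -> current identity key (hypothetical)."""
    def __init__(self):
        self.keys = {}
    def register(self, number: str, identity_key: bytes) -> None:
        # Assumes the SMS code was returned correctly; the server cannot
        # tell which device actually received that SMS.
        self.keys[number] = identity_key

class PinnedContacts:
    """Client-side trust-on-first-use store that flags identity key changes."""
    def __init__(self):
        self.pins = {}
    def check(self, number: str, key: bytes) -> str:
        old = self.pins.get(number)
        if old is None:
            self.pins[number] = key
            return "first-use"
        return "ok" if secrets.compare_digest(old, key) else "changed"

def demo() -> dict:
    alice, bob = "+440000000001", "+440000000002"  # constructed numbers
    a_key, b_key = secrets.token_bytes(32), secrets.token_bytes(32)
    server, pins = Directory(), PinnedContacts()
    server.register(alice, a_key)
    server.register(bob, b_key)
    first = pins.check(bob, server.keys[bob])
    alice_view = lambda: fingerprint(alice, a_key, bob, server.keys[bob])
    bob_view = fingerprint(bob, b_key, alice, a_key)  # shown on Bob's own device
    verified = alice_view() == bob_view  # compared in person or by voice
    server.register(bob, secrets.token_bytes(32))  # same number, new device and key
    after = pins.check(bob, server.keys[bob])
    return {"first": first, "verified": verified, "after": after,
            "still_matches": alice_view() == bob_view}

if __name__ == "__main__":
    print(demo())
```

The SMS step only decides who may register a key for the number; the pinned key and the fingerprint comparison are what reveal that the key behind the number has changed.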

  4. Bronek Kozicki

    Interesting

    EFF gives Telegram (secret chats) all green points. I wonder whether EFF missed something or the problems reported do not affect "Telegram (secret chats)", only "less secure" Telegram.

    1. Anonymous Coward

      Re: Interesting

      Rumors are that the various governments have already pwned Telegram. Who knows if it's true though.

  5. This post has been deleted by its author

  6. cspsprotocol

    It's not as easy as it looks. The SS7 connection is not available to a common person, and why would a company do a hack?

    https://www.cspsprotocol.com/connect-on-ss7-or-sigtran/

    https://www.cspsprotocol.com/ss7-hack/
