back to article SS7 spookery on the cheap allows hackers to impersonate mobile chat subscribers

Flaws in the mobile signalling protocols can be abused to read messaging apps such as WhatsApp and Telegram. Security researchers at Positive Technologies found they can intercept messages and respond as if they were the intended recipient in services such as WhatsApp or Telegram. This is not a man in the middle attack: …

  1. DryBones

    So wait. They're not passing a PGP / encryption key pair? What?

    1. DougS Silver badge

      Yeah, this makes no sense. I could see needing some SMS support for the first WhatsApp message, but after that it should be IP only like iMessage I would think?

      1. Anonymous Coward
        Anonymous Coward

        The SMS stage is just for account verification, which is useful for having the same account on multiple devices (eg phone + tablet).

        That it can be intercepted by a third party who is setting up your account on their own device is a bad thing.

    2. Skoorb

      Here's how it works:

      In WhatsApp, your handle/username is your phone number in E.164 format (so +441242221491 for example).

      To verify you control that number, when you register, WhatsApp sends the number you enter a verification SMS, which if you receive it authenticates you to access the account associated with that number.

      There's something I don't get though. I thought that the SMS contained a random 6 digit number, which had to be entered into the app and transmitted to the server for validation. Only if that number matches what was sent in the SMS does the server authenticate the request. How the heck does SS7 signalling allow you to intercept incoming SMS messages directed to someone else's number?

      Anyone care to explain this?

      1. DougS Silver badge

        I don't know the details, but that's trivial for SS7 attacks. They can also intercept your calls or listen in on them. No need to compromise your phone when compromising SS7 is so much easier.

  2. Christian Berger Silver badge

    The problem is the mindset

    There are people in the telco business which still believe that their networks are somehow sacred and that nobody with a bad intention can get in there. That's why some telcos will happily provide you with the username of the PPPoE session the user is using on the first invite.

  3. Anonymous Coward
    Anonymous Coward

    And that..

    .. ladies and gentlemen, is why you always have a side channel key confirmation before you trust a connection, otherwise it's not Man In The Middle proof.

    I'm a bit disappointed, that has been a standard component for most pretend secure (usually ZRTP based) VoIP apps for years (I say pretend because there are very few who are able to withstand independent audit). At least they got that bit right.

    1. phuzz Silver badge

      Re: And that..

      Well, this is using a side channel (SMS) which is separate from the main channel (eg Whatsapp), but unfortunately the side-channel has much lower security than necessary.

    2. DougS Silver badge

      Re: And that..

      What side channel would you recommend? SMS is compromised, how about email? Yeah that travels in cleartext most of the time, and email hacks are regular. Carrier pigeon, perhaps?

  4. Bronek Kozicki Silver badge


    EFF gives Telegram (secret chats) all green points, I wonder whether EFF missed something or the problems reported do not affect "Telegram (secret chats)", only "less secure" Telegram

    1. Anonymous Coward
      Anonymous Coward

      Re: Interesting

      Rumors are that the various governments have already pwned Telegram. Who knows if it's true though.

  5. This post has been deleted by its author

  6. cspsprotocol

    Its not that easy it looks. The ss7 connection is not available to a common person and a company why would do an hack.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019