A security researcher in Germany eavesdropped on the cellphone conversations of US congressman Ted Lieu. The researcher didn’t need to hack Lieu’s phone, or install spyware on it—all he needed was his phone number.
The researcher, Karsten Nohl, was able to spy on Lieu thanks to flaws in Signaling System No. 7, or SS7, a little-known telephone protocol that dates back to the 1970s and is part of the backbone of the global telecommunications network. In response to this dramatic demonstration, Lieu has called for a congressional investigation into SS7’s weaknesses, and to protect his communications he’s started using WhatsApp, a chat app that provides end-to-end encryption for calls and messages.
But it turns out that even WhatsApp, chat app Telegram, as well as any other app or service that relies on cellphone networks in some capacity, are vulnerable to SS7 attacks because they use text messages to register and activate users.
“Everything that relies on the secrecy of SMS is broken and has been broken ever since SS7 existed,” Nohl, who demonstrated how SS7 can be hacked back in 2014, told Motherboard.
The cellphone’s underlying mobile phone network is “probably the weakest link in our digital protection chain.”
Telegram stores the chat history on its servers, allowing users to access it when they log in from different devices. Chatting across devices and seeing past messages are “core features for tens of millions of our users,” according to Telegram’s spokesperson Markus Ra.
“Removing them would mean a dramatic downgrade for the larger part of Telegram's audience,” Ra told Motherboard in an email. “So as a counter-measure we're beginning to suggest users in countries with the highest risk level for such threats to turn on 2-step verification.”
When they tested WhatsApp, the researchers didn’t get access to users’ chat history, as the app doesn’t store it. But they could have still impersonated the victim. (WhatsApp did not respond to a request for comment.)
The main problem with an attack like this one is that the victims really can’t do anything to prevent it, according to Nohl.
If you use WhatsApp, you can mitigate the risks of this attack by turning on “Show Security Notifications” in the security settings.
This way, if one of your contacts gets hacked, you will be notified when his or her “security code,” or encryption fingerprint, changes. If that happens, you should check with your friend, using a different communications channel (say, in person, on the phone, or via another secure app), that everything is OK, and verify the new code.
In the case of Telegram, if you’re worried about getting hacked or spied on, turn on two-step verification, and use secret chats as much as possible, given that those don’t get stored on the server. (It’s also worth remembering that Telegram has long been criticized for its security and encryption practices.)
As security expert Martijn Grooten put it on Twitter, the big takeaway from the experiment by Positive Technologies is that “end-to-end encryption is easy, [but] authentication is hard.”