It’s still easy for hackers to attack WhatsApp and Telegram (in spite of end-to-end encryption)

hackersDuring the last few months we’ve witnessed a huge debate generated by the decision of WhatsApp owners to introduce end-to-end encryption to further secure its users safety and privacy. And while users all over the world seem to appreciate this service, some governments (first of all USA government) don’t think that the instant messaging app should push security this far. But this problem doesn’t seem to exist anymore, since another flaw in the security system has arisen.

In fact a new research has demonstrated that hackers can easily breach the security system of WhatsApp and Telegram and even impersonate their targets. The main flaw is the Signaling System n. 7 (or SS7). What is SS7? It is an international telecommunications protocol standard developed in 1975 that allows different mobile operators to exchange information over a signalling network. Well, now Positive Technologies reports that SS7 is vulnerable and hackers with even basic skills could perform dangerous attacks, leading to data leaks, financial loss or disruption of services.

And apps like WhatsApp, Telegram, Facebook and Viber use an authentication system that is routed through SS7 signalling, that’s why hackers could be able to steal users’ identity and impersonate them (virtually). Positive Technologies explains that for their experiment it was used just a simple Linux-based computer and a SDK. This shows that potential hackers don’t even need sophisticated tools. According to Positive Technologies, the main problem is that the SS7 signalling technology, since 1975, has never been really updated.

But this problem is not new to security experts, who, in 2014 during the 31st Chaos Communication Congress held in Germany, gave a warning about its lack of security measures. And that’s what Alex Mathews, technical manager EMEA of Positive Technologies, affirms concluding the last report of Positive Technologies: “Service providers such as WhatsApp need to consider introducing additional mechanisms to verify the identity of users to stay secure“.