When known security issues regarding the global telephone network were resuscitated by the American television program 60 Minutes last month, we reassured people that end-to-end-encrypted, Internet-based services such as WhatsApp would stay safe. We may have been wrong.
WhatsApp and a similar mobile encrypted-messaging service, Telegram, both use SMS (text) messages to verify user identities. And, as Positive Technologies, a London-based security firm, said in a blog post today (May 6), SMS messages could be redirected by someone with privileged access to Signaling System No. 7 (SS7), the protocols that let telecommunications companies around the world direct calls or SMS messages to any landline or cellphone.
That means that if a hacker got into the SMS-addressing functions of SS7, he or she might be able to register a new device to your existing WhatsApp or Telegram account without you knowing it.
With a duplicate account, the attacker would be able not only to read all the encrypted messages you send and receive using WhatsApp and Telegram, but also to send messages as you. Your WhatsApp and Telegram contacts would have no idea it's not you.
In the blog posting, Positive Technologies researchers demonstrated how this process might work, using the free network-analysis tool Wireshark to capture cellular traffic. They replicated the capture of a phone's International Mobile Subscriber Identity (IMSI) number, and the redirection of SMS messages sent to that number.
Then the researchers installed Telegram on a phone and registered the app to a Telegram account already registered to a different phone — and showed how the SMS verification code meant for the second (real) phone went to the first (fake) phone instead. They did the same with WhatsApp.
Via email, a Positive Technologies spokesperson told us that the company had developed its own SS7 scanner that intercepted and modified SS7 packets.
(We've asked Facebook, which owns WhatsApp, for comment and will update this story if we receive it.)
"Mobile operators need [to] improve their signaling security and make it difficult for attackers [to] intercept various communications," said the Positive Technologies blog posting. "And messaging services like WhatsApp need to add another layer of verification [of] the users' identity to avoid such interceptions in future."
Of course, if someone is already redirecting text messages sent to your phone, you've got other problems to worry about. Control of SS7 also lets malefactors automatically forward calls to third-party devices without you knowing it.
But this problem exposes a weakness in the SMS-based two-step-verification system used not only by WhatsApp and Telegram, but also by Google, Amazon, LinkedIn and dozens of other services. (Facebook's two-step-verification system uses the Facebook app itself and is more secure.)
The silver lining to all this bad news is that it's normally not that easy to get into the SS7 system. However, with approximately 800 different telecommunications companies worldwide using SS7, some will have weaker security than others. And SS7, which was set up during the 1970s, doesn't ask for internal verification of commands once you're in the system.
The upshot is that if you think you might be the target of a national intelligence agency, or a very sophisticated criminal enterprise, or very determined security researchers, don't trust messaging systems that use SMS verification codes to verify your identity.
[Editor's note: We originally stated that Positive Technologies had developed a tool that extracted SS7 packets over the air. That's apparently incorrect -- the tool works a different way. Tom's Guide regrets the error.]