With the growing threat of cyber terrorism, no one is completely safe anymore. Even WhatsApp and Telegram's sophisticated end-to-end (e2e) encryption cannot stop the hackers from getting in.
The Next Web reports that there are instances wherein it is not the application that is not secure. In this video uploaded by Forbes, Positive Technologies demonstrates how hackers can take advantage of the vulnerability of the much talked about Signaling System 7, or SS7 for short, which is the backbone of telecoms networks.
In both videos, victim John Doe, and his friend Luke Vader, is having a casual chat on WhatsApp and Telegram. The third person, the hacker, wants to intercept these messages. The hacker proceeds to conduct an attack via SS7 network and gets subscriber data.
The hacker then exploits the SS7 vulnerabilities to trick a home subscriber network and register John in a fake roaming network. The hacker is now able to intercept John's calls and text messages. The hacker takes advantage of this and logs in to WhatsApp and Telegram. Hacker requests for verification code to be sent so he can gain access.
The hacker was able to hack into Telegram within two minutes. The first attempt to get the verification code for John's WhatsApp via text message failed to arrive, so he asked for a call to be made instead. The hacker can now read and spoof messages.
So how can this happen? The hacker does not try to bypass the encryption of the app itself. Instead, he manipulates SS7, tricking the system into thinking that the victim's and the attacker's phone number are the same.
It is easy to ask for the SS7 to be fix to avoid vulnerabilities in the future, but as The Next Web reports, no one is actually in charge of SS7. The publication reports that it is impossible to get the SS7 vulnerabilities sorted unless someone is appointed to take care of it and maintain it.
The Next Web also speculates that the reason why there is no attempt to fix the issue is that someone, probably intelligence agencies like the CIA, does not want it to be fixed. Unless there's someone who can govern the SS7, or if no one is preventing anyone from fixing it, then users will remain vulnerable to attacks like these, TNW concludes.