A few days ago we talked to you about the basic concepts of cryptography and how an encrypted communication between two users works; today we talk about security again because the news we are about to give you concerns two of the most popular messaging apps, that is WhatsApp e Telegram.
WhatsApp and Telegram both have end-to-end (E2E) encryption by default and for this reason conversations are much more difficult for outsiders to track. Sometimes, however, it is not the application that has a security vulnerability but it is something completely different. In this case, as you can see from the video above and below, that "something else" is the Signaling System 7 (SS7), a global network of carriers that acts as a central hub to connect the world.
The "nice" thing is that the SS7 vulnerability is certainly not a secret and has been known for years: unfortunately it is not easy to fix but we will talk about it later.
Why does this happen?
In general, encrypted messaging applications are hacker / cracker proof because the key to decrypt the message rests on each end of the conversation (you and your friend). Intercepting the message in the center - the well-known attack Man-in-the-middle - it is always possible but the attacker would have gained nothing but a message that he cannot decipher.
However, these two hacks you see in the videos are not referring to an attack on WhatsApp or Telegram encryption but are attacking the SS7 vulnerability. The procedure is as follows: everything is done by tricking the telecommunications network by making the attacker's phone believe that it has the same number as one of the two victim users. Now the attacker simply needs to create a new WhatsApp or Telegram account and receive the secret code that authenticates their mobile phone as the legitimate account holder.
Once the procedure is complete, the attacker can check the account and have the ability to send and receive messages.
Why can't SS7 vulnerability be fixed?
SS7 is a global network of telecommunications companies, which means that no one actually owns or governs telecommunications. Every change goes against the bureaucracy and the lack of decent options and there is no body that "governs" and manages the global network above the parties: in short, everyone does their own thing or what the bureaucracy requires. Until then, the vulnerability will remain.