When WhatsApp announced last month that it was turning on end-to-end encryption for every one of its 1 billion users, it was hailed as a historic achievement and a major stance in Silicon Valley’s ongoing battle with the U.S. government over access to communications. No longer could intelligence agencies read any message, see any photograph or watch any video sent using WhatsApp — except, of course, they could.
WhatsApp’s encryption is not the problem, but just like Google, Facebook and most banks these days, it relies on sending SMS messages to verify users, and this means using an outdated system that is vulnerable to attack, allows hackers to impersonate their targets and, in the case of WhatsApp, lets cyber-thieves steal your chat histories.
The network on which WhatsApp and others send SMS messages to verify user identity is called Signaling System 7 (SS7), which was developed in the 1970s and has never been revised or improved. At the time, the security was based on the fact that no one could remotely access the private network, but that hasn't been true for a long time.
Researchers at Positive Technologies have revealed they are able to conduct tests that allowed them to impersonate their target on the network, grab the verification code from the SMS sent by WhatsApp and communicate with the contacts who believed they were communicating with the target.
Because WhatsApp offers users the ability to back up all their chat logs to Google Drive, an attacker who has compromised the account is also able to download the entire chat history of their target if it has been backed up.
“While messaging services such as WhatsApp and Telegram have introduced end-to-end encryption to protect users’ communications, vulnerabilities in the SS7 network on which they rely render these security enhancements redundant,” Positive Technologies' Alex Matthews told International Business Times, adding that carrying out these attacks was not difficult.
Matthews warned that no one should be relying on the outdated network for anything to do with verifying users if they want to remain secure. “None of these mechanisms, these core functions, should be used for user verification, because in our research in the last year we have seen that all these core functions can be manipulated.”
WhatsApp says it has built in security measures to “mitigate SS7 vulnerabilities,” pointing to the fact that users get alerts when their contacts change a security code. However this setting — called Show Security Notifications — is not the default, so it has to be turned on.
Positive Technologies also demonstrated it was capable of carrying out similar attacks against Telegram, the privacy-focused messaging app that recently announced it had 100 million users. While the researchers were able to impersonate their target and communicate with contacts, they were not able to read communications that used Telegram's “Secret Chats” feature, which is used by those seeking to communicate with an added layer of privacy.
The vulnerabilities in the system are clear, but one security researcher doesn’t believe that WhatsApp’s billion users should be overly worried. “I think it is niche,” Sean Sullivan, security advisor at F-Secure Labs, told IBT when describing the level of threat to a typical user.
Sullivan said that if an intelligence agency wanted to hack into someone’s WhatsApp account, “they are just going to sit there with the operator and catch the SMS.” While this may alert the operator to the agency’s surveillance, it won’t alert the target.
There are, however, some situations where Sullivan believes the vulnerabilities in SS7 could be exploited against a more typical user. “A private detective in a very serious divorce case, involving a lot of alimony,” Sullivan says, could use this method, outlining that it would give them access to chat histories that could prove infidelity.
A recent "60 Minutes" investigation exposed further vulnerabilities in the SS7 network, allowing researchers to monitor both sides of a conversation knowing only the phone number of the target phone. This followed an investigation in Australia last August that exposed similar problems.
Encryption is seen by many as a silver bullet to provide a level of privacy and security that protects their communications from surveillance. As Positive Technologies’ research shows, this is simply not the case — and it is not just limited to WhatsApp or to SS7.
As security expert Nicholas Weaver highlighted last August, iMessage — which also encrypts all messages end-to-end — has some significant vulnerabilities. As well as failing to obscure any metadata, “there is a sin-of-omission in iMessage that enables Apple to support wiretapping iMessage,” Weaver says, describing a method of impersonating a target’s phone.
“Apple, I’m very confident, hasn’t engineered any ability to silently add something to your iCloud, turning your private conversation into a party line,” Sullivan says. “I only have my trust in Apple engineering-wise, but it is certainly not beyond Apple’s ability to do.”
Additionally, this week John McAfee, presidential candidate for the Libertarian Party and former anti-virus pioneer, claims to have been able to read encrypted WhatsApp messages by exploiting a flaw in the Android operating system — something he says he can also do for Snapchat messages.
McAfee and his team of researchers have yet to reveal exactly how they managed this feat, saying they will do so once they've discussed the flaw with Google.