WhatsApp has recently announced that all its chats are protected by end-to-end encryption, meaning that only the sender and receiver will be able to read the messages in a conversation. Telegram offers end-to-end encryption too in secret chats. But hackers can read WhatsApp and Telegram conversations with relative ease if they wanted to, and that’s all without breaking encryption.
The following videos, published on Forbes, shows how easy it is to hijack WhatsApp and Telegram accounts. Because these chat services use your phone number, hackers can take advantage of known flaws in wireless communication standards to snoop on your chats.
Specifically, SS7 vulnerabilities are used to trick a telecom operator that the hacker’s phone has the same number as the target. Since WhatsApp is tied to a phone number, all the hacker has to do to get access to someone’s account is to clone the target’s device using these vulnerabilities.
After obtaining the verification code from WhatsApp, they’ll be able to access WhatsApp messages sent to the target, and even retrieve a history of messages in case they’re backed up to the cloud. At least the target will get a prompt telling them that their WhatsApp account is used on a different device. Meanwhile, Telegram secret chats (which are end-to-end encrypted) can’t be accessed using this method. You can see the hacks in the following videos.
Why isn’t anyone fixing SS7 issues? As The Next Web explains, SS7 is a global network of telecom companies, so it’s pretty difficult to manage. SS7, short for Signaling System No. 7, is the network that connects one mobile phone network to another. Essentially, this is part of the backbone of wireless networks. Once a hacker obtains access to it, he or she can do a lot more than snoop on chats. They can listen in to phone call conversations, forward calls, and access SMS messages.
In other words, these kind of vulnerabilities are exactly the kind of backdoors that intelligence agencies want from telecom and internet companies. As long as smartphone messaging and chat apps are tied to a device’s phone number, and as long these known SS7 vulnerabilities aren’t fixed, third-parties will be able to spy on virtually anyone.