Mobile networking experts from Russian security firm Positive Technologies revealed last week a new attack that abuses the SS7 mobile telecommunications protocol to let attackers impersonate mobile users and receive messages intended for other people.
Their proof-of-concept demonstration relied only on a cheap laptop running Linux and an SDK that enabled them to interact with the SS7 protocol.
SS7 protocol flaws have been known since 2014
The Signaling System No. 7 (SS7) protocol is a standard developed in 1975 that allows different mobile operators to interconnect their networks.
The protocol was never updated to take into account the advancements made in current mobile technologies and remains grossly outdated.
Many security experts have warned about its lack of proper security measures ever since 2014. Two talks given by researchers at the 31st Chaos Communication Congress in Germany are particularly well known. Positive Technologies was also among those raising the issue, releasing an in-depth report about the protocol’s issues in December 2014.
More recently, the protocol was subjected to public criticism after a CBS researcher, with the help of a German security firm, used SS7 weaknesses to track and spy on a US elected official.
New SS7 attack demo shows how to circumvent encrypted apps
With the protocol once again getting attention from the press, Positive Technologies has built on its previous research and published a blog post (in Russian, translated version) in which it details an SS7-based attack on encrypted communications carried out via apps such as WhatsApp and Telegram.
The researchers, using their Linux laptop, spoofed a mobile network node and intercepted the initial phase of a chat between two users of an encrypted app.
Because encrypted apps use SMS authentication to identify and authenticate users participating in encrypted conversations, the researchers didn’t bother to break the app’s encryption, but simply impersonated the second person in an encrypted communications channel.
To do this, they used loopholes in the SS7 protocol detailed in their 2014 research paper, which allow an attacker to intercept the incoming SMS messages used to identify users.
Their demonstration proved that surveillance agencies don’t necessarily need to crack encryption to spy on users, and can very well use the existing mobile networking infrastructure to carry out such operations. The attack is not tailored for WhatsApp or Telegram, and can be used for other apps such as Facebook Messenger or Viber, just to name a few.
Researchers intercepting Telegram conversations (third phone)