Flaws in the mobile signalling protocols can be abused to read messaging apps such as WhatsApp and Telegram.

Security researchers at Positive Technologies found they can intercept messages and respond as if they were the intended recipient in services such as WhatsApp or Telegram.

This is not a man in the middle attack: instead, the attacker is actually impersonating the victim's identity. The mechanism of the attack renders encryption offered by the apps irrelevant.

Alex Mathews, technical manager EMEA of Positive Technologies explained: “Chat applications such as WhatsApp, Telegram, and others use SMS verification based on text messages using SS7 signalling to verify identity of users/numbers.

“SMS authentication is one of the major security mechanisms for services like WhatsApp, Viber, Telegram, Facebook, and is also part of second factor authentication for Google accounts, etc. Devices and applications send SMS messages via the SS7 network to verify identity, and an attacker can easily intercept these and assume identity of the legitimate user. Having done so, the attacker can read and write messages as if they are the intended recipient.

If chat history is stored on the server, this information can also be retrieved, according to Positive Technologies.

This class of attack is, in the public imagination at least, the stuff of high end criminals and intel agencies. However, an intruder doesn’t need sophisticated equipment. Positive Technologies used a popular Linux based computer and a publicly available SDK for generating SS7 packets in order to pull off its demonstration hacks.

SS7 signalling technology was developed in the 1970s and hasn’t been improved or revised since even after systems became accessible over the internet, as a white paper (pdf) by Positive Technologies explains.

The process of placing voice calls in modern mobile networks is still based on SS7 technology which dates back to the 1970s. At that time, safety protocols involved physical security of hosts and communication channels, making it impossible to obtain access to an SS7 network through a remote unauthorised host. In the early 21st century, a set of signalling transport protocols called SIGTRAN were developed. SIGTRAN is an extension to SS7 that allows the use of IP networks to transfer messages. However, even with these new specifications, security vulnerabilities within SS7 protocols remained. As a result, an intruder is able to send, intercept and alter SS7 messages by executing various attacks against mobile networks and their subscribers.

Positive Technologies' isn't the first to warn about SS7. Security researchers at AdaptiveMobile have researched the issue in some depth, and there was a practical demonstration of SS7 vulnerabilities by white hats at the Chaos Communication Congress back in 2014.

SS7 vulnerabilities can be exploited to run all sorts of attacks that threaten the privacy of mobile subscribers including - but not limited to - discovering a subscriber’s location, disrupting a subscriber’s service, SMS interception, Unstructured Supplementary Service Data (USSD) forgery requests, voice call redirection, conversation tapping and disrupting the availability of a mobile switch.

Testing by Positive Technologies revealed that even the top 10 telecommunications companies are vulnerable to these attacks. After performing an initial attack using SS7 commands, a skilled hacker would be able to execute additional attacks using the same methods. For instance, if an intruder manages to determine a subscriber’s location, only one further step is required to intercept SMS messages or commit fraud, the company warns.

Attacks are based on legitimate SS7 signalling messages, so filtering won't work - it could undermine quality of service or network performance.

“If telecom and network operators protect their core telecom networks, it will improve the security of customers, but that’s not going to happen over night,” Mathews concluded. “Service providers, such as WhatsApp need to consider introducing additional mechanisms to verify the identity of users to stay secure.” ®