When WhatsApp announced last month that it was turning on end-to-end encryption for every one of its 1 billion users, it was hailed as a historic achievement and a major stance in Silicon Valley’s ongoing battle with the U.S. government over access to communications. No longer could intelligence agencies read any message, see any photograph or watch any video sent using WhatsApp — except, of course, they could.
WhatsApp’s encryption is not the problem, but just like Google, Facebook and most banks these days, it relies on sending SMS messages to verify users, and this means using an outdated system that is vulnerable to attack, allows hackers to impersonate their targets and, in the case of WhatsApp, lets cyber-thieves steal your chat histories.
The network on which WhatsApp and others send SMS messages to verify user identity is called Signaling System 7 (SS7), which was developed in the 1970s and has never been revised or improved. At the time, the security was based on the fact that no one could remotely access the private network, but that hasn’t been true for a long time.
Researchers at Positive Technologies have revealed that, in tests they conducted, they were able to impersonate their target on the network, grab the verification code from the SMS sent by WhatsApp and communicate with the contacts who believed they were communicating with the target…