
SS7 MITM Attack Against WhatsApp and Telegram - aethertap
http://news.softpedia.com/news/ss7-attack-leaves-whatsapp-and-telegram-encryption-useless-503894.shtml
======
moxie
This article glosses over a few important details.

The reason that end to end encryption exists is precisely because man in the
middle attacks are possible, and always will be. This kind of attack is
devastating for Telegram, because by default they don't use end to end
encryption, and instead store the entire plaintext history of every message
you've ever sent or received, all of which an attacker instantly gets access
to.

For WhatsApp, everything is end to end encrypted by default, so the attacker
doesn't get any message history. All of the contacts for the MITM'd user also
get a notice that their contact's security code changed, and a comparison will
fail to match. This is exactly what E2E was built to protect against.

~~~
Fry-kun
So many people confuse encryption with authentication... Suppose you're a
whistleblower trying to contact a reporter using WhatsApp. You've never met in
person, so you send a message over WhatsApp, "Hello!" The reporter replies,
"Hi!" You now have a big problem -- you don't KNOW that it was the reporter
who replied to you, it might've been a nefarious 3rd party who already
intercepted your original message and is now replying. WhatsApp's only
mechanism for checking if that's the case is comparing some numbers out-of-
band (e.g. in person, with QR codes). What's even more tragic is that WhatsApp
doesn't track/show which contacts you may have already authenticated.. good
luck remembering which of your 100 contacts are verified

~~~
Royalaid
Just curious, how would you solve the authentication problem? I worked on a
semester long project building decentralized chat and found this as well as
bootstrapping to a node that you could trust be some of that hardest problems
to solve because it always boiled down to just trust.

~~~
viraptor
Out of band, very public signatures. Of course this only works for fairly
known people, but the reporter example could be easily covered by that
solution. Publishing signatures with every article for example.

This fails for two anonymous people... but that's "by design" of being
anonymous.

~~~
userbinator
_This fails for two anonymous people... but that 's "by design" of being
anonymous_

It's almost like a tautology: by definition, someone who is anonymous has no
identity to authenticate.

------
Animats
Is there a translation of how they got into SS7? Google rejects the PDF as too
large to translate.[1]

[1]
[http://www.ptsecurity.ru/download/PT_SS7_security_2014_rus.p...](http://www.ptsecurity.ru/download/PT_SS7_security_2014_rus.pdf)

~~~
Animats
Thanks. From that article: _" To access an SS7 network, attackers can acquire
an existing provider’s connection on the black (underground) market and obtain
authorization to operate as a mobile carrier in countries with lax
communications laws. In addition, any hacker who happens to work as a
technical specialist at a telecommunications operator, would be able to
connect their hacking equipment to the company’s SS7 network. In order to
perform certain attacks, legitimate functions of the existing communication
network equipment must be used. There is also an opportunity to penetrate a
provider’s network through a cracked edge device (GGSN or a femtocell)."_

So they don't have a way to break into WhatsApp without breaking into SS7
first. SS7 isn't publicly accessible, and it doesn't extend out to the air
link for mobiles. The attacker has to find a backdoor into SS7. The problem is
that, once on the SS7 network, you can send lots of messages which are
believed by telco networks. You can divert phone calls and set up MITM attacks
easily.

If this works against WhatsApp, their app lacks adequate MITM protection.

~~~
toomuchtodo
You can get the SS7 link for a few hundred bucks a month:

[https://www.youtube.com/watch?v=lQ0I5tl0YLY](https://www.youtube.com/watch?v=lQ0I5tl0YLY)

Its an hour, but I highly suggest the talk.

~~~
bogomipz
But you can just connect to a carrier SS7 network because you bought an SS7
gateway appliance or because bought a SIP trunk to some third party. It
doesn't work like this. You need to have an agreement with a carrier to even
talk to their gateway. These are usually well vetted as well because you are
entering into a financial agreement with a carrier when you connect to them
this way.

------
martinald
SMS verification really sucks. It's hugely helpful because it is an 'open
social graph' to use a Zuckerbergism. However, it's not at all designed to do
this. It's like the problem with SSL verifying ownership via email - ok at
first sight, but then say you run a webmail service and you can register
webmaster@, game over without any crypto bother. Or just trojan the webmaster@
mailbox and get control over the guy that runs it and issue a valid cert.
Insta-MITM.

Mobile numbers are easy to spoof and easy to port away from people. In most
countries telco regulators look at how easy it is to port cell numbers as a
badge of honour on how efficient their mobile regulation is. Just like
everything, attackers will rush to the easiest point of failure. In this it's
SMS and using phone numbers as a trusted identifier.

In the UK you need to get a "PAC code" to change provider, but it's not hard
to social engineer that if you went through someones trash and grabbed an old
cell bill. The number will be ported in a day or less and even worse, there's
no way for you to port it back quickly since you'll have no idea who it's got
to. And with it your WhatsApp, etc will all be gone security wise.

All this talk of "oh just enable these super warnings and scan QR codes" is
nonsense. People port phone numbers and move phones all the time, these
warnings can't be this strong otherwise half your phonebook would false
positive.

------
dbalan
SS7 is broken beyond repair, infact it being a walled garden is the only
security it ever had.

This ccc talk is a good intro - [https://media.ccc.de/v/31c3_-_6122_-_en_-
_saal_1_-_201412271...](https://media.ccc.de/v/31c3_-_6122_-_en_-
_saal_1_-_201412271830_-_mobile_self-defense_-_karsten_nohl)

~~~
bogomipz
SS7 is not broken at all. It's an extremely robust protocol thats been around
forever. It was designed to work in the closed Bell system not designed for an
idea 40 years in the future. Its not uncommon for an SS7 gateways to have 6
9's of uptime. Yes 6. There is nothing broken about it.

~~~
nickpsecurity
Oh I disagree. High-security engineer Clive Robinson has been writing online
about SS7 and similar protocols risks for years. In posts like this...

[https://www.schneier.com/blog/archives/2015/08/ss7_phone-
swi...](https://www.schneier.com/blog/archives/2015/08/ss7_phone-
switc.html#c6703762)

...he points out that telecom and spy agencies were very tight in U.K. (and
often U.S.). Many features that benefit spying are there on purpose. As he
predicted, they continued to be a problem in upgrades due to the compatibility
argument and downgrade attacks following. Worst, certification or connection
to a major wireless standard might force you to include weak crypto or
security in your product.

It's all crap in terms of security. Sure they're reliable... amazingly so in
some cases... but they're not secure and that's on purpose.

~~~
tptacek
The parent commenter isn't claiming that SS7 is secure. Nobody thinks it is.

~~~
nickpsecurity
I may have misread it. The subject is SS7 security and here's the parent
comment:

"broken beyond repair... infact it _being a walled garden is the only security
it ever had_."

bogomipz countered with how robust the protocol is. Your critique is true if
bogomipz was only countering the words "broken beyond repair" with no context.
In context, though, the counter would imply disagreement with the security
claim.

"isn't claiming that SS7 is secure. Nobody thinks it is."

Hopefully true. :)

------
jwr
The real problem is not Telegram or WhatsApp, it's the banks that insist on
using SMS as a secure authentication channel for authorizing transactions.

~~~
espadrine
The real problem is that there is no alternative to SMS for GSM messaging.

It is one of those protocols that won't die nor get replaced, like email.

~~~
peterwwillis
WhatsApp and TOTP apps can already replace SMS for verification. The only
problem is 2FA providers are still choosing to use SMS.

~~~
kbart
Not everyone uses WhatsApp or other 3rd party app while SMS is enabled by
default on all user phones, even "dumb" ones (still used by many people around
the world). I use Signal, many friends use WhatsApp, others Telegram etc. Do
you expect a bank to support them all or somehow enforce installation of their
app of choice?

~~~
peterwwillis
They should enforce one app. Since WhatsApp has the correct design and has a
billion or more users, I suggest that one.

~~~
kbart
So when another new, shiny app made by some walled garden company shows app,
bank should enforce that instead? My bank is using mobile signature(1) and I
think it's way superior to any app, because the encryption part is done inside
SIM which has quite good security record. There's simply no way I would trust
Facebook (via WhatsApp) with my financial data.

1\.
[https://en.wikipedia.org/wiki/Mobile_signature](https://en.wikipedia.org/wiki/Mobile_signature)

------
vezycash
>...encrypted apps use SMS authentication to identify and authenticate users
participating in encrypted conversations

Is this true? Because it's common knowledge that SMS is insecure. So I don't
understand how why anyone would want to use it for secure authentication -
especially in the case of Whatsapp.

~~~
april1stislame
Ask Moxie? He uses it for Signal also, and unlike WhatsApp, Signal is "sold"
as secure...

~~~
pfg
I don't think anyone has implied that E2E-crypto without out-of-band key
verification is bulletproof. Both WhatsApp and Signal allow you to do that.

~~~
lucb1e
And Telegram. If someone bothers checking this they'd also use Telegram's
secret chats which do have open source end to end encryption.

------
bogomipz
I realize every new outlet on the internet is regurgitating this story but if
I call you via whats app and are both using wifi does the communication even
transit an SS7 gateway at all? Why would it? Also SS7 is generally a closed
system, not anyone can connect to an SS7 gateway. To signal to a carrier's SS7
gateway you have to either be a subscriber or carrier that has agreement with
the owner of a SS7 gateway to terminate traffic, since this is how calls are
billed. For an external carrier to connect to another carriers SS7 gateway
they need to know your "code points"(kind of like an IP address for SS7.) in
advance. There wasn't a lot to go on in the google translated doc.

------
superkuh
Stop using/requiring phone system in internet based instant messengers.

------
subliminalpanda
All the more reason to find an alternative to SMS based authentication.

It is somewhat comforting to know that message history cannot be retrieved
from WhatsApp or other E2E apps like Threema.

~~~
mauropolli
Threema isn't affected by this as it uses a randomly generated ID as unique
identifier, not your phone number.

------
pepijndevos
To mitigate this issue on WhatsApp, enable security notifications in settings
and verify your contacts QR code.

If you go to a contact there is a QR code you can scan to verify a contact. If
the code of a contact changes, WhatsApp will tell you.

------
leecarraher
i can't say much for telegram as their encryption has been broken, and is not
an openned, but whatsapp's new signal protocol designed by moxy marlinspike
doesn't use sms to authenticate. It doesn't by default require authentication,
but rather has it as an option and the option generates a long 80 character
passcode or QR code, to be communicated in person or via some out of band
communication channel, similar to threma. Maybe they are talking about old
whatsapp?

~~~
pfg
I think the article is referring to the fact that out-of-band key verification
is optional and isn't something that _most_ users will perform. If you're
doing out-of-band key verification with all your contacts, and have enabled
the setting that'll make WhatsApp notify you about key changes of your
contacts, this doesn't concern you.

~~~
moxie
_Most_ users probably aren't worried about targeted attacks from adversaries
who've compromised SS7, either. But the ones that are have an easy option.

------
zokier
So trust on first use -style system can be attacked by intercepting the
initial handshake? Yay... I suppose next the researchers will show how to MITM
SSH with free wifi hotspot.

------
danellis
When people perform attacks like this, how are they getting access to the SS7
network? Would they not need use of a (presumably expensive) trunk?

~~~
chinathrow
You pay someone giving you access. Check the YouTube videos up there, the talk
at the CCC is worth it.

~~~
lucb1e
Saw the talk live, can confirm it's worth watching.

------
jbob2000
> "The researchers, using their Linux laptop..."

My eye twitched a little when I read that. Is the author trying to suggest
that Linux is some hackers-only operating system?

~~~
AdmiralAsshat
Well, c'mon now. When was the last time you saw someone with a Linux laptop
that _wasn 't_ a hacker? :P

~~~
cmdrfred
Little kids with chromebooks.

~~~
JustSomeNobody
You should watch them more closely. Little kids are devious.

:)

~~~
qwertyuiop924
Yeah. Back in the days of 2012 when schools used Macs, some of the kids caught
on to the fact that SSH and Terminal existed because I was using them. Now
NOBODY is safe. :-D

