Yesterday, FORBES published a profile of a $20 million spy service that exploits weaknesses in a critical piece of telecoms networks known as SS7, short for Signalling System No. 7. The company claimed it was able to surveil any phone from anywhere on the planet with just a telephone number.
The firm, Ability Inc, abuses much-publicised problems in SS7 that allow hackers to spy on users’ calls and text messages by tricking operator networks into routing connections through their own phones.
But snoops using these techniques can’t break the encryption deployed by the likes of WhatsApp, Telegram and Signal – three of the most popular security-focused apps. It would take extreme compute power to actually determine how users communications were encrypted, effectively using machines to guess how encryption keys were created by algorithms.
The cryptography also means that even where snoops are able to redirect data to their own machines – as Israeli company Ability claims its licensed Unlimited Interception System will soon do – it would be unreadable. Ability CEO Anatoly Hurgin told me it doesn’t provide its customers with a way around that protection.
But hackers can bypass the encryption protections by exploiting SS7 to create duplicate accounts that receive all the messages intended for the target phone.
This is done by tricking the telecoms networks into believing the hacker’s phone has the same number as the target’s. That means they can set up a new WhatsApp or Telegram account with the same number and will receive the supposedly secret code that confirms they are a “legitimate” user. From there, they can impersonate their target, sending and receiving new calls and texts.
What you can do to protect yourself
As much as Positive’s hacks might scare users off running such apps, they are all cheaper and more secure than standard SMS texts. Using the call functions over them should protect the person’s conversations from spies on the line too, unless the hacker can do a very good impression of the target, convincing enough for the caller to divulge secrets.
Karsten Nohl, a security researcher renowned for his SS7 work, recommends using those aforementioned apps for their end-to-end encryption, which prevents “men-in-the-middle” from redirecting readable communications to their phones.
Extra-paranoid users should verify their contacts’ key fingerprints, says Nohl. These are the unique strings of letters and/or numbers attached to accounts that can be crosschecked for validity.
For instance, some use Twitter TWTR -1.31% profiles to post their fingerprint. If it’s the same one attached to their WhatsApp account, you can be a little more confident that account is owned by the real user. The fingerprint will look something like my own PGP key fingerprint (for encrypted email): 19A0 3F37 B3B7 4C1E C1D1 9AA4 5E37 654C 1660 B817.
In WhatsApp, the fingerprints are 12 five-digit blocks. You can find a contact’s fingerprint by clicking the “View contact” and “Verify security code” options in the menu bars at the top right hand corner of conversations. The Facebook FB -0.06%-owned company also has a feature that lets users scan a barcode that will check the accounts are legitimate and communications are end-to-end encrypted. This kind of check will help users avoid the kind of attacks showcased above.
But there’s an extra measure Android users can benefit from, using a free app created by Nohl. Every time a phone receives a call or a text message, they receive a silent “Paging” message. If only a Paging message and nothing else hits the phone, that’s a strong indication of SS7 attacks. Nohl created an Android mobile security app, SnoopSnitch, that detects when those suspicious messages hit the phone. The app, available on Google Play, also warns about nearby IMSI-catchers, also known as StingRays, which force phones to connect to them in order to hoover up texts and calls. There’s one caveat: users have to root their Android phone for it to work.
Ultimately, the networks can and are, albeit slowly, deploying firewalls that can create rules to prevent SS7 attacks from being feasible. That would both protect the average user and put a serious dent in the business of any surveillance provider trying to create profit from such attacks.