Last week, the public was excited about the news on the involvement of the security services to hack Telegram of opozitsionery. Throughout its existence, humanity has inexplicably tried to explain with the help of higher powers – the Gods. Nowadays all the strange things explain the machinations of intelligence agencies.
Positive Technologies experts decided to check whether you need to be an intelligence officer, to obtain access to others ‘ accounts Telegram and WhatsApp. It turned out that hack messengers for “wiretapping” is possible and the vaunted end-to-end encryption of correspondence plays no role.
For a start the developers have created a test account in the Telegram, exchanged several text messages:
Next was the attack carried out via the SS7 network on one of the test rooms. A breach in the security of telecommunication SS7 connectivity allows you to listen to phone conversations, read text messages and track location of any smartphone user, knowing only his phone number. Previously this was demonstrated by German hackers.
First, find out IMSI…
Will be rebooking on our subscriber terminal. The resulting profile of the subscriber, complete the procedure of re-registration of the subscriber:
Now the number of victims under full control. Initiate on any device the process of connecting to Telegram under the account of the victim (phone number) and get the coveted SMS…
After entering the code, developers are given full access to the account Telegram. Now they can not only engage in correspondence on behalf of the victim, but also to read all messages that the client Telegram courtesy of loads (phone on the right has a full copy of correspondence phone to the left):
However, to read the secret chats are not possible:
But you can create a new and correspond on behalf of the victim:
This was followed by the attack in the same pattern on WhatsApp. Access account received, however, because the messenger doesn’t store chat history on the server to access the messages that were previously failed. WhatsApp stores a backup copy of the correspondence in your Google Drive, therefore, to gain access to in addition to hack the Google account. But to carry on correspondence on behalf of the victim, so she won’t know about it – is quite real:
“How many times told the world that the one-time codes via SMS is not safe, because mobile communication is not secure, and the vulnerabilities affect not only technological network but SS7 and algorithms air interface encryption. Attacks on SS7 network can be done from anywhere in the world, and the possibilities of the attacker is not limited to hacking messenger. So now all of these attacks become accessible not only to intelligence but also to many others. It should be noted that all testing was done with default settings, i.e. in the regime in which the majority of users,” – concluded the experts.