Chat apps such as WhatsApp, Telegram or Viber should introduce extra measures to improve security, despite them having only just rolled out end-to-end encryption across their networks, according to researchers from security firm Positive Technologies.
The London-based software company highlights how the apps are reliant on Signalling System 7 (SS7), the much-maligned worldwide mobile phone network infrastructure, which harbours a vulnerability that means hackers can read texts, listen to calls and track mobile phone users.
End-to-end encryption doesn't eliminate this vulnerability, explained Alex Mathews, technical manager EMEA of Positive Technologies.
He said: "Telecommunications signalling for all services, like voice, text, etc., travels across the SS7 network. Chat applications such as WhatsApp, Telegram, and others use SMS verification based on text messages using SS7 signalling to verify the identity of users/numbers.
"The issue is that, as an attacker, access to the SS7 network can easily be purchased, the only negotiation being on the price paid."
It's now common for devices and applications to send SMS messages via the SS7 network to verify a user's identity, but a hacker can easily intercept these and assume the identity of the legitimate user, Mathews continued.
This gives the attacker the ability to read and write messages as if they are the intended recipient and retrieve any chat history the user has stored on the server.
Despite it being "almost impossible" to stop attackers as nobody monitors the SS7 network, Mathews claims there are things that can be done to improve security, including the protection of the core network by telecoms and network operators. However, he doesn't think that will happen any time soon.