SS7, a worldwide undernet of sorts for telecoms that facilitates basic communication, has a serious bug that leaves it vulnerable to a fairly simple attack based on having a user’s phone number. The hack is well known and well documented, but patching it would be quite difficult due to a need for worldwide compliance between all of the telecoms involved. With SS7 being such a widely known bug, naturally, everybody from carriers to app developers have to do what they can to help ensure that their products are as guarded as possible against the SS7 vulnerability. There is no such thing as 100% safety, of course, as WhatsApp and Telegram found out when security buff Thomas Fox-Brewster took to YouTube to reveal his hacks of their services based on the SS7 bug.
The way it works, in essence, is that by tricking the network into thinking that a designated phone, the “hacker”, is the actual owner of the target phone number, referred to as “the victim.” A hacker can use that to gain access to the intended victim’s account on both services. Essentially, all the hacker had to do was use the lost password option and choose to get into the account via phone number verification, including an SMS message and a phone call, made possible by the network thinking that the “hacker” phone had the “victim” number. From there, the hacker gains access to the account, which actually kicks the real victim out. If the hacker wants to keep the victim out for whatever reason, they have every privilege to close down the account or change the password.
While this is only shown with WhatsApp and Telegram, this hack has the potential to work for just about any app or service that uses a phone number to verify a user’s identity, even services like PayPal that deal with financial information. Even a user’s Facebook and Google account, under the right conditions, could even be compromised by this hack, as long as a hacker has the phone number in question. This only serves to underscore the severity of the SS7 bug and the importance of safeguarding against it in any possible way while worldwide telecoms work on getting a fix implemented.