Back to Home

How to hack Telegram and WhatsApp: special services are not needed / Positive Technologies blog

Telegram · SS7 · WhatsApp · instant messengers · hacking instant messengers · correspondence security · telecom · information security · special services

How to hack Telegram and WhatsApp: special services are not needed

    Last week, the public was agitated by the news about the possible involvement of special services in hacking accounts of oppositionists in the popular Telegram messenger. Throughout its existence, mankind has tried to explain everything inexplicable with the help of higher powers - the Gods. Nowadays, all obscure things are explained by the intrigues of the special services.

    We decided to check whether you really need to be a special service in order to gain access to someone else's Telegram account. To do this, we registered a test Telegram account, exchanged several test messages: And then we conducted an attack through an SS7 network to one of the test numbers (we wrote more about the attacks themselves earlier ). And here's what we got: First we find out IMSI ...











    We re-register the subscriber to our terminal ...



    We get the subscriber profile ... We









    complete the procedure for re-registering the subscriber ...



    Now the victim number is under our full control. We initiate on any device the procedure for connecting to Telegram under the victim's account (phone number) - and we get the coveted SMS ...



    After entering the code, we get full access to the Telegram account. Now we can not only conduct correspondence on behalf of the victim, but also read all the correspondence that the Telegram client kindly loads (the phone on the right has a full copy of the correspondence on the left): However, it is impossible to read secret chats: But you can create a new one and write on behalf of the victim:











    After that, we conducted an attack according to the same scheme on WhatsApp. Of course, we got access to the account, but since WhatsApp (supposedly) does not store the history of correspondence on the server, it was not possible to access the correspondence that was earlier. WhatsApp stores backup correspondence in Google Drive, so in order to gain access to it, you still need to hack a Google account. But to conduct correspondence on behalf of the victim, so that she will not know about it - it’s quite realistic: Conclusions: how many times the world was told that



    sending one-time codes via SMS is unsafe, as mobile communications are generally unsafe. Vulnerabilities are affected not only by the SS7 technological network, but also by air interface encryption algorithms. Attacks on the SS7 network can be carried out from anywhere in the world, and the capabilities of an attacker are not limited to hacking instant messengers. And now all these attacks are becoming available not only to special services, but also to many others. It is also worth noting that all tests were carried out with default settings, that is, in the mode in which most users work.

    Read Next