The fact that someone can spy on WhatsApp and Telegram, which have now become the center of our daily conversations, can immediately make the hair on your arms stand up.
We explained to you some time ago how this is theoretically possible but difficult to implement, however a recent "discovery" by the Milanese security firm InTheCyber shows that there is a viable method to do it; according to them it would be "child's play".
Practicable yes, even quite simple, but that in the real world could find a lot of difficulty.
Because? Simple: the whole thing is based on the fact that when authentication occurs (unauthorized) for connect to WhatsApp or Telegram il phone of the legitimate account holder must be turned off.
The flaw discovered by InTheCyber, as also reported by the Corriere, is not typical of WhatsApp or Telegram but concerns a weakness of the telephone answering system of English operators. The whole thing is based on the fact that both messaging systems authenticate on a device using a code sent via SMS (or via IM for Telegram, in some cases).
In case the authentication via SMS is not successful, it comes initiated an automatic call to communicate this code directly by telephone.
Spying on WhatsApp and Telegram: the answering machine arrives!
This is where the answering machine comes in; no, not that of WhatsApp, that of our telephone operator! Self the account owner's phone is switched off and has an active answering machine, the message containing the access code is left in the secretariat.
The weakness served: numerous English operators allow access the secretariat by simply calling from your number or by another number; in the latter case, you will need to specify the number of the mailbox you want to access and specify an access code. Not many users, unfortunately, change this code - and there are guides on the net that offer the default codes.
Among other things, there are some apps that allow you to "simulate" the caller ID of a number that is not really, thus misleading the answering machine and obtaining automatic access to it.
Moral of the story: theoretically, in order to have access to WhatsApp and Telegram, it is necessary to have the victim user's phone number, the default code of his answering machine and carry out the login procedure when the latter's phone is worn out.
A series of circumstances that are not easy to achieve, we must admit.
What happens if the attack is successful?
Having said that, let's get to the point: spying on WhatsApp with this method is only half possible, as for restore existing backups there is also a need to have the victim's Gmail credentials; however, it is possible to read the messages received from the moment of access (and possibly reply to them), at least until the victim herself does not realize of unwanted access and revokes it.
Slightly different story for Telegram, which instead stores messages on a server: in case of unwanted access these will be available immediately, however there will be no way to access secret chats. That is until, once again, the victim becomes aware of unwanted access.
The English telephone operators nor the Telegram operators responded to the report by InTheCyber; WhatsApp staff, on the other hand, replied that it is not a problem of their competence as the weakness is of the answering machine systems.
How to solve?
As for WhatsApp, to be safer (despite the occurrence of circumstances it is rather difficult) we can safely turn off the answering machine on a phone that is off or unreachable or, perhaps, change the access code (in this case, however, the problem of the "fake dial" apps would remain).
As for Telegram it is possible easily avoid this situation without even turning off the answering machine, simply enabling two-factor authentication - or the request for an additional password to the access PIN - from Menu> Settings> Privacy and Security.
Moral of the story
The problem exists, it is a fact; however, this must not trigger senseless alarmism, since the simultaneous occurrence of the conditions for the attack to succeed (especially with the phone turned off!) is quite rare. If we want to be sure, the solutions are simple: deactivate the answering machine if we use WhatsApp, activate two-factor authentication if we use Telegram.
This, at least, until the operators implement a more secure access mechanism to the answering machine!
