Hackers can use a nasty trick to take over someone else’s Whatsapp account. Telekom confirms that the problem exists, but considers it largely theoretical.
Nasty trick: How hackers steal Whatsapp accounts
Update June 3: This is what Telekom says about this gap
Deutsche Telekom essentially confirms that this attack is possible, but rates its exploitability as very theoretical. Asked for comment, Telekom wrote: “
We are familiar with the scenario as outlined by security researchers, but we have not yet seen anything like it in the wild. It is theoretically possible; the crux of the matter is setting up the forwarding. These so-called USSD strings are a feature of the GSM mobile radio standards and therefore affect all network operators. They are well established among nerds, whereas the average user (Lieschen Müller) struggles with them. A scenario would be conceivable in which the victim hands over their phone in good faith and thus enables third parties to set it up. In this way, they can undermine the second factor in the case of Whatsapp, as described in the article.”
This last point about handing over the phone is indeed interesting: this is one way the attack could actually be carried out.
With a nasty trick, hackers can take over someone else’s Whatsapp account and gain access to their personal messages and contact lists. This is reported by the US IT security news site BleepingComputer, citing a post on LinkedIn by Rahul Sasi, CEO of CloudSEK. The attacker needs only a few minutes for this. However, the attacker must know the victim’s phone number and also have some social engineering skills.
Attacker has to convince his victim on the phone
The attacker calls the victim and, during the call, talks them into dialing a telephone number that begins with a so-called Man Machine Interface (MMI) code. Mobile operators use this mechanism to let subscribers configure network services from the handset, for example forwarding calls when the line is busy or unreachable. Depending on the operator, an MMI code can also forward all calls to a terminal device unconditionally to another number. Such codes always start with “*” or “#” – for example **67* for forwarding when busy – and are followed by the ten-digit destination number and a closing “#”.
The security researcher explains that the ten-digit number the victim is asked to dial belongs to the attacker, and the MMI code prepended to it instructs the mobile operator to forward the victim’s calls to that number. In other words, by dialing this string the victim unknowingly activates forwarding of their calls to the attacker’s phone.
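To make the MMI format concrete, here is an added decoder (not code from the original article or from CloudSEK) for the GSM call-forwarding strings discussed above. It implements the grammar from 3GPP TS 22.030, in which a procedure prefix (`**` register, `*` activate, `#` deactivate, `##` erase, `*#` interrogate) is followed by a service code, an optional destination number and a closing `#`. The function `sets_up_forwarding` flags strings that would actually divert calls to a supplied number, which is the property the attack depends on. The dialed strings at the bottom are constructed samples, and the phone numbers in them are fictitious.

```python
import re
from dataclasses import dataclass
from typing import Optional

# GSM call-forwarding service codes (3GPP TS 22.030, supplementary services).
CALL_FORWARDING_SC = {
    "21": "unconditional",
    "67": "on busy",
    "61": "on no reply",
    "62": "when not reachable",
    "002": "all forwarding",
    "004": "all conditional forwarding",
}

# The leading symbols select the procedure applied to the service code.
PROCEDURES = {
    "**": "register",     # store a destination number and activate
    "*": "activate",
    "#": "deactivate",
    "##": "erase",        # remove the stored destination
    "*#": "interrogate",  # query current state, changes nothing
}

# Grammar: <procedure><service code>[*<number>[*<basic service>[*<timer>]]]#
# Two-character prefixes are listed first so the alternation prefers them.
_MMI_RE = re.compile(
    r"^(\*\*|\*#|##|\*|#)(\d{2,3})(?:\*([+\d]*))?(?:\*(\d*))?(?:\*(\d*))?#$"
)


@dataclass
class MMI:
    procedure: str
    service_code: str
    service: Optional[str]   # forwarding type, None if not a forwarding code
    number: Optional[str]    # destination number, if one was supplied
    basic_service: Optional[str]
    timer: Optional[str]


def parse_mmi(dialed: str) -> Optional[MMI]:
    """Decode a dialed MMI string; return None if it is not MMI syntax."""
    m = _MMI_RE.match(dialed.strip())
    if not m:
        return None
    proc, sc, number, bs, timer = m.groups()
    return MMI(
        procedure=PROCEDURES[proc],
        service_code=sc,
        service=CALL_FORWARDING_SC.get(sc),
        number=number or None,
        basic_service=bs or None,
        timer=timer or None,
    )


def sets_up_forwarding(dialed: str) -> bool:
    """True if dialing this string would divert calls to a supplied number."""
    mmi = parse_mmi(dialed)
    return (
        mmi is not None
        and mmi.service is not None
        and mmi.procedure in ("register", "activate")
        and mmi.number is not None
    )


def describe(dialed: str) -> str:
    """Human-readable explanation, e.g. for warning a user before dialing."""
    mmi = parse_mmi(dialed)
    if mmi is None:
        return f"{dialed}: ordinary number, not an MMI code"
    if mmi.service is None:
        return f"{dialed}: {mmi.procedure} service code {mmi.service_code} (not call forwarding)"
    target = f" to {mmi.number}" if mmi.number else ""
    flag = "  <-- would divert your calls" if sets_up_forwarding(dialed) else ""
    return f"{dialed}: {mmi.procedure} forwarding {mmi.service}{target}{flag}"


if __name__ == "__main__":
    # Constructed samples; the numbers are fictitious.
    for s in ("**67*5551234567#", "**21*+15551234567#", "*#21#", "##002#", "*#06#", "5551234567"):
        print(describe(s))
```

Only strings that register or activate a forwarding service with a destination number are flagged; interrogation (`*#21#`) and erasure (`##002#`) are decoded but reported as harmless, since they are exactly the codes a user would dial to check for or remove forwarding.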
The attacker can now start registration and verification of the Whatsapp account on his own device. Because the forwarding applies to calls, the attacker requests the verification code by voice call rather than by SMS; that call is diverted to the attacker’s phone thanks to the MMI forwarding. With the code, the account is hijacked, and the attacker can even enable two-factor authentication on it. This means the actual owner is locked out of their own Whatsapp account.
The attacker has to overcome these hurdles
BleepingComputer was able to reproduce the attack at least with the providers Verizon and Vodafone. There are, however, several hurdles for the attacker. Ideally, the victim’s operator supports an MMI code that forwards all calls unconditionally, not only when the line is busy. Otherwise, the attacker has to keep the victim on the phone until the Whatsapp verification call arrives, so that it is diverted to the attacker’s phone because the victim’s line is busy with the attacker’s call.
The account owner will also receive text messages from Whatsapp informing them that their account has been registered on another device. On top of that, while call forwarding is active, the victim’s smartphone displays a corresponding indicator.
How to protect yourself
There is a simple protection against this attack: enable two-factor authentication in Whatsapp. Then the verification code alone is not enough to register the account on a new device; the attacker would also need your PIN. You can also check whether forwarding is active on your line by dialing *#21# (unconditional) or *#67# (when busy), and cancel all forwarding with ##002#; these are standard GSM codes, although operator support varies.