How to Hack Telegram: SMS Interception and Mobile Network Vulnerability

Telegram may be considered one of the most secure messengers, but its users are periodically hacked. Recently, many users of the application began to complain that logins to their Telegram accounts were being attempted from unfamiliar IP addresses.

As it turns out, the topic of hacking this secure messenger remains relevant today. This is due not only to hackers, but also to a weakness in the signaling protocol of mobile networks, which allows SMS messages to be intercepted.

What technical holes does Pavel Durov’s creation, Telegram, hide? And how can you secure your correspondence?

Telegram at risk

Over the past few years, many Telegram users have contacted the cybercrime investigation department of Group-IB. The reason is always the same: unknown people gained access to their Telegram chats. The victims used different phones, running either iOS or Android. In all cases, the attacks were instantaneous.

First, the user received, from the messenger's official service account, a login confirmation code that they had not requested. Then an SMS with the activation code arrived, and almost immediately afterwards came a message about a successful login from a new device.

The attackers logged into the accounts over mobile internet connections, from IP addresses in Paris, Berlin, Tokyo, and elsewhere.

However, experts did not find any spyware on the smartphones of the victims.

– Then how does the hacking happen?

Experts say that when activating the messenger on a new device, Telegram first sends the code through the official service channel to all other devices, and only then is an SMS message sent on request. The attackers allegedly initiate such a request themselves and then intercept the SMS. With the code from the text message, they successfully log into the messenger and access all files, photos, and correspondence.
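The sequence described above (in-app code ignored, SMS fallback requested, login completed from a new device within moments) can be expressed as a detection rule. The following is an added example, not code from the original article or from Telegram; the event names, the log format and the two-minute window are assumptions, and the log lines are constructed.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=2)  # assumed threshold, tune it to your own data

# Constructed events: timestamp, event type, requesting device, IP country.
SAMPLE = """\
2024-05-01T10:00:00 in_app_code_sent dev-new FR
2024-05-01T10:00:20 sms_code_requested dev-new FR
2024-05-01T10:00:45 login_ok dev-new FR
2024-05-01T11:00:00 in_app_code_sent dev-tablet DE
2024-05-01T11:00:30 login_ok dev-tablet DE
""".splitlines()

def find_suspicious_logins(lines, window=WINDOW):
    """Flag logins where a new device skipped the in-app code, asked for an
    SMS code and completed the login within `window` of the first code."""
    state, alerts = {}, []
    for line in sorted(lines):  # ISO timestamps sort chronologically
        ts_raw, kind, device, country = line.split()
        ts = datetime.fromisoformat(ts_raw)
        seen = state.setdefault(device, {})
        if kind == "in_app_code_sent":
            seen.clear()
            seen["app"] = ts
        elif kind == "sms_code_requested" and "app" in seen:
            seen["sms"] = ts
        elif kind == "login_ok":
            # A legitimate owner can read the in-app code on an existing
            # session; a fast SMS fallback suggests the requester cannot.
            if "sms" in seen and ts - seen["app"] <= window:
                alerts.append({"device": device, "country": country,
                               "seconds": int((ts - seen["app"]).total_seconds())})
            seen.clear()
    return alerts
```

On the sample data only the first login is flagged; the second device logged in with the in-app code and never asked for an SMS.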

– Who is to blame and what to do?

SS7 vulnerability

SS7 is a set of telephone signaling protocols. It was developed half a century ago. Today it is widely used to provide many services, including:

  • establishing a phone call
  • making a call from a mobile phone to a fixed number
  • roaming charges
  • sending SMS messages

Both European and American experts have periodically discussed the vulnerability of this protocol.

The use of SS7 in Europe dates back to the construction of GSM mobile networks, in which, when a subscriber is roaming, the switch of the “guest” network (MSC/VLR) must access the home location register (HLR) of the subscriber’s “home” network, which stores data about this subscriber.

Currently, SS7 is the signaling infrastructure of almost all fixed-line and mobile operators and carries information about connection establishment and routing.

However, the outdated security concepts at its core make this protocol vulnerable to hackers. For example, many articles have described vulnerabilities that make it possible to determine the location of a subscriber, listen to a conversation, or intercept their SMS messages.

In 2014, at a hacker conference in Berlin, the German researcher Tobias Engel spoke about the vulnerability of SS7 and demonstrated how, for two weeks, he tracked the movements of several subscribers (with their prior consent). They gave him their own phone numbers, and he was able to build a small map of their movements by querying the network.

As the specialist noted at the time, private companies around the world offered tools based on the SS7 vulnerability as lawful interception products, that is, means of interception within the law for law enforcement agencies and special services.

The special services of almost all countries have a direct connection to operators’ networks and can easily listen to conversations and read SMS messages. This is all allowed by law; in post-Soviet Russia, for example, such equipment is standardized and is called SORM (System for Operative Investigative Activities).

Previously, it was enough for an attacker to have a computer with special software and to be connected to the telecom operator’s network as an SS7 signaling point. With the proper level of knowledge, it was possible to deceive another operator’s network by passing off the hacker’s device as a guest switch (MSC/VLR).

How does an SS7 attack work?

The attacker connects to the SS7 signal network of a foreign operator and sends the Send Routing Info for SM (SRI4SM) service command to the network channel, specifying the attacked subscriber’s phone number as a parameter.

Then, thanks to the received data, the attacker registers the victim’s number in the dummy VLR via the Insert Subscriber Data (ISD) message, simulating that the subscriber arrived at a new location and registered in the new network while roaming. After that, the attacker can receive SMS messages sent to this subscriber.

However, switching equipment suppliers, banks, telecom operators, messenger owners, and other internet service providers are also aware of this and try to protect users. For example, internet services and banks use two-factor authentication. Mobile carriers use SMS Home Routing, which counters attacks that request the information needed to deliver an incoming SMS message to the subscriber.

In addition, operators maintain a register of the addresses of network equipment, which must be specially registered and configured. Therefore, to use SS7 at the network level, the attacker must at least be connected directly to some telecom operator’s equipment.
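The two operator-side protections named above, SMS Home Routing and the register of known equipment addresses, can be sketched as screening logic at the network edge. This is an added, simplified example, not code from the original article or from any vendor; every address, prefix and subscriber record is constructed, and the operation names are shortened labels.

```python
import secrets
from dataclasses import dataclass

# All values below are constructed for illustration.
HOME_GT_PREFIX = "99970"                  # addresses (global titles) of the home network
PARTNER_GT_PREFIXES = ("99911", "99922")  # register of known roaming partners
SMS_ROUTER_GT = "9997000001"              # address of the home SMS router
HLR = {"99970555001": {"imsi": "999700000000001", "msc": "9997000042"}}
correlations = {}                         # correlation id -> real IMSI

@dataclass
class MapMessage:
    op: str          # "SRI_SM", "ISD" or "UPDATE_LOCATION"
    calling_gt: str  # address of the sending node
    msisdn: str      # subscriber the message concerns

def screen(msg: MapMessage):
    """Decide what to do with a message arriving on an external interconnect link."""
    if msg.calling_gt.startswith(HOME_GT_PREFIX):
        return "block", "home address presented from outside the network"
    if msg.op == "SRI_SM":
        if msg.msisdn not in HLR:
            return "block", "unknown subscriber"
        # Home Routing: the SMS router answers and hides the real IMSI and MSC.
        cid = secrets.token_hex(8)
        correlations[cid] = HLR[msg.msisdn]["imsi"]
        return "answer", {"imsi": cid, "serving_node": SMS_ROUTER_GT}
    if not msg.calling_gt.startswith(PARTNER_GT_PREFIXES):
        return "block", "sender is not in the partner address register"
    if msg.op == "ISD" and msg.msisdn in HLR:
        # Subscriber data for home subscribers is only ever sent by the home HLR.
        return "block", "ISD for a home subscriber from an external node"
    return "forward", None
```

With Home Routing in place, the external sender of a routing query never learns the subscriber's real identifier or serving switch; the SMS router delivers the message itself using the stored correlation.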

Nevertheless, SS7 attacks continue, but now in the Telegram app.

How do you know if someone has connected to your Telegram account?

The easiest way is to check the active sessions. To do this:

  1. Go to settings (three horizontal bars at the top of the screen).
  2. Select “Privacy.”
  3. Find the line “Active sessions.”
  4. Click it to view a list of all the devices where your account is currently open.

If you notice something suspicious, click “End all other sessions.”

What do you need to do to use Telegram safely?

First, set up two-factor authentication. This is done in the following way:

Settings → Privacy → Two-step authentication

*Note: This is the path on Android. On the iPhone, the path is: Settings → Privacy → Cloud password.

Second, come up with a strong password. After entering it, you will be asked to specify an email address through which you can restore a forgotten password. However, maximum protection is provided by a password with no recovery email address. This minimizes the possibility of the account being hacked (but if you forget or lose the password, you will lose the account completely, with no possibility of restoring it).

You should also set a passcode. This is done like this:

Settings → Privacy → Code → Password 

Here you can choose to unlock by fingerprint, Face ID, or just a code. You can also set an auto-lock after a certain period of time, or lock the application manually.

Third, hide your phone number. To do so, follow this path:

Settings → Privacy → Phone Number 

By default, your number is visible to your contacts. But by checking the box next to “no one,” you will prohibit those who do not have your phone number from seeing it.

It is also useful to disable the synchronization of contacts in Telegram, so that you cannot be found by phone number. You can do it like this:

Settings → Privacy → Contacts → Turn off contact syncing.

You can also hide your avatar from unknown users, prevent them from reaching your profile through messages forwarded from you, and change your real name to an alias.

Search for privacy settings here:

Settings → Privacy → Profile Photos

Settings → Privacy → Forwarding Messages

You can also disable the ability to call you. Incoming calls can compromise you, especially if you accidentally answer a video call. Search here:

Settings → Privacy → Calls → Nobody

Settings → Privacy → Groups → My Contacts

Now you know how to protect yourself and ensure your personal right to privacy.

