The rising mobile cyber-crime drives mobile users to communicate via secure messaging services such as WhatsApp and Telegram, which claim to offer end-to-end encryption. This trend starts to spread in BYOD programs that serve a broad range of employees, all of whom actually control their own devices and apps. Commercial chat services and many other mobile applications use SMS authentication as the security verification mechanism. However, any SMS-based authentication flow, including two-phase authentication, is extremely vulnerable and users are not aware of it or tend to suppress it. The SMS is hackable via SS7 signaling security gaps, IMSI catchers, and cellular operator manipulations. The SS7 signaling mechanism enables hackers to extract the identity of messaging services users and impersonate them virtually.

Hacking the SMS enables hackers to impersonate and reply to WhatsApp and Telegram chats on behalf of the legitimate users.

Furthermore, hackers using an IMSI catcher can attack the SMS driven authentication flow, redirect and manipulate it to penetrate the mobile device. SS7 exploitation requires simple equipment (though the setup to gain access to SS7 is complex) and IMSI catchers are less scarce and expensive than ever.

In contrast, the IntactPhone uses a proprietary enrollment flow for its secure communications services. The system administrator enrolls users to the Intact Command Center which allows them to exchange secure communications via self-contained phonebook. The enrollment flow eliminates the ability to extract the security verification element and impersonate to another user. This is just another proof how the IntactPhone stands up to today’s threat landscape.

Watch here a nice illustration how hackers hijack WhatsApp and Telegram accounts using known telecom flaw.