Privacy: Invasion of Public Peoples Mobiles in The National Politics – Part 2

Last week, the case of the invasion of mobile phones of public people from national politics gained new perspectives and characters. According to the Federal Police, four suspects of being involved in the leakage of messages from the current Minister of Justice and Public Security, Sergio Moro, other ministers, Republic prosecutors and several nationally famous people, including President Jair Bolsonaro, were arrested. One of those arrested is Walter Delgatti Neto, who confessed to being responsible for breaking into Minister Moro’s Telegram account in his testimony. 

The case became publicly known at the beginning of July when the Intercept Brazil website circulated alleged messages exchanged between the current Minister of Justice and Public Security, Sergio Moro, and prosecutor members of the Operation Lava Jato task force, which were obtained through an anonymous source. 

Even a month after the messages have circulated, and the minister of justice has reported a hacker attack on his phone, Federal Police investigations still had no answers to questions such as “who is responsible for the invasion?”, “What techniques were used to gain access to the messages?”. However, on the 23rd, Operation Spoofing, triggered by the Federal Police in São Paulo, seems to have found the possible answers to the questions raised last month.

According to the Federal Police investigation, the prisoners performed the attacks by intercepting the Telegram authentication code, sent via a telephone call and that allows an account to be synchronized with the web version of the application. Investigations are continuing and the police have avoided disclosing too many details, but the information released by the investigators so far helps to clarify unanswered security and privacy concerns. 

How was the attack performed?

The operation that led the Federal Police to the suspects was named Operation Spoofing and aimed to dismantle a criminal organization that committed cybercrimes. Spoofing is a cyberattack technique that aims to impersonate a known and trusted source to make a victim believe that the sources of the request are authentic. 

According to police information, the suspects used a VoIP service – voice over IP, telephone calls made through the Internet service – to obtain the Telegram application access code.

To sync the Telegram application’s account with its web version, one needs to enter a verification code that can be passed through a voice call. This means the number linked to the application’s account receives a call with a code that must be entered for synchronization, and if the call is not answered, the message containing the code is forwarded and stored in the voicemail. This is exactly how the attacks happened.   

The service of the company hired by the hackers has a feature called caller ID: this feature allows the use of any phone number to make calls, which was the main point for the attack’s success.

The minister and other victims reported receiving calls from their own telephone number, which may indicate that the attackers used the VoIP service to simulate the victims’ own cell phone numbers as a source, making multiple calls to their phones. With the phone line busy, they requested the verification code from Telegram Web and consequently it was recorded in the voicemail.  

Another detail made it possible for hackers to complete the attack without much trouble: telephone operators provide their customers with a quick and easy way to access their voicemail. So, one just needs to call their own number to get direct access without any authentication mechanism. Still using the VoIP service, the attackers were able to use the Caller ID spoofing technique, simulating the victim’s phone line and thus gaining access to the Telegram voice call recorded in the voicemail. Thus, they captured the code and finally accessed the victims’ accounts.  

Caller ID, also called Calling Line Identification – is the numeric identification of a line associated with the telephone number. This caller ID is sent at the beginning of the phone call and identifies who is calling before the call is answered. However, the Caller ID is only part of the initial call settings, which allows one to manipulate the ID to display a different number than the actual caller.

Caller ID spoofing happens when the caller spoofs the information transmitted to the caller ID of the victim’s line, hiding their real identity. In this case, the attackers assumed their victims’ ID by changing the Caller ID to the same ID. 

Who has performed the attacks?

Federal Police was able to find the suspects through the Internet Protocol (IP) of devices that connected to the VoIP service provider. Through the investigation, it was possible to find the record of 5,616 calls in which the source number was equal to the destination number in the files investigated.

João Vianey Xavier Filho, Federal Police’s Head Intelligence Coordinator, told the press that the investigation was based on calls made to Minister Sérgio Moro: “the police authority adopted the investigated process of verifying the paths and interconnections of calls made to the telephone that was used by the Minister of Justice and Public Security, notably calls that originated from the victim’s own telephone number,” he said.

Delgatti Neto confessed that he was responsible for breaking into the cell phones of several authorities, including Minister Sérgio Moro. The investigation now goes on to identify all the numbers that have been hacked in order to verify the exact extent of the attack.

Attackers are estimated to have invaded more than 1,000 victims, including President Jair Bolsonaro, President of the Federal Senate David Alcolumbre, President of the Superior Court of Justice João Otávio de Noronha, and other political and public figures. 

According to the Federal Police, the hackers’ technical skills were low, as the attackers did not perform actions considered common by hackers with better knowledge, such as masking their IPs, making the tracking of their activities more difficult, and blocking the victim’s access to the resources being exploited.

What was the vulnerability exploited?

Much has been said about the absence of two-factor authentication by the current Minister of Justice and Public Security. However, the Federal Police’s investigation suggests that the vulnerability that allowed the attack to be committed extends beyond local security settings. 

The weak points of the SS7 protocol, which was created to connect different operators and to be used as the channel through which calls and text messages travel, have long been discussed. However, the protocol has a flaw that allows the Caller ID spoofing attack to occur, not checking who sent the request. Consequently, whether be it the real number’s owner or a criminal impersonating the user, SS7 will treat the request as legitimate. 

In this case, even if the multiple-factor authentication was enabled in the SMS text token model, the account would still not be secure. Just as the attack used an SS7 vulnerability to obtain the Telegram application verification code, this protocol allows message path manipulation by directing traffic to the desired line and allowing the attacker to access the account with the intercepted token. 

How can you protect yourself?

The Brazilian Intelligence Agency (ABIN), since the first news about the message leaks have circulated, has provided President Jair Bolsonaro and Vice President Hamilton Mourão with encrypted cellphones so that messages containing confidential and strategic government affairs can travel through safer means. These devices have their own communication applications, similar to Telegram, but for the exclusive use of the Brazilian authorities. 

The SS7 protocol’s vulnerabilities are still far from being fixed, however, there are some ways to prevent this type of attack. Some of them are:

• Disabling the voicemail
• Using authentication factors other than SMS text token
• Not relying solely on the second authentication factor, and having complex first-access passwords. 
• Avoiding linking important accounts with phone lines. 

The technique used by hackers can be considered simple, but it exposes flaws in our communication means, allowing anyone to fall victim to a cyberattack and have their privacy violated. Regardless of the type of application used for communication, the way it is used should always be configured with privacy and security in mind.