In early May this year a German newspaper Süddeutsche Zeitung detailed the first documented case where cybercriminals exploited known SS7 (Signalling System version 7)(defined)(PDF) vulnerabilities for their own profit (the attack took place in January 2017).
How did this incident take place?
According to the German newspaper, the attackers first obtained the victim’s credentials for their bank account (by phishing (defined) emails), then used the SS7 flaws to hijack their phone number and receive the transaction confirmation code (within a text message (an SMS (defined) message)) on a mobile phone in use by the attackers. This exploit allowed the attackers to steal users’ mobile transaction authentication numbers (mTAN) and thereby withdraw money from their victim’s accounts.
Currently, carrying out such attacks requires specialized hardware and special codes to interact with other telephony providers. Buying such equipment and the codes isn’t as hard as you believe, and an SS7 hacking rig could cost an attacker a few hundred to a thousand dollars, well below the money they stand to make.
Why should this vulnerability be considered important?
The SS7 (Signalling System No. 7) protocol was developed in the 1980s and is a so-called telephony signalling protocol, used to route calls between different telephony providers.
The protocol has no security features, and its flaws became widely known after talks at the Chaos Communication Congress meetings held in 2010 and 2014. In these two talks, German security researcher Tobias Engel (with Karsten Nohl in 2014) showed how a determined actor could locate and track any person on the planet via SS7, and even manipulate their communications by taking over their phone number.
Moreover in April 2016; the issues surrounding SS7 came back again into the limelight when a CBS reporter with the help of the above mentioned German security researcher (Karsten Nohl) used the same flaws to track US House of Representative’s member Ted Lieu’s whereabouts (with his consent). Indeed; both US Senator Ron Wyden and Representative Lieu have previously called for the FCC to at least look into strengthening the security of SS7. They also wrote an open letter (PDF) to the Homeland Security Secretary John Kelly.
Just one month later (May 2016) security firm Positive Technologies showed how using another technique an attacker could hijack a person’s phone number and receive messages intended for other WhatsApp and Telegram accounts.
How can I protect myself from these vulnerabilities?
Before focusing on the vulnerabilities within SS7, let us first review how the attackers emptied victim’s bank accounts:
They first obtained their victims banking details via phishing emails. Tips to avoid being effected by such emails are provided here.
Following this incident, the affected German mobile network operator made it impossible for call forwarding to be effected by other organizations that have access to the mobile operator’s network. Other German mobile network operators have implemented this change. This should mitigate a similar attack occurring in the future for these mobile operators. All other mobile operators should deploy similar mitigations. Further recommendations to mobile operators e.g. the use of a signalling firewall are provided in this news article. As this article mentions, the successor of SS7, namely Diameter will take time to migrate to and unfortunately suffers from some of the same vulnerabilities.
In 2016 the US National Institute of Standards and Technology (NIST) began recommending not to use SMS messages for two-factor or two-step verification (differences between 2FA and 2SV). Instead they are suggesting the use of tokens (most likely hardware tokens) and cryptographic authenticators (and perhaps at a later time biometric authentication (defined)). They also encourage software vendors to check for the presence of a VoIP connection (Voice over IP, defined). This is due to some VoIP services allowing the hijacking of SMS messages.
At this time, the use of software authenticators such as the Google and Microsoft authenticators and RSA’s SecurID app are increasing and it favours the eventual phase out of SMS messages. The use of biometrics (perhaps making use of Windows Hello) or USB tokens such as the YubiKey.
Advice for consumers/end-users:
The previously linked to article (above) also contains advice (in the final three paragraphs) which you may find useful.
Thank you.
securityinaction 