Hackers have exploited decades-old flaws in the SS7 mobile telephony protocol to hijack phone numbers and SMS messages, in order to bypass two-factor authentication (2FA) and steal money from bank accounts.
The attacks were reported on Wednesday by German newspaper Süddeutsche Zeitung, who detailed a first case where cybercriminals exploited known SS7 vulnerabilities for their own profit.
Security researchers have warned us about SS7 for years
The SS7 (Signalling System No. 7) protocol was developed in 1975 and is a so-called telephony signaling protocol, used to route calls between different telephony providers.
The protocol has no security features, and its flaws became widely known after talks at the Chaos Communication Congress meetings held in 2010 and 2014. In these two talks, German security researcher Tovias Engel showed how a determined actor could locate and track any person on the planet via SS7, and even manipulate their communications by taking over their phone number.
The issues surrounding SS7 came back again into the limelight in April 2016, when a CBS reporter with the help of another German security researcher used the same flaws to track US Representative Ted Lieu’s whereabouts.
A month later, security firm Positive Technologies showed how another technique through which an attacker could hijack a person’s phone number and receive messages intended for other WhatsApp and Telegram accounts.
SS7 attacks cost a few hundred-thousand dollars
SS7’s woeful security was brought up again this week after a German bank and telecom confirmed unauthorized wire transfers from a victim’s accounts.
According to the German newspaper, crooks first obtained the victim’s credentials for his banking account, then used the SS7 flaws to hijack his phone number and receive the transaction confirmation code on the attacker’s device.
Currently, carrying out such attacks requires specialized hardware and special codes to interact with other telephony providers. Buying such equipment and the codes isn’t as hard as you believe, and an SS7 hacking rig could cost an attacker a few hundred or thousands dollars, well below the money he stands to make.
A quick YouTube search provides many tutorials and ads for SS7 hijacking services, some of which have been available for years, since your reporter first started covering SS7 flaws.
Authorities are aware of the SS7 flaws
Following the CBS report that showed how an attacker could track victims via SS7, Rep. Lieu started a Congress investigation into the matter of insecure telephony protocols and urged the FCC to intervene. This week, following the attack, Lieu issued a new statement on his website.
Everyone’s accounts protected by text-based two-factor authentication, such as bank accounts, are potentially at risk until the FCC and telecom industry fix the devastating SS7 security flaw. Both the FCC and telecom industry have been aware that hackers can acquire our text messages and phone conversations just knowing our cell phone number. It is unacceptable the FCC and telecom industry have not acted sooner to protect our privacy and financial security. I urge the Republican-controlled Congress to hold immediate hearings on this issue.
Last year, the US National Institute of Standards and Technology (NIST) had started recommending that organizations and developers not use SMS-based solutions for authentication, including for 2FA systems.