Hackers have proven just how urgently a gaping flaw in the global telecoms network, affecting what’s known as Signalling System No. 7 (SS7), needs to be fixed. In a video demonstration, shown to Forbes ahead of publication today, benevolent hackers from Positive Technologies were able to take control of a Coinbase bitcoin wallet and start pilfering funds via the SS7 flaws.
SS7 weaknesses, despite fixes being available for years, remain open. They allow anyone with access to that part of the telecoms backbone to send and receive messages to and from cellphones, with various attacks allowing silent interception of SMS texts, calls and location data. (Typically, the SS7 network is used by telecoms companies to talk with one another, normally for shifting customers between operators when roaming.)
In their attack, the Positive researchers first went to Gmail, using Google’s service to find an email account with just a phone number. Once the email account was identified, the hackers initiated a password reset process, asking for one-time authorization codes to be sent to the victim’s phone. By exploiting SS7 weaknesses they were able to intercept text messages containing those codes, allowing them to choose a new password and take control of the Gmail account. They could then simply head to the Coinbase website and do another password reset using the email they’d compromised.
Scary SS7 attacks
This isn’t just a threat that affects bitcoin, of course. It affects anything linked within the Gmail account, not to mention the complete loss of all those emails and the entire Google account. “This hack would work for any resource – real currency or virtual currency – that uses SMS for password recovery,” said Positive researcher Dmitry Kurbatov. “This is a vulnerability in mobile networks, which ultimately means it is an issue for everyone, especially services relying on the mobile network to send security codes.”
The biggest barrier, perhaps, to such attacks is acquiring access to the SS7 network in the first place. Positive’s researchers had access to it “for research purposes to identify vulnerabilities and help mobile operators make their networks more secure.” Typically, criminals would either have to buy or hack their way onto the network.
As for how others might do that, Kurbatov added: “The risk lies in the fact that cybercriminals can potentially buy access to SS7 illegitimately [on the] dark web.” He pointed to dark web sites, like Interconnector, that have been seen selling SS7 services. (Some claimed Interconnector was a scam.)
Indeed, criminals have, on at least one occasion, used SS7 vulnerabilities to carry out an attack. That occurred in Germany this year, when crooks were able to use the same methods as the Positive researchers, but to pilfer funds from bank accounts of O2-Telefonica customers.
Surveillance companies, such as Israeli firm Ability Inc., are also actively selling services to spy on targets over the SS7 network. Ability’s Unlimited Interception app has sold for as much as $5 million, though the cost can go up to $20 million, the firm’s CEO told Forbes last year.
While the world waits for telecoms companies to act, users could also stop using SMS for two-factor authentication. SS7 attacks such as those carried out by Positive, which previously showed how to hack WhatsApp and Facebook accounts with similar exploits, currently won’t work where data-based communications are used for sending one-time codes, such as Google’s Authenticator app.
Daniel Romero, Coinbase vice president of operations, said the company has been reaching out to customers about migrating from SMS-based two-factor authentication to apps like Google Authenticator. “Additionally, we’ve enhanced our own monitoring systems to prevent phone-related security threats. We are continuing to monitor this vigilantly,” he said. The company has witnessed an uptick in hacks using another popular method for bitcoin theft: stealing a user’s telephone number by social engineering the telecoms firms. From there, the hackers can, in a similar way to the SS7 attacks, reset passwords.
Google has various tools available to concerned users on top of Authenticator, such as the Google Security Checkup. For non-SMS two-factor authentication, which will prevent SS7 attacks, it’s possible to use a Google prompt or security key instead.
But the problem won’t go away until telecoms operators take action. Even with pressure to patch coming from Capitol Hill, chiefly from Representative Ted Lieu and Senator Ron Wyden, little progress appears to have been made.
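The recovery chain described above (an SMS code resets the email account, and the email account then resets everything that trusts it) can be audited as a reachability problem over an inventory of account recovery methods. The following is an added example, not part of the original article; the account inventory, phone number and function names are constructed for illustration.

```python
from collections import deque

# Constructed sample inventory: each account lists the ways it can be reset.
#   ("sms", number)    one-time code texted to that number
#   ("email", account) reset link mailed to that account
#   ("totp",)          app-generated code that never crosses the phone network
ACCOUNTS = {
    "gmail":     [("sms", "+15550100")],
    "coinbase":  [("email", "gmail")],
    "bank":      [("email", "gmail")],
    "work_mail": [("totp",)],
    "payroll":   [("email", "work_mail")],
}


def sms_exposed(accounts, number):
    """Map each account that falls if SMS to `number` is readable to its reset path."""
    paths = {}
    queue = deque()
    # Step 1: accounts that accept an SMS code sent to the exposed number.
    for name, methods in accounts.items():
        if ("sms", number) in methods:
            paths[name] = ["sms:" + number, name]
            queue.append(name)
    # Step 2: accounts whose reset mail lands in an already exposed mailbox.
    while queue:
        owned = queue.popleft()
        for name, methods in accounts.items():
            if name not in paths and ("email", owned) in methods:
                paths[name] = paths[owned] + [name]
                queue.append(name)
    return paths


def without_sms(accounts):
    """Copy of the inventory with every SMS reset replaced by an app-based code."""
    return {name: [("totp",) if m[0] == "sms" else m for m in methods]
            for name, methods in accounts.items()}


if __name__ == "__main__":
    for account, path in sms_exposed(ACCOUNTS, "+15550100").items():
        print(account, "<-", " -> ".join(path))
    print("after migration:", sms_exposed(without_sms(ACCOUNTS), "+15550100"))
```

Accounts that only appear behind an email reset still show up in the result, which is why the migration away from SMS has to start with the mailbox that other services trust.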