Earlier this month, the German newspaper Süddeutsche Zeitung reported that criminals in Germany had carried out a two-stage attack on German bank accounts in January, successfully routing money from bank customers into accounts they controlled. This was not just another data breach: it was a Signaling System 7 (SS7) breach, a class of attack many had dismissed as low risk. The attackers exploited known flaws in the SS7 signaling protocol, a critical part of the cellular network, to intercept two-factor authentication (2FA) codes sent by text message (SMS). It is one of the first publicly documented real-world attacks of this kind, and it shows that the risk is not low at all.
The attack comes after three years of industry-wide discussion about the weaknesses of SS7, the signaling protocol suite that more than 800 wireless telecommunications companies worldwide use to make their networks interoperate. SS7 is what lets a mobile subscriber call or message anyone, anywhere, and it carries real-time data about subscribers such as identity, location and status.
Brought to wide public attention in 2014, the vulnerabilities were highlighted again in early 2016 when 60 Minutes, with his permission, had security researchers track U.S. Representative Ted Lieu through his smartphone. The researchers in that case were well-intentioned, aiming to raise public awareness, but the result was still staggering: knowing little more than his phone number, they listened to and recorded his private calls and tracked his location in real time, a massive breach by any measure. The most recent real-life example of SS7 hacking left bank customers far less fortunate.
This is the first publicly reported major incident in Europe, but the underlying problem is broader: vulnerabilities in the SS7 signaling protocol (and in its successors in 4G networks, Diameter and SIP signaling) leave mobile carriers' networks open to fraud and misuse. Attackers with signaling access have long been able to commit fraud, listen in on calls, monitor messages, determine a subscriber's location and even manipulate network data. Until now, exploitation appeared limited, and many assumed the technical and financial investment required would put criminals off. That assumption has been disproved. In this case, the attackers used SS7 to defeat 2FA, specifically the one-time passcodes (OTPs) that banks send to customers by SMS to authorize access to accounts and funds, and drained the accounts.
The attack had two stages. First, the attackers spammed out Trojans to infect account holders' computers and steal the passwords used to log in to online banking. Then they manipulated SS7 to redirect the victims' phone numbers to handsets under their control, so that the network delivered the banks' one-time passcodes to them instead of to the customers. With the stolen passwords and the intercepted codes, they logged in to the victims' online banking and authorized transfers to accounts they controlled.
While this may be shocking to some, mobile carriers have been aware of the potential dangers for quite some time, and they had already started to collaborate on fixes and to put mechanisms in place to mitigate the threat. This latest attack only emphasizes how exposed networks really are, and what is at stake if carriers do not act with urgency to protect their customers, their networks and their brands.
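The mitigations mentioned above are typically implemented as a signaling firewall on the SS7 interconnect, which inspects incoming MAP operations and rejects those that do not fit a plausible picture of the subscriber. The following is an added example, not code from Mavenir or from any operator's product: a toy detector that runs two such checks over a constructed log of signaling events. The first check flags location updates and SMS routing requests that arrive from a Global Title (GT) outside the home network and its roaming partners. The second is a velocity check that flags a subscriber registered in the home network who is then "updated" to a foreign network within a time that is too short to travel abroad, which is how an attacker redirecting a victim's number, as in the attack described above, would typically appear in the logs. All GT prefixes, IMSIs, timestamps and the two-hour threshold are constructed assumptions for illustration.

```python
"""Toy SS7 signaling-firewall check (added example, constructed data).

Flags MAP operations on the interconnect that suggest a subscriber's
number is being redirected to an attacker-controlled network element.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumptions for the example: GT prefixes of the home network and of the
# roaming partners it has agreements with. A real deployment would load these
# from the operator's roaming configuration.
HOME_GT_PREFIX = "4917"
ROAMING_PARTNER_PREFIXES = {"3369", "4477"}

# Assumed minimum plausible time between a registration at home and one abroad.
MIN_TRAVEL_TIME = timedelta(hours=2)

# MAP operations that carry or fetch the routing information used to deliver SMS.
WATCHED_OPS = {"updateLocation", "sendRoutingInfoForSM"}


@dataclass
class MapEvent:
    ts: datetime
    opcode: str       # MAP operation name
    calling_gt: str   # signaling address of the sender (who asked)
    imsi: str         # subscriber the operation concerns


def gt_is_trusted(gt: str) -> bool:
    """True if the sender is the home network or a known roaming partner."""
    return gt.startswith(HOME_GT_PREFIX) or any(
        gt.startswith(p) for p in ROAMING_PARTNER_PREFIXES
    )


def detect_redirects(events):
    """Return a list of (imsi, reason) alerts, in chronological order.

    State kept per IMSI is the last accepted location update. Messages that
    fail the trust check are treated as dropped and do not update that state,
    mirroring what an interconnect firewall would do.
    """
    last_location = {}  # imsi -> (timestamp, calling_gt) of last accepted UL
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.opcode not in WATCHED_OPS:
            continue
        # Check 1: source plausibility. SMS routing lookups and location
        # updates from a GT with no business relationship are a classic sign
        # of interception probes.
        if not gt_is_trusted(ev.calling_gt):
            alerts.append((ev.imsi, "untrusted_gt"))
            continue
        if ev.opcode == "updateLocation":
            prev = last_location.get(ev.imsi)
            # Check 2: velocity. Registered at home, then abroad, faster than
            # a person could actually travel there.
            if (
                prev is not None
                and prev[1].startswith(HOME_GT_PREFIX)
                and not ev.calling_gt.startswith(HOME_GT_PREFIX)
                and ev.ts - prev[0] < MIN_TRAVEL_TIME
            ):
                alerts.append((ev.imsi, "implausible_velocity"))
                continue
            last_location[ev.imsi] = (ev.ts, ev.calling_gt)
    return alerts


def sample_events():
    """Constructed events: one victim (IMSI ...001) and one genuine roamer (...002)."""
    t = datetime(2017, 1, 12, 8, 0)
    victim, roamer = "262990000000001", "262990000000002"
    return [
        MapEvent(t, "updateLocation", "4917000001", roamer),                   # home
        MapEvent(t + timedelta(hours=2), "updateLocation", "4917000002", victim),   # home, 10:00
        MapEvent(t + timedelta(hours=2, minutes=12), "sendRoutingInfoForSM", "7999000001", victim),  # unknown GT
        MapEvent(t + timedelta(hours=2, minutes=15), "updateLocation", "3369000001", victim),  # 'abroad' 15 min later
        MapEvent(t + timedelta(hours=6), "updateLocation", "3369000002", roamer),   # real trip, 6 h later
    ]


def run_demo():
    return detect_redirects(sample_events())


if __name__ == "__main__":
    for imsi, reason in run_demo():
        print(f"ALERT {imsi}: {reason}")
```

The roamer's events produce no alert because six hours between a home registration and one from a partner network is plausible; the victim's two events are flagged, the second one even though it comes from a trusted partner GT, because the velocity check does not depend on the sender's identity. That matters in practice, since an attacker with interconnect access can present a legitimate-looking GT.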
SS7 will be around for at least another ten years, and simply shutting the protocol down is not a viable solution, since similar vulnerabilities exist in its replacement, Diameter. As long as there is national and international interconnect access, the window of opportunity for exploitation remains open. Any business with an online or mobile presence must therefore protect its mobile users and their data by investing in appropriate security controls. The National Institute of Standards and Technology (NIST), in its Digital Identity Guidelines (SP 800-63B, published in draft as the Digital Authentication Guideline), still accepts two-factor authentication with one-time codes over SMS, but it classes the SMS channel as restricted: verifiers must assess the risk of interception, offer users an alternative authenticator, and be prepared to move away from it. In other words, SMS can remain a workable channel for authentication messages only if networks and the other parties involved in authentication add further protective measures around it.
If additional security steps are not taken now, new revenue streams and advanced technologies will also be put at risk. Mobile operators in particular are putting lucrative Application-to-Person (A2P) messaging at risk if they do not secure the SMS channel along with the rest of the network. Revenue aside, as customers place more trust in their mobile devices and those devices become ingrained in everyday activities such as banking, travel, social networking and lifestyle choices, ever greater amounts of personal data are exposed to this risk.
SS7 is little known outside the mobile operator space, and while carriers address the security flaws in signaling protocols, subscribers should also be aware that few, if any, information systems and networks are 100 percent secure. Extra caution is warranted even as carriers introduce multi-layer defenses to shield users' devices from attack. Checking bills for unexpected activity and paying attention to the permissions granted to each app are steps subscribers can take in addition to the network defenses carriers deploy. In relation to the type of attack reported here, where banking access is at risk, now is a good time to change passwords, and to alert your bank and carrier if you receive access codes you did not request: that can be a sign that you are the attackers' next target.
Mark Windle is director of Strategy and Marketing for the Security division at Mavenir, a Texas-based network partner for major telecommunications service providers globally.