An old vulnerability in the Signalling System No. 7 (SS7) telecom network protocol was used by Positive Technologies researchers to access and steal data from a test account, which they had registered recently at Coinbase, a bitcoin exchange platform.
This shows that by exploiting the SS7 flaw, an attacker could access text messages containing authentication codes and make financial transactions from the Bitcoin platform.
In its press release, Positive Technologies stated that this had already happened in spring of 2017, when cybercriminals managed to access text messages containing online banking authentication codes sent to customers of Telefonica Germany (O2), a German mobile firm, and used the codes to make financial transactions.
Positive Technologies’ research revealed that all they needed to compromise the Coinbase account using the SS7 flaw was the first and last names and the phone number of the account holder and his Gmail address.
By exploiting the SS7 flaw, the researchers intercepted SMS text messages sent to phone numbers linked to Gmail and to Coinbase users trying to change their passwords using two-factor authentication.
Whoever can access the SS7 system can also intercept texts containing verification codes which can be stolen by attackers to gain full control of the accounts.
In the case of Coinbase, virtual funds can easily be extracted from the account.
According to Positive Technologies’ head of telecommunications security department Dmitry Kurbatov:
“Unfortunately, it is still impossible to opt out of using SMS for sending one-time passwords. It is the most universal and convenient two-factor authentication technology. All telecom operators should analyze vulnerabilities and systematically improve the subscriber security level.”
The SS7 system is used by telecom operators for ensuring full protection of text messages and telephone calls.
It is a set of telephony signaling protocols used to set up and tear down a majority of public switched telephone network (PSTN) calls around the world.
Furthermore, it performs many important functions like prepaid billing, local number portability, translation of numbers and SMS (short messaging service) along with other main telecom services.
It was developed in 1975, and in 2008 it was identified as vulnerable to hacking.
In 2014, it was reported that the SS7 vulnerability could be used by governmental agencies and non-state actors alike to track the movements of mobile phone users from any location around the world with 70% accuracy.
Positive Technologies shared a video detailing how, because of the SS7 flaw, a hacker can compromise a Gmail account using only basic information such as a mobile number.
Once that hack succeeded, the researchers showed how the same SS7 flaw could be used to compromise a Bitcoin wallet.
Scary SS7 attacks
This isn’t just a threat that affects bitcoin, of course.
It affects anything linked within the Gmail account, not to mention the complete loss of all those emails and the entire Google account.
“This hack would work for any resource – real currency or virtual currency – that uses SMS for password recovery,” said Positive researcher Dmitry Kurbatov.
“This is a vulnerability in mobile networks, which ultimately means it is an issue for everyone, especially services relying on the mobile network to send security codes.”
The biggest barrier, perhaps, to such attacks is acquiring access to the SS7 network in the first place.
Positive’s researchers had access to it “for research purposes to identify vulnerabilities and help mobile operators make their networks more secure.”
Typically, criminals would either have to buy or hack their way onto the network.
As for how others might do that, Kurbatov added: “The risk lies in the fact that cybercriminals can potentially buy access to SS7 illegitimately [on the] dark web.”
He pointed to dark web sites, like Interconnector, that have been seen selling SS7 services. (Some claimed Interconnector was a scam.)
Indeed, criminals have, on at least one occasion, used SS7 vulnerabilities to carry out an attack.
That occurred in Germany this year, when crooks were able to use the same methods as the Positive researchers, but to pilfer funds from bank accounts of O2-Telefonica customers.
Surveillance companies, such as Israeli firm Ability Inc., are also actively selling services to spy on targets over the SS7 network.
Ability’s Unlimited Interception app has sold for as much as $5 million, though the cost can go up to $20 million.
Google has various tools available to concerned users on top of Authenticator, such as the Google Security Checkup.
For non-SMS two-factor authentication, which will prevent SS7 attacks, it’s possible to use a Google prompt or security key instead.
But the problem won’t go away until telecoms operators take action. Even with pressure to patch coming from Capitol Hill, chiefly from representative Ted Lieu and senator Ron Wyden, little progress appears to have been made.
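The chain described above (an SMS code resets the mailbox, the mailbox then resets the exchange account) can be audited from the defender's side. The following is an added example, not code from Positive Technologies or any service named here; the account names, factor labels and recovery paths are constructed for illustration.

```python
# Added example: audit which accounts fall to an attacker whose only
# capability is reading the victim's SMS (the SS7 scenario in the article).
# All account names and recovery paths below are constructed sample data.
SMS = "sms"

def email(account):
    """Factor label meaning 'can read mail delivered to <account>'."""
    return "email:" + account

def exposed_accounts(accounts, attacker_factors=frozenset({SMS})):
    """Return the set of accounts the attacker can take over.

    accounts maps name -> list of recovery paths; each path is the set of
    factors that must ALL be satisfied to reset or sign in to the account.
    """
    held = set(attacker_factors)
    exposed = set()
    changed = True
    while changed:                      # iterate until nothing new falls
        changed = False
        for name, paths in accounts.items():
            if name in exposed:
                continue
            if any(set(path) <= held for path in paths):
                exposed.add(name)
                held.add(email(name))   # a taken mailbox receives reset links
                changed = True
    return exposed

# Weak setup: the mailbox can be recovered with an SMS code alone, and the
# exchange sends a reset link to that mailbox plus an SMS code.
WEAK = {
    "mailbox": [{SMS}],
    "exchange": [{email("mailbox"), SMS}],
    "bank": [{"security_key"}],
}

# Hardened setup: the mailbox accepts only a security key or an app prompt.
# The exchange still uses SMS, so it is only as strong as the mailbox.
HARDENED = dict(WEAK, mailbox=[{"security_key"}, {"prompt"}])

if __name__ == "__main__":
    print("weak:    ", sorted(exposed_accounts(WEAK)))
    print("hardened:", sorted(exposed_accounts(HARDENED)))
```

Any account with a recovery path made up only of SMS and already-exposed mailboxes is reported, which is why removing SMS recovery from the mailbox matters as much as removing it from the exchange itself.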