How outdated SS7 can make SMS security worthless

Date:19 September 2017 Tags:, ,

An SS7 hack could destroy SMS security and making stalking the easiest thing in the world.

By David Grossman

Relying on an obscure yet vital communications system, researchers have been able to demonstrate the chaos hackers could wreak by infiltrating SMS messaging and rendering many two-factory security systems worthless.

What is SS7?

You might be unfamiliar with Signaling System Number 7 (SS7), referred to in North America as the Common Channel Signaling System 7. Signaling here refers to the exchange of information between call components required to provide and maintain service. SS7, developed in 1975, is typically used by telecoms to determine when someone is roaming. It allows for transfers of information including texts and billing.

If hackers gained access to SS7 networks, they could turn two-step SMS verification, an otherwise crucial security mechanism, into a playground. White hat hackers from Positive Technologies show in this video how quickly it could happen. They use a bitcoin wallet as an example in the video.

Watch the video:

“This hack would work for any resource – real currency or virtual currency – that uses SMS for password recovery,” says Positive Technologies researcher Dmitry Kurbatov to Forbes. “This is a vulnerability in mobile networks, which ultimately means it is an issue for everyone, especially services relying on the mobile network to send security codes.”

The knock-on effect

Such a hack would affect more than bitcoin users, or those with two-step verification. An SS7 hack could also let an attacker listen in on calls, peruse through all of a phone’s sent SMS texts, track the location of the phone.

Positive Technologies hackers were able to gain to this network “for research purposes”. But hackers would have to, presumably, hack or bribe their way in. A service that claimed to give someone access to SS7 networks for $500 was recently deemed a scam. These threats have been around for a decade. SS7 vulnerabilities were first detected in 2008 by German SR Labs. Demonstrations of these vulnerabilities have been going on since 2014. Congressman Ted Lieu and Senator Ron Wyden have both called for upgrades in SS7 security.

Given the current outbreak of hacking worldwide, most of it related to outdated systems liked SS7, it makes more sense than ever to look towards more secure means of texting like Signal or Facebook’s WhatsApp for communication. And if you use two-step verification, use an authentication app instead of text message if at all possible.

Source: Forbes
From: PM USA
Video credit: Positive Technologies
Image credit: Jack Moreh