All That’s Needed To Hack Gmail And Rob Bitcoin: A Name And A Phone Number

Hackers have shown how urgently a massive failure in the global telecommunications network, affecting what is known as Signaling System No. 7 (SS7), needs to be fixed. In a video demo, shown to Forbes ahead of today’s release, benevolent hackers from Positive Technologies were able to take control of a Coinbase Bitcoin wallet and begin stealing funds via SS7 flaws.

The weaknesses of SS7 remain open, despite the fact that solutions have been available for years. They allow anyone with access to that part of the telecommunications backbone to send and receive messages to and from cell phones, with various attacks allowing the silent interception of text messages, calls, and location data. (Telcos use the SS7 network to communicate with each other, typically to switch customers between carriers when roaming.)

In their attack, the Positive researchers first went to Gmail, using the Google service to find an email account with only a phone number. Once the email account was identified, the hackers initiated a password reset process and requested that unique authorization codes be sent to the victim’s phone. By exploiting weaknesses in SS7, they were able to intercept text messages containing those codes, allowing them to choose a new password and take control of the Gmail account. They could then simply head over to the Coinbase website and do another password reset using the email they had compromised.

Scary SS7 attacks

This is not just a threat affecting Bitcoin, of course. It affects anything linked to the Gmail account, not to mention the complete loss of all those emails and the entire Google account. “This hack would work for any resource (real currency or virtual currency) that uses SMS to recover passwords,” said Positive researcher Dmitry Kurbatov. “This is a vulnerability in mobile networks, which ultimately means it’s a problem for everyone, especially services that rely on the mobile network to send security codes.”

The biggest barrier to such attacks is, perhaps, gaining access to the SS7 network in the first place. Positive researchers had access to it “for research purposes to identify vulnerabilities and help mobile operators make their networks more secure.” Criminals would typically have to buy access or hack their way into the network.

As for how others might do that, Kurbatov added: “The risk lies in the fact that cybercriminals can purchase access to SS7 illegitimately [on the] dark web.” He pointed to obscure websites, such as Interconnector, that have been seen selling SS7 services. (Some claimed Interconnector was a scam.)

In fact, criminals have, on at least one occasion, used the SS7 vulnerabilities to carry out an attack. That happened in Germany this year, when the criminals were able to use the same methods as the Positive researchers, but to steal funds from the bank accounts of O2-Telefonica customers.

Surveillance companies, such as Israeli firm Ability Inc., are also actively selling services to spy on targets through the SS7 network. The unlimited skill intercept app sold for up to $5 million, though the cost may go as high as $20 million, the company’s CEO told Forbes last year.

While the world waits for telcos to act, users might as well stop using SMS for two-factor authentication. SS7 attacks like the ones carried out by Positive, which previously showed how to hack WhatsApp and Facebook accounts with similar exploits, will currently not work when data-driven communications are used to send unique codes, as with the Google Authenticator app.

Daniel Romero, Vice President of Operations at Coinbase, said the company has been reaching out to customers to migrate from SMS-based two-factor authentication to apps like Google Authenticator. “In addition, we have enhanced our own monitoring systems to prevent phone-related security threats. We continue to monitor this closely,” he said. The company has seen an increase in hacks using another popular Bitcoin theft method: stealing a user’s phone number through social engineering of telecom companies. From there, hackers can reset passwords, much as in SS7 attacks.

Google has several tools available for users interested in the Authenticator, such as the Google Security Check. For two-factor authentication without SMS, which will prevent SS7 attacks, it is possible to use Google Prompt or a Security Key instead.
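
The recovery chain described in this article (phone number to Gmail to Coinbase) can be audited from the defender's side. The Python sketch below is an added example, not code from the article or from Positive Technologies; the inventory, channel labels and function names are hypothetical, and it assumes any single listed reset channel is enough to reset an account.

```python
from collections import deque

SMS = "sms"

# Constructed sample inventory: account -> ways its password can be reset.
# "email:<account>" means the reset link is mailed to that other account.
INVENTORY = {
    "gmail": ["sms"],
    "coinbase": ["email:gmail", "totp"],
    "photo-backup": ["email:gmail"],
    "bank": ["security_key"],
}

def exposed_accounts(inventory):
    """Return {account: chain} for accounts resettable via intercepted SMS.

    The chain lists the hops, starting at "sms", that lead to the account.
    """
    chains = {}
    queue = deque()
    # Direct exposure: the account itself accepts an SMS reset code.
    for name, channels in inventory.items():
        if SMS in channels:
            chains[name] = [SMS, name]
            queue.append(name)
    # Transitive exposure: reset mail goes to an already exposed mailbox.
    while queue:
        owned = queue.popleft()
        for name, channels in inventory.items():
            if name not in chains and f"email:{owned}" in channels:
                chains[name] = chains[owned] + [name]
                queue.append(name)
    return chains

def harden(inventory, account, replacement="totp"):
    """Return a copy of the inventory with SMS swapped out on one account."""
    fixed = {k: list(v) for k, v in inventory.items()}
    fixed[account] = [replacement if c == SMS else c for c in fixed[account]]
    return fixed

if __name__ == "__main__":
    for account, chain in exposed_accounts(INVENTORY).items():
        print(account, "<-", " -> ".join(chain))
    after = exposed_accounts(harden(INVENTORY, "gmail"))
    print("exposed after moving gmail off SMS:", sorted(after))
```

In this sample, moving the mailbox off SMS clears every downstream account at once, which is why the mailbox is the first thing to migrate.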

But the problem will not go away until telecom operators take action. Even with pressure to patch coming from Capitol Hill, primarily from Rep. Ted Lieu and Sen. Ron Wyden, little progress appears to have been made.
