SS7 Cellular Network Flaw Nobody Wants To Fix Now Being Exploited To Drain Bank Accounts

from the whoops-a-daisy dept

Back in 2017, you might recall how hackers and security researchers highlighted long-standing vulnerabilities in Signaling System 7 (SS7, or Common Channel Signalling System 7 in the US), a series of protocols first built in 1975 to help connect phone carriers around the world. While the problem isn’t new, a 2016 60 minutes report brought wider attention to the fact that the flaw can allow a hacker to track user location, dodge encryption, and even record private conversations. All while the intrusion looks like ordinary carrier to carrier chatter among a sea of other, “privileged peering relationships.”

Telecom lobbyists have routinely tried to downplay the flaw after carriers have failed to do enough to stop hackers from exploiting it. In Canada for example, the CBC recently noted how Bell and Rogers weren’t even willing to talk about the flaw after the news outlet published an investigation showing how, using only the number of his mobile phone, it was possible to intercept the calls and movements of Quebec NDP MP Matthew Dub?.

But while major telecom carriers try to downplay the scale of the problem, news reports keep indicating how the flaw is abused far more widely than previously believed. This Motherboard investigation by Joseph Cox, for example, showed how, while the attacks were originally only surmised to be within the reach of intelligence operators (perhaps part of the reason intelligence-tied telcos have been so slow to address the issue), hackers have increasingly been using the flaw to siphon money out of targets’ bank accounts, thus far predominately in Europe:

“In the case of stealing money from bank accounts, a hacker would typically first need a target?s online banking username and password. Perhaps they could obtain this by phishing the target. Then, once logged in, the bank may ask for confirmation of the transfer by sending the account owner a verification code in a text message. With SS7, the hackers can intercept this text and enter it themselves. Exploiting SS7 in this way is a way to circumvent the protections of two-factor authentication, where a system not only requires a password, but something else too, such as an extra code.”

Again the flaw isn’t new; a group of German hackers widely demonstrated the vulnerability in 2008 and again in 2014. It’s believed that the intelligence community has known about the vulnerability even earlier, and the hackers note that only modest headway has been made since German hacker Karsten Nohl first demonstrated it. Some mitigation efforts have been put into place, but not quickly or uniformly enough to constrain the exploitation of the flaw:

“The fundamental issue with the SS7 network is that it does not authenticate who sent a request. So if someone gains access to the network?a government agency, a surveillance company, or a criminal?SS7 will treat their commands to reroute text messages or calls just as legitimately as anyone else?s. There are protections that can be put in place, such as SS7 firewalls, and ways to detect certain attacks, but room for exploitation remains.”

Senator Ron Wyden wrote to the FCC (pdf) in May of last year stating the agency hadn’t done enough to pressure carriers into fixing the problem, but nothing much appears to have happened in the wake of that letter. Much like the cellular industry’s location data scandals, it’s likely going to take a few more high profile scandals to create enough momentum to drive actual change.

Filed Under: , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “SS7 Cellular Network Flaw Nobody Wants To Fix Now Being Exploited To Drain Bank Accounts”

Subscribe: RSS Leave a comment
55 Comments
That One Guy (profile) says:

'What do you mean they can do it to ME as well?!'

Much like the cellular industry’s location data scandals, it’s likely going to take a few more high profile scandals to create enough momentum to drive actual change.

Nah, all it would take would be for a hacker to get greedy enough to go after a large target, like a politician, CEO or a celebrity. If one of those got hit by this I suspect that overnight there would be plenty of ‘momentum’, both from them and other rich individuals who suddenly realized that it can affect more than the peons.

TFG says:

Re: 'What do you mean they can do it to ME as well?!'

Unfortunately, it’s likely that the criminals perpetrating this sort of theft aren’t that short-sighted. They certainly don’t want it fixed, or they wouldn’t be able to continue to exploit it, so they are likely to avoid those targets who, once targeted, would light a fire to fix it.

They’re also likely to avoid the large-scale drains that get significant law enforcement attention, again, so as to remain in operation.

Anonymous Coward says:

Re: Re: 'What do you mean they can do it to ME as well?!'

But once the process is scripted, you’re going to have criminals who have no idea what’s under the hood who decide to reroute someone prominent. This isn’t really a possibility, it’s a certainty. It’s happened in every other exploit field out there eventually.

MathFox says:

Re: 'What do you mean they can do it to ME as well?!'

Action will only be started after the big profile hack. Then there will be discussions on how to change the SS7 protocol, vendors will have to update their software/firmware/equipment (and test it) and then the new soft- and hardware will have to be installed and configured at the phone companies.

With sufficient presure, it can be done in a year. Without pressure, mañana. Essentially the same issues as one sees with the IoT.

Bamboo Harvester (profile) says:

Re: 'What do you mean they can do it to ME as well?!'

Well, no. They’re already hitting "large targets", the banks themselves.

In the US, when you deposit money at a bank, you’re effectively loaning that money to the bank – that’s why they pay interest.

The banks are insured against loss of that money.

Something like this is little different than if Billy the Kid came in and stole bags of money, or if a Teller slips a few hundreds in their pocket.

The bank simply puts the appropriate number of ones and zeros in the effected account and files it as a loss to their insurer. I think it’s still the FDSLIC.

Anonymous Coward says:

Re: Re:

"In a surprise announcement, the Republican National Committee has revealed it is bankrupt. A spokesman for the party said they had plenty of money in their accounts last week, but today they just don’t know where the money has gone. But not everybody is going begging. Amnesty International, Greenpeace and the United Negro College Fund announced record earnings this week due mostly to large anonymous donations."

TFG says:

Re: Re:

Not quite blame the phone company. For each individual instance of hacking, blame the hacker. The article isn’t asking for the telcos to be held liable for the hacking instances, or to pay damages to the afflicted, etc. etc.

Instead, for not working to fix a long-known exploit in their system, blame the phone companies, because part of their duty to their users is to keep their systems secure. The SS7 flaw is the system’s architecture not working the way it was intended to originally, and thus should be fixed. That they’ve tried to downplay it doesn’t speak well of them.

Anonymous Coward says:

Re: Re: Re:2 Re:

Unless you make cross-exchange calls regularly, they don’t have this kind of access to your stuff. This mostly affects people who use their phones in roaming mode or make lots of predictable international calls. Technically, it could also be done between local exchanges, but you’d have to really know what you were doing and what the peering agreements are between those exchanges, because they usually have more in place to spot stuff like this.

Interestingly, that means that this exploit really affects business managers and higher, not so much the little people. And since it would get caught out if used often on high profile targets, it usually gets used on secondary targets to gather third party metadata.

Anonymous Coward says:

Re: Re: Re:3 Re:

I was under the impression the flaw didn’t care whether you were making cross-exchange calls or not, as long as you knew some details about who you wanted to attack, you could do it. Reason being is because you can pose AS another carrier and the system never actually verifies that you are telling the truth.

Technically, it could also be done between local exchanges, but you’d have to really know what you were doing and what the peering agreements are between those exchanges, because they usually have more in place to spot stuff like this.

And state backed hacking groups and other well resourced crime organizations (not to mention anyone who has the drive and time to figure it out) wouldn’t bother to figure this all out? As stated above, the system just doesn’t care who you are, it defaults to trust all requests. So peering agreements or not, you could still execute a few breaches and get away with it, and technical details like that aren’t going to matter to a well resourced group. That’s just all part of the job.

Anonymous Coward says:

Re: Re: Re:4 Re:

I was under the impression the flaw didn’t care whether you were making cross-exchange calls or not, as long as you knew some details about who you wanted to attack, you could do it.

I don’t recall anyone ever demonstrating this against a landline. That might mean landlines are not vulnerable (which suggests roaming or something mobile-specific is in play), or they just didn’t try hard enough or at all.

Anonymous Coward says:

Re: Re: Re:8 Re:

The article doesn’t say anything about "cellular". Karl added that in the title, but SS7 is used for cellular, landline and IP phones (behind the scenes, not in the actual phones). It’s not obvious at all the non-cellular ones are immune. They can’t receive text messages but banks will send spoken 2FA codes to those numbers.

Anonymous Coward says:

Re: Re: Re:9 Re:

The body of the article may not say it explicitly but the title does, which implies the body of the article will be related to cellular, not landlines. This is further supported by the fact that it’s not very common to use landlines for MFA purposes since they can’t receive text messages, which is the more common and preferred method, other than authenticator apps, to send MFA tokens.

Regardless of all that, it’s still irrelevant. Literally no one was talking about this in relation to landlines.

Everyone was talking about how this related to cellular users. All discussion was related to cellular users. The AC a few posts up (or you if you are the same one) suddenly started talking about landlines as a refutation to one of my points which had zero to do with landlines.

If you want to talk about vulnerabilities in landlines we can do that, but it has absolutely no bearing on the discussion at hand.

TFG says:

Re: Re: Re: Re:

Given I’d like the telcos to step up and fix the system, as indicated by my stating that it should be fixed, it is a simple matter to come to the logical conclusion that, no, I am not comfortable with this.

Now that I’ve shown the work, I’ll also repeat the answer:
No, I am not comfortable with this. The flaw should be fixed.

Now, why did you feel you had to ask?

PaulT (profile) says:

Re: Re: Re:2 Re:

I’m saying the blame should go to where it’s due, and one party doesn’t get to shirk their responsibilities just because the other was more actively "bad". Reality is more nuanced than that, and we should be placing blame where it’s actually due rather than racing to pretend there’s only a single party at fault. If someone is responsible, they should get to face the consequences.

Anonymous Coward says:

Re: Re: Re:

Claiming a duty is imputing liability on the carriers, who aren’t responsible for the hacking any more (under this logic) than Google is to blame for someone’s employer finding an archived post on 4Chan that never would have reached them, or than an ISP, webhost, or payment processor is to blame for piracy that wouldn’t have occurred without their flawed systems.

I was pointing out the logical inconsistency.

PaulT (profile) says:

Re: Re: Re:3 Re:

"Allowing mass piracy or mass defamation is also a security flaw within the control of the platform."

No, it’s not. What you’re whining about had nothing to do with security.

"they do want to blame the cell carriers for what their users do."

Yep, you don’t understand the issue. The carriers are not being blamed for the actions of their customers. They’re being blamed for their own actions.

TFG says:

Re: Re: Re:4 Re:

Oh, now I see the logical inconsistency.

It’s in comparing mass piracy or mass defamation to a security flaw. You see, mass piracy, or more properly termed "potential mass copyright infringement" is a very nuanced mess, since there’s a question of intent and fair use with copyright infringement, and it has to do with that messy thing called culture, and people sharing culture with each other, and tech’s inability to engage the all-important thing called "context" when determining that infringement exists. "infringement" sometimes isn’t, and the legality in these cases is often murky.

On the other hand, the SS7 flaw, which is a security hole that enables bad actors to take clearly illegal actions, does not have any of these pitfalls. It’s a clear problem that is enabling clearly illegal actions, and which it is entirely possible to fix with no magic solutions.

The realms have so many differences that there’s no logical basis to compare the two.

I doubt you’ll acknowledge this, but I can hope.

TripMN says:

Re: Re: Re: Re:

This needs to be highlighted more.

Many financial institutions don’t have 2-factor authentication, and many of the ones that do send the auth token by text message or email… both known insecure methods. It’s a damn shame that the biggest companies in the financial sector are still in the early 2000s as far as their security stance is concerned.

And don’t get me started on what they think is a strong password — I’m looking at you, credit card companies that have a max 16 characters for passwords…

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...