SS7 Cellular Network Flaw Nobody Wants To Fix Now Being Exploited To Drain Bank Accounts

from the whoops-a-daisy dept

Back in 2017, you might recall how hackers and security researchers highlighted long-standing vulnerabilities in Signaling System 7 (SS7, still often called Common Channel Signaling System 7, or CCSS7, in the US), a set of signaling protocols first developed in 1975 to let phone carriers around the world set up calls, route text messages and locate roaming subscribers across each other's networks. The problem isn't new, but a 2016 60 Minutes report brought wider attention to the fact that anyone with access to the SS7 network can track a user's location, intercept calls and text messages (the encryption on the radio link doesn't help, since the diversion happens inside the carriers' core networks), and even record private conversations. All while the intrusion looks like ordinary carrier-to-carrier chatter, lost among a sea of other "privileged peering relationships."

Telecom lobbyists have routinely tried to downplay the flaw, even as carriers have failed to do enough to stop attackers from exploiting it. In Canada, for example, the CBC recently noted how Bell and Rogers weren't even willing to talk about the flaw after the news outlet published an investigation showing how, using nothing more than his mobile phone number, it was possible to intercept the calls and track the movements of Quebec NDP MP Matthew Dubé.

But while major telecom carriers try to downplay the scale of the problem, news reports keep indicating that the flaw is abused far more widely than previously believed. This Motherboard investigation by Joseph Cox, for example, showed that while the attacks were originally assumed to be within reach only of intelligence agencies (perhaps part of the reason intelligence-tied telcos have been so slow to address the issue), criminals have increasingly been using the flaw to siphon money out of targets' bank accounts, so far predominantly in Europe:

"In the case of stealing money from bank accounts, a hacker would typically first need a target’s online banking username and password. Perhaps they could obtain this by phishing the target. Then, once logged in, the bank may ask for confirmation of the transfer by sending the account owner a verification code in a text message. With SS7, the hackers can intercept this text and enter it themselves. Exploiting SS7 in this way is a way to circumvent the protections of two-factor authentication, where a system not only requires a password, but something else too, such as an extra code."

Again, the flaw isn't new: German hackers publicly demonstrated the vulnerability in 2008 and again in 2014. The intelligence community is believed to have known about it even earlier, and researchers note that only modest headway has been made since Karsten Nohl first demonstrated it. Some mitigation efforts have been put in place, but not quickly or uniformly enough to constrain exploitation of the flaw:

"The fundamental issue with the SS7 network is that it does not authenticate who sent a request. So if someone gains access to the network—a government agency, a surveillance company, or a criminal—SS7 will treat their commands to reroute text messages or calls just as legitimately as anyone else’s. There are protections that can be put in place, such as SS7 firewalls, and ways to detect certain attacks, but room for exploitation remains."
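To make the two quoted passages concrete, here is an added example (my own illustration, not code from Motherboard, any carrier or any SS7 firewall vendor) of the kind of check an SS7 firewall or monitoring tap can run. It replays a constructed trace of the SMS-diversion attack described above: reconnaissance, an updateLocation that parks the victim's IMSI on the attacker's fake VLR, and then the bank's one-time code being delivered to that VLR. Every global title, IMSI, country mapping, centroid, operation list and threshold is an assumption for illustration; the "category 1" operation list is loosely modelled on the idea behind the GSMA FS.11 interconnect guidelines but is not quoted from them.

```python
"""Toy SS7/MAP interconnect monitor (added example, not production code).

It consumes a constructed trace of MAP operations as an operator's
signalling firewall might see them and flags the pattern behind the
SMS one-time-code theft described in the article. All identifiers,
lookups and thresholds are invented for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Assumed: MAP operations a home network should never accept from another
# carrier (loosely after the "category 1" idea in GSMA FS.11; illustrative).
NEVER_FROM_INTERCONNECT = {
    "anyTimeInterrogation",    # asks the HLR where a subscriber is
    "sendIdentification",      # hands out IMSI and authentication data
    "provideSubscriberInfo",   # cell-level location from the VLR
    "sendIMSI",
}

# Assumed lookups: E.164 country-code prefix of a global title -> country,
# and a rough centroid (lat, lon) per country for the travel-speed check.
GT_PREFIX_TO_COUNTRY = {"44": "GB", "49": "DE", "7": "RU", "1": "US"}
COUNTRY_CENTROID = {
    "GB": (54.0, -2.0), "DE": (51.0, 10.0), "RU": (61.5, 105.3), "US": (39.8, -98.6),
}
HOME_GTS = {"447700900001", "447700900002"}   # assumed: our own VLR and SMSC
MAX_SPEED_KMH = 1000.0                         # no airliner is faster


def country_of(gt: str) -> str:
    """Map a global title to a country by its longest matching E.164 prefix."""
    for prefix in sorted(GT_PREFIX_TO_COUNTRY, key=len, reverse=True):
        if gt.startswith(prefix):
            return GT_PREFIX_TO_COUNTRY[prefix]
    return "??"


def distance_km(a, b) -> float:
    """Great-circle distance between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


@dataclass
class Event:
    ts: datetime
    op: str
    origin_gt: str       # SCCP calling-party global title (who sent it)
    imsi: str = ""
    dest_gt: str = ""    # SCCP called-party global title (used for MT-SMS)


@dataclass
class Monitor:
    """Monitor-mode analysis: nothing is blocked, so state follows what the HLR did."""
    last_location: dict = field(default_factory=dict)  # imsi -> (gt, ts)
    suspect_gts: set = field(default_factory=set)

    def check(self, ev: Event) -> list:
        alerts = []
        # Rule 1: operations that have no business arriving over interconnect.
        if ev.op in NEVER_FROM_INTERCONNECT and ev.origin_gt not in HOME_GTS:
            alerts.append(f"cat1: {ev.op} from {ev.origin_gt} ({country_of(ev.origin_gt)})")

        # Rule 2: location plausibility for roaming attaches.
        if ev.op == "updateLocation":
            here = country_of(ev.origin_gt)
            prev = self.last_location.get(ev.imsi)
            if ev.origin_gt not in HOME_GTS:
                if here not in COUNTRY_CENTROID:
                    alerts.append(f"velocity: updateLocation from unmapped GT {ev.origin_gt}")
                    self.suspect_gts.add(ev.origin_gt)
                elif prev and country_of(prev[0]) in COUNTRY_CENTROID:
                    prev_gt, prev_ts = prev
                    km = distance_km(COUNTRY_CENTROID[country_of(prev_gt)], COUNTRY_CENTROID[here])
                    hours = max((ev.ts - prev_ts).total_seconds() / 3600.0, 1 / 3600.0)
                    if km / hours > MAX_SPEED_KMH:
                        alerts.append(
                            f"velocity: {ev.imsi} moved {country_of(prev_gt)}->{here} "
                            f"({km:.0f} km) in {hours * 60:.0f} min, attach from {ev.origin_gt}"
                        )
                        self.suspect_gts.add(ev.origin_gt)
            # Monitor mode: the HLR accepted the attach, so the victim now "lives" there.
            self.last_location[ev.imsi] = (ev.origin_gt, ev.ts)

        # Rule 3: a text message being handed to a VLR we already distrust.
        if ev.op == "mt-forwardSM" and ev.dest_gt in self.suspect_gts:
            alerts.append(f"sms-diversion: MT-SMS for {ev.imsi} delivered to suspect GT {ev.dest_gt}")
        return alerts


def run_sample_trace() -> list:
    """Replay a constructed attack trace; returns [(op, alerts), ...] per event."""
    victim = "234150000000001"      # assumed IMSI of the targeted customer
    attacker_gt = "79990000001"     # assumed GT of the attacker's fake VLR/MSC

    def at(minute):
        return datetime(2019, 2, 11, 10, minute)

    trace = [
        Event(at(0), "updateLocation", "447700900001", victim),            # normal attach at home
        Event(at(4), "anyTimeInterrogation", attacker_gt, victim),         # recon: where is the victim?
        Event(at(5), "sendRoutingInfoForSM", attacker_gt, victim),         # recon: IMSI / serving MSC lookup
        Event(at(6), "updateLocation", attacker_gt, victim),               # "the victim is roaming with us now"
        Event(at(7), "mt-forwardSM", "447700900002", victim, attacker_gt),  # bank's code follows the victim
    ]
    mon = Monitor()
    return [(ev.op, mon.check(ev)) for ev in trace]


if __name__ == "__main__":
    for op, alerts in run_sample_trace():
        print(f"{op:24s} {'; '.join(alerts) or 'ok'}")
```

Two things the trace shows that the quotes only hint at. The sendRoutingInfoForSM lookup passes silently, because foreign SMS centres legitimately send it to deliver international texts; that is exactly the "room for exploitation" that remains and why operators add SMS home routing on top of a firewall. And the velocity rule only works because the firewall keeps per-subscriber state; a stateless filter on message type alone would let the updateLocation through, after which the bank's text is routed to the attacker without anything looking wrong to the SMS centre.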

Senator Ron Wyden wrote to the FCC (pdf) in May of last year stating that the agency hadn't done enough to pressure carriers into fixing the problem, but nothing much appears to have happened in the wake of that letter. Much like the cellular industry's location data scandals, it's likely going to take a few more high-profile scandals to create enough momentum to drive actual change.

Filed Under: bank robbery, security, ss7, telcos


Reader Comments

  • That One Guy (profile), 11 Feb 2019 @ 5:31am

    'What do you mean they can do it to ME as well?!'

    Much like the cellular industry's location data scandals, it's likely going to take a few more high profile scandals to create enough momentum to drive actual change.

    Nah, all it would take would be for a hacker to get greedy enough to go after a large target, like a politician, CEO or a celebrity. If one of those got hit by this I suspect that overnight there would be plenty of 'momentum', both from them and other rich individuals who suddenly realized that it can affect more than the peons.

    • TFG, 11 Feb 2019 @ 6:39am

      Re: 'What do you mean they can do it to ME as well?!'

      Unfortunately, it's likely that the criminals perpetrating this sort of theft aren't that short-sighted. They certainly don't want it fixed, or they wouldn't be able to continue to exploit it, so they are likely to avoid those targets who, once targeted, would light a fire to fix it.

      They're also likely to avoid the large-scale drains that get significant law enforcement attention, again, so as to remain in operation.

      • Anonymous Coward, 11 Feb 2019 @ 1:16pm

        Re: Re: 'What do you mean they can do it to ME as well?!'

        But once the process is scripted, you're going to have criminals who have no idea what's under the hood who decide to reroute someone prominent. This isn't really a possibility, it's a certainty. It's happened in every other exploit field out there eventually.

    • MathFox, 11 Feb 2019 @ 6:48am

      Re: 'What do you mean they can do it to ME as well?!'

      Action will only be started after the big profile hack. Then there will be discussions on how to change the SS7 protocol, vendors will have to update their software/firmware/equipment (and test it) and then the new soft- and hardware will have to be installed and configured at the phone companies.

      With sufficient pressure, it can be done in a year. Without pressure, mañana. Essentially the same issues as one sees with the IoT.

    • Bamboo Harvester (profile), 12 Feb 2019 @ 5:26am

      Re: 'What do you mean they can do it to ME as well?!'

      Well, no. They're already hitting "large targets", the banks themselves.

      In the US, when you deposit money at a bank, you're effectively loaning that money to the bank - that's why they pay interest.

      The banks are insured against loss of that money.

      Something like this is little different than if Billy the Kid came in and stole bags of money, or if a Teller slips a few hundreds in their pocket.

      The bank simply puts the appropriate number of ones and zeros in the affected account and files it as a loss to their insurer. I think it's still the FDSLIC.

  • Anonymous Coward, 11 Feb 2019 @ 6:49am

    it'll soon get fixed once someone of power and wealth is concerned! as long as it's only ordinary people who are losing out, like with everything else since Trum(pet) became President and companies are getting whatever benefit they can, no one gives a shit!

    • Anonymous Coward, 11 Feb 2019 @ 7:08am

      Re:

      This will also happen to Section 230 when the "wrong" person is targeted for defamation, say an outspoken freshman congressperson who just got lied about rather viciously.

      • Stephen T. Stone (profile), 11 Feb 2019 @ 7:11am

        Re: Re:

        Unless Section 230 became a sentient being and defamed Alexandria Ocasio-Cortez, nothing is going to happen to it. Now, the person who defamed her, on the other hand…

      • PaulT (profile), 11 Feb 2019 @ 7:22am

        Re: Re:

        Well, it certainly would be a shame that someone decides to hold people accountable for things they did not do just because they had their feelings hurt.

        Fortunately, the person you're talking about seems to react to criticism with good natured and fact-based retorts, unlike the toddler in chief.

      • Anonymous Coward, 11 Feb 2019 @ 7:36am

        Re: Re:

        Noam Chomsky's not going to be on the jury, mate.

      • Anonymous Coward, 11 Feb 2019 @ 11:33am

        Re: Re:

        I would bet good money right now, that you actually thought that was a clever “gotcha.”

    • Anonymous Coward, 11 Feb 2019 @ 7:15am

      Re:

      "In a surprise announcement, the Republican National Committee has revealed it is bankrupt. A spokesman for the party said they had plenty of money in their accounts last week, but today they just don't know where the money has gone. But not everybody is going begging. Amnesty International, Greenpeace and the United Negro College Fund announced record earnings this week due mostly to large anonymous donations."

  • Anonymous Coward, 11 Feb 2019 @ 7:06am

    Copyright: blame the pirate Hacking: blame the phone company

    • TFG, 11 Feb 2019 @ 7:17am

      Re:

      Not quite blame the phone company. For each individual instance of hacking, blame the hacker. The article isn't asking for the telcos to be held liable for the hacking instances, or to pay damages to the afflicted, etc. etc.

      Instead, for not working to fix a long-known exploit in their system, blame the phone companies, because part of their duty to their users is to keep their systems secure. The SS7 flaw is the system's architecture not working the way it was intended to originally, and thus should be fixed. That they've tried to downplay it doesn't speak well of them.

      • Anonymous Coward, 11 Feb 2019 @ 7:22am

        Re: Re:

        State-backed hackers all have the ability to use these exploits. Are you comfortable with your country's enemies having this kind of access to your top people at all times?

        • Anonymous Coward, 11 Feb 2019 @ 7:31am

          Re: Re: Re:

          To hell with the "top people". I'm not comfortable with anyone having this kind of access to my stuff.

          The "top people" don't care about us. Why should we care about them?

          • Anonymous Coward, 11 Feb 2019 @ 1:23pm

            Re: Re: Re: Re:

            Unless you make cross-exchange calls regularly, they don't have this kind of access to your stuff. This mostly affects people who use their phones in roaming mode or make lots of predictable international calls. Technically, it could also be done between local exchanges, but you'd have to really know what you were doing and what the peering agreements are between those exchanges, because they usually have more in place to spot stuff like this.

            Interestingly, that means that this exploit really affects business managers and higher, not so much the little people. And since it would get caught out if used often on high profile targets, it usually gets used on secondary targets to gather third party metadata.

            • Anonymous Coward, 11 Feb 2019 @ 1:47pm

              Re: Re: Re: Re: Re:

              I was under the impression the flaw didn't care whether you were making cross-exchange calls or not; as long as you knew some details about who you wanted to attack, you could do it. The reason being, you can pose AS another carrier and the system never actually verifies that you are telling the truth.

              Technically, it could also be done between local exchanges, but you'd have to really know what you were doing and what the peering agreements are between those exchanges, because they usually have more in place to spot stuff like this.

              And state backed hacking groups and other well resourced crime organizations (not to mention anyone who has the drive and time to figure it out) wouldn't bother to figure this all out? As stated above, the system just doesn't care who you are, it defaults to trust all requests. So peering agreements or not, you could still execute a few breaches and get away with it, and technical details like that aren't going to matter to a well resourced group. That's just all part of the job.

              • Anonymous Coward, 11 Feb 2019 @ 1:51pm

                Re: Re: Re: Re: Re: Re:

                I was under the impression the flaw didn't care whether you were making cross-exchange calls or not, as long as you knew some details about who you wanted to attack, you could do it.

                I don't recall anyone ever demonstrating this against a landline. That might mean landlines are not vulnerable (which suggests roaming or something mobile-specific is in play), or they just didn't try hard enough or at all.

                • Anonymous Coward, 11 Feb 2019 @ 2:43pm

                  Re: Re: Re: Re: Re: Re: Re:

                  Sorry, how did landlines come into this?

                  • Anonymous Anonymous Coward (profile), 11 Feb 2019 @ 3:35pm

                    Re: Re: Re: Re: Re: Re: Re: Re:

                    As a way to avoid the issue?

                  • Anonymous Coward, 12 Feb 2019 @ 7:17am

                    Re: Re: Re: Re: Re: Re: Re: Re:

                    See above, "This mostly affects people who use their phones in roaming mode". Landlines don't have roaming.

                    • Anonymous Coward, 12 Feb 2019 @ 8:07am

                      Re: Re: Re: Re: Re: Re: Re: Re: Re:

                      Dude, we're talking SS7 CELLULAR NETWORKS, they are never NOT roaming. Nobody was ever talking about landlines.

                      Read the article.

                      • Anonymous Coward, 13 Feb 2019 @ 10:31am

                        Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:

                        The article doesn't say anything about "cellular". Karl added that in the title, but SS7 is used for cellular, landline and IP phones (behind the scenes, not in the actual phones). It's not obvious at all the non-cellular ones are immune. They can't receive text messages but banks will send spoken 2FA codes to those numbers.

                        • Anonymous Coward, 13 Feb 2019 @ 10:46am

                          Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:

                          The body of the article may not say it explicitly but the title does, which implies the body of the article will be related to cellular, not landlines. This is further supported by the fact that it's not very common to use landlines for MFA purposes since they can't receive text messages, which is the more common and preferred method, other than authenticator apps, to send MFA tokens.

                          Regardless of all that, it's still irrelevant. Literally no one was talking about this in relation to landlines.

                          Everyone was talking about how this related to cellular users. All discussion was related to cellular users. The AC a few posts up (or you if you are the same one) suddenly started talking about landlines as a refutation to one of my points which had zero to do with landlines.

                          If you want to talk about vulnerabilities in landlines we can do that, but it has absolutely no bearing on the discussion at hand.

        • TFG, 11 Feb 2019 @ 7:43am

          Re: Re: Re:

          Given I'd like the telcos to step up and fix the system, as indicated by my stating that it should be fixed, it is a simple matter to come to the logical conclusion that, no, I am not comfortable with this.

          Now that I've shown the work, I'll also repeat the answer: No, I am not comfortable with this. The flaw should be fixed.

          Now, why did you feel you had to ask?

      • PaulT (profile), 11 Feb 2019 @ 7:30am

        Re: Re:

        Exactly, there's plenty of blame deserved on both sides. If your garage is burgled a few times, the blame is on the burglars. But, if it turns out you know that your lock is faulty and the reason they keep getting in is because you refuse to buy a new one, then you share some of the blame.

        • Anonymous Coward, 11 Feb 2019 @ 8:09am

          Re: Re: Re:

          So you're saying there are many crappy people on both sides.

          • Anonymous Coward, 11 Feb 2019 @ 8:14am

            Re: Re: Re: Re:

            I think he's saying you're crappy. That much is undisputed.

          • PaulT (profile), 11 Feb 2019 @ 8:20am

            Re: Re: Re: Re:

            I'm saying the blame should go to where it's due, and one party doesn't get to shirk their responsibilities just because the other was more actively "bad". Reality is more nuanced than that, and we should be placing blame where it's actually due rather than racing to pretend there's only a single party at fault. If someone is responsible, they should get to face the consequences.

      • Anonymous Coward, 11 Feb 2019 @ 7:58am

        Re: Re:

        Claiming a duty is imputing liability on the carriers, who aren't responsible for the hacking any more (under this logic) than Google is to blame for someone's employer finding an archived post on 4Chan that never would have reached them, or than an ISP, webhost, or payment processor is to blame for piracy that wouldn't have occurred without their flawed systems.

        I was pointing out the logical inconsistency.

        • TFG, 11 Feb 2019 @ 8:10am

          Re: Re: Re:

          The carriers are, and should be held, liable for failing to fix a known security flaw - this is generally known as negligence. They are not, and should not be held, liable for each individual hacking instance.

          I do not see a logical inconsistency here.

          • Anonymous Coward, 11 Feb 2019 @ 8:18am

            Re: Re: Re: Re:

            Allowing mass piracy or mass defamation is also a security flaw within the control of the platform. People just don't want to blame them while they do want to blame the cell carriers for what their users do.

            I'm sure there's a lot you don't see.

            • PaulT (profile), 11 Feb 2019 @ 8:25am

              Re: Re: Re: Re: Re:

              "Allowing mass piracy or mass defamation is also a security flaw within the control of the platform."

              No, it's not. What you're whining about had nothing to do with security.

              "they do want to blame the cell carriers for what their users do."

              Yep, you don't understand the issue. The carriers are not being blamed for the actions of their customers. They're being blamed for their own actions.

              • TFG, 11 Feb 2019 @ 8:41am

                Re: Re: Re: Re: Re: Re:

                Oh, now I see the logical inconsistency.

                It's in comparing mass piracy or mass defamation to a security flaw. You see, mass piracy, or more properly termed "potential mass copyright infringement" is a very nuanced mess, since there's a question of intent and fair use with copyright infringement, and it has to do with that messy thing called culture, and people sharing culture with each other, and tech's inability to engage the all-important thing called "context" when determining that infringement exists. "infringement" sometimes isn't, and the legality in these cases is often murky.

                On the other hand, the SS7 flaw, which is a security hole that enables bad actors to take clearly illegal actions, does not have any of these pitfalls. It's a clear problem that is enabling clearly illegal actions, and which it is entirely possible to fix with no magic solutions.

                The realms have so many differences that there's no logical basis to compare the two.

                I doubt you'll acknowledge this, but I can hope.

        • Anonymous Coward, 11 Feb 2019 @ 8:10am

          Re: Re: Re:

          Your imagined inconsistency doesn't exist.

          • Anonymous Coward, 11 Feb 2019 @ 8:17am

            Re: Re: Re: Re:

            Scholars would disagree, but what do Ph.D.s from Ivy League schools know?

            • Anonymous Coward, 11 Feb 2019 @ 8:32am

              Re: Re: Re: Re: Re:

              [Citation needed]

            • bob, 11 Feb 2019 @ 10:16am

              Re: Re: Re: Re: Re:

              Just because someone has a PhD doesn't mean they actually earned it or that the PhD is in a related field to the issue at hand.

              One would hope however that if a person has a PhD that would be able to follow logic and a conversation topic.

            • Anonymous Coward, 11 Feb 2019 @ 11:37am

              I got more prof than you got

              I have a super PhD from Saint Mary’s Carwash Academy and I say you are full of shit.

        • PaulT (profile), 11 Feb 2019 @ 8:22am

          Re: Re: Re:

          "I was pointing out the logical inconsistency."

          No, you were coming up with a bad analogy that serves only to indicate that you don't understand the issues and arguments here.

      • Anonymous Coward, 11 Feb 2019 @ 9:17am

        Re: Re:

        The banks should be held liable too, for implementing a text-message-based system when that's known to be insecure. It's like how we don't send banking details over email.

        • TripMN, 11 Feb 2019 @ 11:49am

          Re: Re: Re:

          This needs to be highlighted more.

          Many financial institutions don't have 2-factor authentication, and many of the ones that do send the auth token by text message or email... both known insecure methods. It's a damn shame that the biggest companies in the financial sector are still in the early 2000s as far as their security stance is concerned.

          And don't get me started on what they think is a strong password -- I'm looking at you, credit card companies that have a max 16 characters for passwords...

          • Anonymous Coward, 11 Feb 2019 @ 12:54pm

            Re: Re: Re: Re:

            Many financial institutions don't have 2-factor authentication, and many of the ones that do send the auth token by text message or email...

            There are seriously banks sending it over email?

          • Anonymous Coward, 11 Feb 2019 @ 1:37pm

            Re: Re: Re: Re:

            THIS. SO MUCH THIS.

    • Anonymous Coward, 11 Feb 2019 @ 7:33am

      Re:

      They are literally the ones enabling it at this point now that they know about it and have done jack and shit to fix it when it was within their means to do so. It is negligence essentially.

  • Glenn, 11 Feb 2019 @ 7:29am

    Headway? ...in getting the NSA to get the carriers to take away one of its favorite attack methods on targets? ...yeah, sure thing.

  • Anonymous Coward, 11 Feb 2019 @ 8:17am

    "They want their weapon!" -- Outbreak

  • Capt ICE Enforcer, 11 Feb 2019 @ 8:22am

    Feature

    Huh? I thought this was a feature from the telcos?

    • Anonymous Coward, 11 Feb 2019 @ 8:40am

      Re: Feature

      These flaws are all the more reason to inject the chip under your skin. Coming to you soon, whether you want it or not.
