We Were Warned About Flaws in the Mobile Data Backbone for Years. Now 2FA Is Screwed.
It has finally happened.
For years, researchers, hackers, and even some politicians have warned about stark vulnerabilities in a mobile data network called SS7. These flaws allow attackers to listen to calls, intercept text messages, and pinpoint a device's location armed with just the target's phone number. Taking advantage of these issues has typically been reserved for governments or surveillance contractors.
But on Wednesday, German newspaper The Süddeutsche Zeitung reported that financially-motivated hackers had used those flaws to help drain bank accounts.
This is much bigger than a series of bank accounts though: it cements the fact that the SS7 network poses a threat to all of us, the general public. And it shows that companies and services across the world urgently need to move away from SMS-based authentication to protect customer accounts.
"I'm not surprised that hackers take money that is 'lying on the table'. I'm just surprised that online bank thieves took so long in joining spying contractors in abusing the global SS7 network," Karsten Nohl, a cybersecurity researcher who has highlighted vulnerabilities in SS7, told Motherboard in an email.
In short, the issue with SS7 is that the network believes whatever you tell it. SS7 is especially used for data-roaming: when a phone user goes outside their own provider's coverage, messages still need to get routed to them. But anyone with SS7 access, which can be purchased for around 1000 Euros according to The Süddeutsche Zeitung, can send a routing request, and the network may not authenticate where the message is coming from.
That allows the attacker to direct a target's text messages to another device, and, in the case of the bank accounts, steal any codes needed to login or greenlight money transfers (after the hackers obtained victim passwords).
None of the vulnerabilities are news. As mentioned, Nohl previously demonstrated these issues, including at the Chaos Communication Congress hacking festival in 2014. Last year, Nohl listened in on Rep. Ted Lieu's (D-CA) phone calls (with his consent) using SS7 attacks. And just recently, Senator Ron Wyden (D-OR) and Lieu highlighted the vulnerabilities, and the Federal Communications Commission published a report about the problem.
Although some telcos have taken steps to mitigate the issue, there are clearly still huge gaps for hackers to exploit.
"Everyone's accounts protected by text-based two-factor authentication, such as bank accounts, are potentially at risk until the FCC and telecom industry fix the devastating SS7 security flaw," Lieu said in a statement published Wednesday. "I urge the Republican-controlled Congress to hold immediate hearings on this issue."
In the meantime, and maybe irrespective of whether SS7 problems are ever fixed, social media companies, banks, and other online services need to stop using SMS-based two-factor authentication. Last year the National Institute of Standards and Technology said it was no longer recommending solutions that used SMS.
Twitter does let users sign in with a code from Google Authenticator, an app on your smartphone that provides a more robust form of two-factor authentication, but the site apparently still sends those logging in an SMS code, which, in light of these recent SS7 attacks, totally undermines the extra security protections. Twitter did not immediately respond to a request for comment.
Motherboard even recently published a piece telling general readers that they were likely fine with only SMS-based two-factor authentication, which focused on another type of attack and was based on the premise that non-state hackers were not widely using SS7. That piece, clearly, is out of date.
"It is unacceptable the FCC and telecom industry have not acted sooner to protect our privacy and financial security," Lieu's statement added.