
Wired: Fixing the Cell Network Flaw That Lets Hackers Drain Bank Accounts

May 9, 2017

Recently, hackers managed to drain bank accounts across Germany. They did so not by hacking the banks themselves, but by exploiting a long-known flaw in a global telephony protocol known as Signaling System 7. It's the kind of attack that researchers have warned about for years—and may finally be the one that gets the telecom industry to clean up its giant SS7 mess.

Part of the global telecom backbone, SS7 enables carrier interoperability. It's what lets you receive an SMS text from your friend whether you're at your house, in a moving car, or halfway around the world roaming on a foreign network. And for years, analysts have warned that third parties can breach SS7, enabling spying and data interception. Or, in this case, the redirection of two-factor authentication codes that a bank intends for its customers.

As German newspaper Süddeutsche Zeitung first reported, once hackers obtained a bank customer's username, password, and telephone number, they were able to use SS7 vulnerabilities to reroute the two-factor codes that act as the last line of defense against fraud. This time, they targeted German carrier O2-Telefonica, but it could have been anybody. Which is all the more reason to fix SS7 once and for all.

"It's the first time now that we have non-ignorable evidence of SS7 abuse," says Karsten Nohl, chief scientist at the German firm Security Research Labs, who has been researching and publicizing the dangers of SS7 vulnerabilities since 2014. "I think that's a good development in the sense that if customers lose money, that must be acted on, whereas as long as they were 'just' being spied on, you could sweep that under the rug."

Patching the Hole

The SS7 problem stems from its original set-up. Because it's a way for telecoms to talk to one another—like T-Mobile asking Verizon to deliver an SMS text—it was designed to trust any request. For instance: Carriers often "ask" one another for the whereabouts of a certain device so they can calculate the nearest cell tower to route a call. These sorts of automated interactions happen all the time, but with little to no vetting. If a scammer poses as a telecom and asks that same location question, he'll get the same answer a real carrier would, enabling illicit tracking.

Nohl and others argue that overcoming SS7 insecurity requires implementing a series of firewalls and filters that can stop these types of attacks. That's more complicated than it sounds. First, setting up automated filters risks blocking legitimate communications, an inconvenience at best. "The overwhelming amount of SS7 traffic is legitimate, [so] carriers need to be measured as they implement solutions in order to avoid collateral network impacts," an FCC working group concluded in March.

Some SS7 experts warn, though, that the process of truly strengthening SS7 security takes a more nuanced approach than just filtering given the complexities involved. "It's doubtful that there's an easy filtering that would completely wipe out these kinds of attacks," says Philippe Langlois, CEO of the telecom security firm P1 Security. "We're not talking about adding a firewall rule and saying 'OK, now it's done.'"

Researchers say that adding encryption to SS7 would address more long-term SS7 concerns by shielding network traffic from prying eyes and bolstering authentication.

But Nohl says that the filtering systems telecoms can currently implement adequately protect against the real-world attacks that are actually happening. He notes that it's not the perfect solution a security expert would conceive if she were building a new SS7 from scratch, but the network or other similarly vulnerable protocols can't just disappear because of interoperability issues. And adding effective filtering offers at least the minimum mitigation. "Rolling out the SS7 solution involves several steps," Nohl says. "This is not just, you order something, you wait for two months, and then it magically appears. There's a whole set of filtering rules and you apply one after the other."
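The layered filtering Nohl describes, as an added example that is not code from the article or from any carrier's deployment: a simplified interconnect filter that runs a chain of rules, one after the other, over constructed MAP-style messages. The operation names follow common MAP operation names, but the network identifiers, the ten-minute velocity threshold and the message structure are assumptions for illustration.

```python
# Added example: a toy SS7 interconnect filter, not a real signalling stack.
# Network ids, subscriber ids and timestamps below are constructed.
from dataclasses import dataclass

@dataclass
class Msg:
    op: str              # MAP operation name, e.g. "updateLocation"
    origin_net: str      # network that sent the request (constructed id)
    subscriber: str      # IMSI-like subscriber id (constructed)
    ts: int              # seconds since epoch (constructed)

HOME_NET = "home"
ROAMING_PARTNERS = {"partner-a", "partner-b"}  # assumed partner list
# Operations that should only ever originate inside the home network.
HOME_ONLY_OPS = {"anyTimeInterrogation", "sendIMSI"}
VELOCITY_WINDOW = 600  # seconds; assumed threshold for a plausible move

def rule_home_only(msg, state):
    if msg.op in HOME_ONLY_OPS and msg.origin_net != HOME_NET:
        return "home-only operation from interconnect"
    return None

def rule_known_partner(msg, state):
    if msg.origin_net != HOME_NET and msg.origin_net not in ROAMING_PARTNERS:
        return "unknown origin network"
    return None

def rule_velocity(msg, state):
    # A subscriber cannot register on two networks minutes apart; a quick
    # updateLocation from elsewhere is the signal behind SMS rerouting.
    if msg.op == "updateLocation":
        last = state.get(msg.subscriber)
        if last and last[0] != msg.origin_net and msg.ts - last[1] < VELOCITY_WINDOW:
            return "implausible location change"
        state[msg.subscriber] = (msg.origin_net, msg.ts)  # record trusted move
    return None

RULES = [rule_home_only, rule_known_partner, rule_velocity]

def filter_messages(msgs):
    """Apply the rules in order; return a (decision, reason) pair per message."""
    state = {}
    results = []
    for m in msgs:
        verdict = ("allow", "")
        for rule in RULES:
            reason = rule(m, state)
            if reason:
                verdict = ("block", reason)
                break
        results.append(verdict)
    return results

SAMPLE = [  # constructed traffic: one roamer, then three suspicious requests
    Msg("updateLocation", "partner-a", "imsi-1", 1000),
    Msg("sendRoutingInfoForSM", "partner-a", "imsi-1", 1010),
    Msg("updateLocation", "evil-net", "imsi-1", 1100),
    Msg("updateLocation", "partner-b", "imsi-1", 1200),
    Msg("anyTimeInterrogation", "partner-a", "imsi-2", 1300),
]
```

Running `filter_messages(SAMPLE)` allows the first two messages and blocks the last three, each with the reason from the rule that fired.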

The whole process can at best take a company two to three months, says Nohl, who consults with telecoms on SS7 fixes. For larger operations with competing priorities it can drag on for months or years on end, but experts hope that the recent bank fraud will at last inspire businesses to make the necessary minimum changes.

Spurred to Action

While it has flaws, SS7 is also a private network, meaning criminals have to hack it to gain entry—or find a telecom insider willing to offer illicit access. As with almost anything, though, you can buy access on the underground spyware market for a few million bucks.

Whatever the way in, SS7 attackers have clearly become emboldened, which may spark action where other efforts haven't. Senator Ron Wyden of Oregon and California representative Ted Lieu have for months pushed for telecoms and the FCC to take action about SS7. So far the working group findings and a recent Department of Homeland Security report are what they have to show for it. Last year, the National Institute of Standards and Technology also stopped recommending the use of SMS messages in two-factor authentication because of concern about attacks exploiting SS7.

"It is unacceptable the FCC and telecom industry have not acted sooner to protect our privacy and financial security," Lieu said in a statement on Wednesday about the German bank fraud. "Everyone's accounts protected by text-based two-factor authentication, such as bank accounts, are potentially at risk until the FCC and telecom industry fix the devastating SS7 security flaw."

While privacy and security concerns about texts and calls didn't spur action, the danger posed to online accounts because of two-factor authentication through SMS may. "Implementing a full solution takes time and money, and is intrusive to the core network, which the operators don't like to touch," says Hassan Mourad, a security architect at IBM who has studied SS7. "But operators can take faster action to prevent this."

If they don't, the message they send to hackers crystallizes: SS7 remains fair game. And anyone who uses two-factor is a potential victim.