SS7 Cellular Network Flaw Nobody Wants To Fix Now Being Exploited To Drain Bank Accounts
from the whoops-a-daisy dept
Back in 2017, you might recall how hackers and security researchers highlighted long-standing vulnerabilities in Signaling System 7 (SS7, or Common Channel Signalling System 7 in the US), a series of protocols first built in 1975 to help connect phone carriers around the world. While the problem isn't new, a 2016 60 minutes report brought wider attention to the fact that the flaw can allow a hacker to track user location, dodge encryption, and even record private conversations. All while the intrusion looks like ordinary carrier to carrier chatter among a sea of other, "privileged peering relationships."
Telecom lobbyists have routinely tried to downplay the flaw after carriers have failed to do enough to stop hackers from exploiting it. In Canada for example, the CBC recently noted how Bell and Rogers weren't even willing to talk about the flaw after the news outlet published an investigation showing how, using only the number of his mobile phone, it was possible to intercept the calls and movements of Quebec NDP MP Matthew Dubé.
But while major telecom carriers try to downplay the scale of the problem, news reports keep indicating how the flaw is abused far more widely than previously believed. This Motherboard investigation by Joseph Cox, for example, showed how, while the attacks were originally only surmised to be within the reach of intelligence operators (perhaps part of the reason intelligence-tied telcos have been so slow to address the issue), hackers have increasingly been using the flaw to siphon money out of targets' bank accounts, thus far predominately in Europe:
"In the case of stealing money from bank accounts, a hacker would typically first need a target’s online banking username and password. Perhaps they could obtain this by phishing the target. Then, once logged in, the bank may ask for confirmation of the transfer by sending the account owner a verification code in a text message. With SS7, the hackers can intercept this text and enter it themselves. Exploiting SS7 in this way is a way to circumvent the protections of two-factor authentication, where a system not only requires a password, but something else too, such as an extra code."
Again the flaw isn't new; a group of German hackers widely demonstrated the vulnerability in 2008 and again in 2014. It's believed that the intelligence community has known about the vulnerability even earlier, and the hackers note that only modest headway has been made since German hacker Karsten Nohl first demonstrated it. Some mitigation efforts have been put into place, but not quickly or uniformly enough to constrain the exploitation of the flaw:
"The fundamental issue with the SS7 network is that it does not authenticate who sent a request. So if someone gains access to the network—a government agency, a surveillance company, or a criminal—SS7 will treat their commands to reroute text messages or calls just as legitimately as anyone else’s. There are protections that can be put in place, such as SS7 firewalls, and ways to detect certain attacks, but room for exploitation remains."
Senator Ron Wyden wrote to the FCC (pdf) in May of last year stating the agency hadn't done enough to pressure carriers into fixing the problem, but nothing much appears to have happened in the wake of that letter. Much like the cellular industry's location data scandals, it's likely going to take a few more high profile scandals to create enough momentum to drive actual change.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: bank robbery, security, ss7, telcos
Reader Comments
Subscribe: RSS
View by: Time | Thread
'What do you mean they can do it to ME as well?!'
Much like the cellular industry's location data scandals, it's likely going to take a few more high profile scandals to create enough momentum to drive actual change.
Nah, all it would take would be for a hacker to get greedy enough to go after a large target, like a politician, CEO or a celebrity. If one of those got hit by this I suspect that overnight there would be plenty of 'momentum', both from them and other rich individuals who suddenly realized that it can affect more than the peons.
[ link to this | view in chronology ]
Re: 'What do you mean they can do it to ME as well?!'
Unfortunately, it's likely that the criminals perpetrating this sort of theft aren't that short-sighted. They certainly don't want it fixed, or they wouldn't be able to continue to exploit it, so they are likely to avoid those targets who, once targeted, would light a fire to fix it.
They're also likely to avoid the large-scale drains that get significant law enforcement attention, again, so as to remain in operation.
[ link to this | view in chronology ]
Re: Re: 'What do you mean they can do it to ME as well?!'
But once the process is scripted, you're going to have criminals who have no idea what's under the hood who decide to reroute someone prominent. This isn't really a possibility, it's a certainty. It's happened in every other exploit field out there eventually.
[ link to this | view in chronology ]
Re: 'What do you mean they can do it to ME as well?!'
Action will only be started after the big profile hack. Then there will be discussions on how to change the SS7 protocol, vendors will have to update their software/firmware/equipment (and test it) and then the new soft- and hardware will have to be installed and configured at the phone companies.
With sufficient presure, it can be done in a year. Without pressure, mañana. Essentially the same issues as one sees with the IoT.
[ link to this | view in chronology ]
Re: 'What do you mean they can do it to ME as well?!'
Well, no. They're already hitting "large targets", the banks themselves.
In the US, when you deposit money at a bank, you're effectively loaning that money to the bank - that's why they pay interest.
The banks are insured against loss of that money.
Something like this is little different than if Billy the Kid came in and stole bags of money, or if a Teller slips a few hundreds in their pocket.
The bank simply puts the appropriate number of ones and zeros in the effected account and files it as a loss to their insurer. I think it's still the FDSLIC.
[ link to this | view in chronology ]
Re: 'What do you mean they can do it to ME as well?!'
So, if say, big name Twitter users got hacked. Perhaps Obama, Biden, or such?
I can see the flaw going away overnight /s
[ link to this | view in chronology ]
it'll soon get fixed once someone of power and wealth is concerned! as long as it's only ordinary people who are losing out, like with everything else since Trum(pet) became President and companies are getting whatever benefit they can, no one gives a shit!
[ link to this | view in chronology ]
Re:
This will also happen to Section 230 when the "wrong" person is targeted for defamation, say an outspoken freshman congressperson who just got lied about rather viciously.
[ link to this | view in chronology ]
Re: Re:
Unles Section 230 became a sentient being and defamed Alexandria Ocasio-Cortez, nothing is going to happen to it. Now, the person who defamed her, on the other hand…
[ link to this | view in chronology ]
Re: Re:
Well, it certainly would be a shame that someone decides to hold people accountable for things they did not do just because they had their feelings hurt.
Fortunately, the person you're talking about seems to react to criticism with good natured and fact-based retorts, unlike the toddler in chief.
[ link to this | view in chronology ]
Re: Re:
Noam Chomsky's not going to be on the jury, mate.
[ link to this | view in chronology ]
Re: Re:
I would bet good money right now, that you actually thought that was a clever “gotcha.”
[ link to this | view in chronology ]
Re:
"In a surprise announcement, the Republican National Committee has revealed it is bankrupt. A spokesman for the party said they had plenty of money in their accounts last week, but today they just don't know where the money has gone. But not everybody is going begging. Amnesty International, Greenpeace and the United Negro College Fund announced record earnings this week due mostly to large anonymous donations."
[ link to this | view in chronology ]
Re: Re:
One of my favorite movies of all time. Too many secrets.
[ link to this | view in chronology ]
Copyright: blame the pirate Hacking: blame the phone company
[ link to this | view in chronology ]
Re:
Not quite blame the phone company. For each individual instance of hacking, blame the hacker. The article isn't asking for the telcos to be held liable for the hacking instances, or to pay damages to the afflicted, etc. etc.
Instead, for not working to fix a long-known exploit in their system, blame the phone companies, because part of their duty to their users is to keep their systems secure. The SS7 flaw is the system's architecture not working the way it was intended to originally, and thus should be fixed. That they've tried to downplay it doesn't speak well of them.
[ link to this | view in chronology ]
Re: Re:
State-backed hackers all have the ability to use these exploits. Are you comfortable with your countries enemies having this kind of access to your top people at all times?
[ link to this | view in chronology ]
Re: Re: Re:
To hell with the "top people". I'm not comfortable with anyone having this kind of access to my stuff.
The "top people" don't care about us. Why should we care about them?
[ link to this | view in chronology ]
Re: Re: Re: Re:
Unless you make cross-exchange calls regularly, they don't have this kind of access to your stuff. This mostly affects people who use their phones in roaming mode or make lots of predictable international calls. Technically, it could also be done between local exchanges, but you'd have to really know what you were doing and what the peering agreements are between those exchanges, because they usually have more in place to spot stuff like this.
Interestingly, that means that this exploit really affects business managers and higher, not so much the little people. And since it would get caught out if used often on high profile targets, it usually gets used on secondary targets to gather third party metadata.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
I was under the impression the flaw didn't care whether you were making cross-exchange calls or not, as long as you knew some details about who you wanted to attack, you could do it. Reason being is because you can pose AS another carrier and the system never actually verifies that you are telling the truth.
And state backed hacking groups and other well resourced crime organizations (not to mention anyone who has the drive and time to figure it out) wouldn't bother to figure this all out? As stated above, the system just doesn't care who you are, it defaults to trust all requests. So peering agreements or not, you could still execute a few breaches and get away with it, and technical details like that aren't going to matter to a well resourced group. That's just all part of the job.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
I don't recall anyone ever demonstrating this against a landline. That might mean landlines are not vulnerable (which suggests roaming or something mobile-specific is in play), or they just didn't try hard enough or at all.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re:
Sorry, how did landlines come into this?
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re:
As a way to avoid the issue?
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re:
See above, "This mostly affects people who use their phones in roaming mode". Landlines don't have roaming.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re:
Dude, we're talking SS7 CELLULAR NETWORKS, they are never NOT roaming. Nobody was ever talking about landlines.
Read the article.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
The article doesn't say anything about "cellular". Karl added that in the title, but SS7 is used for cellular, landline and IP phones (behind the scenes, not in the actual phones). It's not obvious at all the non-cellular ones are immune. They can't receive text messages but banks will send spoken 2FA codes to those numbers.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
The body of the article may not say it explicitly but the title does, which implies the body of the article will be related to cellular, not landlines. This is further supported by the fact that it's not very common to use landlines for MFA purposes since they can't receive text messages, which is the more common and preferred method, other than authenticator apps, to send MFA tokens.
Regardless of all that, it's still irrelevant. Literally no one was talking about this in relation to landlines.
Everyone was talking about how this related to cellular users. All discussion was related to cellular users. The AC a few posts up (or you if you are the same one) suddenly started talking about landlines as a refutation to one of my points which had zero to do with landlines.
If you want to talk about vulnerabilities in landlines we can do that, but it has absolutely no bearing on the discussion at hand.
[ link to this | view in chronology ]
Re: Re: Re:
Given I'd like the telcos to step up and fix the system, as indicated by my stating that it should be fixed, it is a simple matter to come to the logical conclusion that, no, I am not comfortable with this.
Now that I've shown the work, I'll also repeat the answer: No, I am not comfortable with this. The flaw should be fixed.
Now, why did you feel you had to ask?
[ link to this | view in chronology ]
Re: Re:
Exactly, there's plenty of blame deserved on both sides. If your garage is burgled a few times, the blame is on the burglars. But, if it turns out you know that your lock is faulty and the reason they keep getting in is because you refuse to buy a new one, then you share some of the blame.
[ link to this | view in chronology ]
Re: Re: Re:
So you're saying there are many crappy people on both sides.
[ link to this | view in chronology ]
Re: Re: Re: Re:
I think he's saying you're crappy. That much is undisputed.
[ link to this | view in chronology ]
Re: Re: Re: Re:
I'm saying the blame should go to where it's due, and one party doesn't get to shirk their responsibilities just because the other was more actively "bad". Reality is more nuanced than that, and we should be placing blame where it's actually due rather than racing to pretend there's only a single party at fault. If someone is responsible, they should get to face the consequences.
[ link to this | view in chronology ]
Re: Re:
Claiming a duty is imputing liability on the carriers, who aren't responsible for the hacking any more (under this logic) than Google is to blame for someone's employer finding an archived post on 4Chan that never would have reached them, or than an ISP, webhost, or payment processor is to blame for piracy that wouldn't have occurred without their flawed systems.
I was pointing out the logical inconsistency.
[ link to this | view in chronology ]
Re: Re: Re:
The carriers are, and should be held, liable for failing to fix a known security flaw - this is generally known as negligence. They are not, and should not be held, liable for each individual hacking instance.
I do not see a logical inconsistency here.
[ link to this | view in chronology ]
Re: Re: Re: Re:
Allowing mass piracy or mass defamation is also a security flaw within the control of the platform. People just don't want to blame them while they do want to blame the cell carriers for what their users do.
I'm sure there's a lot you don't see.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
"Allowing mass piracy or mass defamation is also a security flaw within the control of the platform."
No, it's not. What you're whining about had nothing to do with security.
"they do want to blame the cell carriers for what their users do."
Yep, you don't understand the issue. The carriers are not being blamed for the actions of their customers. They're being blamed for their own actions.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
Oh, now I see the logical inconsistency.
It's in comparing mass piracy or mass defamation to a security flaw. You see, mass piracy, or more properly termed "potential mass copyright infringement" is a very nuanced mess, since there's a question of intent and fair use with copyright infringement, and it has to do with that messy thing called culture, and people sharing culture with each other, and tech's inability to engage the all-important thing called "context" when determining that infringement exists. "infringement" sometimes isn't, and the legality in these cases is often murky.
On the other hand, the SS7 flaw, which is a security hole that enables bad actors to take clearly illegal actions, does not have any of these pitfalls. It's a clear problem that is enabling clearly illegal actions, and which it is entirely possible to fix with no magic solutions.
The realms have so many differences that there's no logical basis to compare the two.
I doubt you'll acknowledge this, but I can hope.
[ link to this | view in chronology ]
Re: Re: Re:
Your imagined inconsistency doesn't exist.
[ link to this | view in chronology ]
Re: Re: Re: Re:
Scholars would disagree, but what do Ph.D.s from Ivy League schools know?
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
[Citation needed]
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
Just because someone has a PhD doesn't mean they actually earned it or that the PhD is in a related field to the issue at hand.
One would hope however that if a person has a PhD that would be able to follow logic and a conversation topic.
[ link to this | view in chronology ]
I got more prof than you got
I have a super PHD from Saint Mary’s Carwash Academy and I say you are full of shit.
[ link to this | view in chronology ]
Re: Re: Re:
"I was pointing out the logical inconsistency."
No, you were coming up with a bad analogy that serves only to indicate that you don't understand the issues and arguments here.
[ link to this | view in chronology ]
Re: Re: Re: Re:
You mean I don't agree with you on platform liability, not that I don't understand the issue. I know the flaw exists.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
My reply elsewhere also applies here:
"Oh, now I see the logical inconsistency. It's in comparing mass piracy or mass defamation to a security flaw."
Link to my comment in full: https://www.techdirt.com/articles/20190131/10492341502/ss7-cellular-network-flaw-nobody-wants-to-fix -now-being-exploited-to-drain-bank-accounts.shtml#c438
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
"You mean I don't agree with you on platform liability, not that I don't understand the issue"
No, I mean that the only way you can think that differently standards are being applied if that you don't understand the arguments being made on the issues.
[ link to this | view in chronology ]
Re: Re:
The banks should be held liable too, for implementing a text-message-based system when that's known to be insecure. It's like how we don't send banking details over email.
[ link to this | view in chronology ]
Re: Re: Re:
This needs to be highlighted more.
Many financial institutions don't have 2-factor authentication, and many of the ones that do send the auth token by text message or email... both known insecure methods. It's a damn shame that the biggest companies in the financial sector are still in the early 2000s as far as their security stance is concerned.
And don't get me started on what they think is a strong password -- I'm looking at you, credit card companies that have a max 16 characters for passwords...
[ link to this | view in chronology ]
Re: Re: Re: Re:
There are seriously banks sending it over email?
[ link to this | view in chronology ]
Re: Re: Re: Re:
THIS. SO MUCH THIS.
[ link to this | view in chronology ]
Re:
They are literally the ones enabling it at this point now that they know about it and have done jack and shit to fix it when it was within their means to do so. It is negligence essentially.
[ link to this | view in chronology ]
Headway? ...in getting the NSA to get the carriers to take away one of its favorite attack methods on targets? ...yeah, sure thing.
[ link to this | view in chronology ]
"They want their weapon!" -- Outbreak
[ link to this | view in chronology ]
Feature
Huh? I thought this was a feature from the telcos?
[ link to this | view in chronology ]
Re: Feature
These flaws are alll the more reason to inject the chip under your skin. Coming to you soon, whether you want it or not.
[ link to this | view in chronology ]