Criminals are Now Exploiting SS7 Flaws to Hack Smartphone Two-Factor Authentication Systems

I’ve previously written about the serious vulnerabilities in the SS7 phone routing system. Basically, the system doesn’t authenticate messages. Now, criminals are using it to hack smartphone-based two-factor authentication systems:

In short, the issue with SS7 is that the network believes whatever you tell it. SS7 is especially used for data-roaming: when a phone user goes outside their own provider’s coverage, messages still need to get routed to them. But anyone with SS7 access, which can be purchased for around 1000 Euros according to The Süddeutsche Zeitung, can send a routing request, and the network may not authenticate where the message is coming from.

That allows the attacker to direct a target’s text messages to another device, and, in the case of the bank accounts, steal any codes needed to login or greenlight money transfers (after the hackers obtained victim passwords).

Tags: , , , ,

Posted on May 10, 2017 at 6:50 AM26 Comments

Comments

Ninja May 10, 2017 7:03 AM

Considering some banks are still using 6 digits, all number passwords it’s going to take a lot of damage before this is fixed. I’m trying to disable the option of receiving 2fa codes in my phones but some services don’t have such option unless you remove your phone number entirely, which is not desirable to me for a number of reasons on some services. For now I’m relying on a password manager with 2FA that has no connection to any phone aside from the code generator plus the standalone printed codes. It will surely mitigate any possible exposure but it is far from what I would consider fine. Heck, there’s no peace of mind if you want to actually do your security right, there will always be some caveat.

taw6 May 10, 2017 7:52 AM

I can not see how the above description allows you to intercept an SMS, when the SMSC sends an MT, it will issue an HLR request to the serving HLR and it will receive the MSE GT address back in response back. You would however be able to send fake MO and MT messages with SS7 access.

If the 1000 Euro SS7 connected had a genuine GT address and so would allow you to act as an MSE, I guess in principal you could fake register the handset with the HLR and indeed MT messages would end up on the MSE you are faking.

SS7 was never designed to be allowed to be used by the public in this way, it would however be straightforward to black list these GT address from your network and stop this possibility.

I have not yet seen an explanation of how it is working so maybe its another method.

The real problem is that none Telcos can even get SS7 access.

Peter Galbavy May 10, 2017 8:04 AM

Problem is that there are any number of messaging brokers that allow clients to craft the full SMS, including metadata and they sit out there on the public network with their own, sometimes insecure, authentication systems. Having direct SS7 access is only one vector.

Robert Thau May 10, 2017 8:59 AM

Might help to be more precise about which 2FA schemes are affected. What SS7 access breaks is 2FA-by-SMS, which doesn’t actually require a smartphone; ancient Nokia featurephones will do, so long as they can receive text messages. (Which is actually a reason that SMS used to be preferred to other 2FA schemes in some applications.) Conversely, there are smartphone-specific systems, like the use of TOTP apps (Google Authenticator, Authy, etc), which are immune to monkeywrenching at the telco level, since they don’t use the network at all after initial provisioning.

(The one-time password for TOTP is, roughly, a truncated HMAC of a timestamp and a shared secret between the phone and the app. To authenticate, the user reads the password for “right now” off the phone screen and types it into the app. So, once the shared secret is on the phone, there’s no further direct communication between the phone and the app. Thus, there’s nothing for SS7-based attackers to mess around with.)

TS May 10, 2017 9:33 AM

@Robert – very helpful addition kudos.

Steam, guildwars2, blizzards battle.net,. should all be unaffected then.

Just banks and apple/google which and when they use actual SMS communication.

Andy May 10, 2017 9:50 AM

You should also be able to trust TCP based “push” notifications (generally backed up by TOTP), at least for now, since they are not routed by SS7.

Yawnbox May 10, 2017 9:58 AM

Why do you call two-step via SMS “two-factor”?

No integrity, no authentication.

“Something you’re given” is neither “something you have” or “something you know”. There is only the presumption that you will be the one to “have” or “know” the token.

Russ May 10, 2017 10:15 AM

I was hacked last week for $11K. My bank, USAA, allowed a caller to bypass my 2FA ‘Cyber token’ (Symantec VIP) and use a cell phone sms txt message to authenticate instead. The good news is I also had notification messages turned on in my bank profile so I saw the wire transfer out of my account and was able to call them. (Police in Florida say they’ve caught someone.) I’m trying to convince USAA that sms txt messages are a problem now and becoming a bigger problem but they don’t seem to believe me or understand what I’m saying. In recent months they’ve been pushing sms messages as a way to secure customers so they appear to moving more in that direction instead of away from it.

USAA has been a great bank for me but this issue is causing me to reevaluate my banking needs.

Tony Pelliccio May 10, 2017 11:05 AM

The history of SS7 is fascinating. It grew out of the phreaking of the 1960’s and 1970’s. Ma Bell realized she had a problem with toll fraud and it was quit the sum.

First it started with modems in the central offices that would call the remote office to setup the call. A bit slow, that was known aa Common Channel Interoffice Signalling Systems or CCISS it got to level 5.

Then that all got replaced by SS7. And because it was Ma Bell her engineers never thought SS7 would be used by outside parties so there was no security built in.

War Geek May 10, 2017 1:30 PM

I guess its a fun Schadenfreude story?

Rather see news about people being held accountable for SS7 remaining a raging dumpster fire.

Some of the older school phreaking types that moved on from free bridges have been playing SS7 games for many years. Here’s a 5 year old story where the FBI and Scotland Yard had their heads handed to them by anonymous-ish types. Two LEO’s whining at each other about hackers, released for world entertainment.

http://www.latimes.com/business/technology/la-anonymous-leaks-fbi-phone-call-discussing-hacking-investigations-20120203-story.html

WG

Janos May 10, 2017 3:39 PM

I bank with USAA and I’ve had my identity stolen once (I believe it was on my trip to Hawaii. Luckily I have notifications set up so I was able to catch them before they did much damage ($200 out of an ATM). USAA was great in fixing the issue but having this article come out still concerns me. I am pretty new to hacking (taking an ethical hacking class right now) so my question is would a stand alone authentication app such as what Blizzard employs be more secure than what is currently being used?

Rhys May 10, 2017 3:58 PM

Mr. Pellico- SS7 had a very fundamental purpose back in 1975. With the advent of electronic processing (including AT&T’s own)- they could converge on both efficiency and availability with circuit switching. If holding time and offered load approach unity- cost and resource usage were the targets (traffic theory- operating time + talk time = holding time).

And they could move from high reliability costs to high availability while increasing user experience (four nines to six nines) with the new MTTR times.

There is “shrinkage” in every retail business’s allowance. Toll fraud, while an issue, was a financial calculation of IROR (internal rate of return or MROR- modified internal rate of return). With the ongoing court fight culminating in the consent decree of 1982, user devices were no longer under the ownership control of the operating company. DTMF (along with demarcation devices) were subsequently introduced. Only as a stop gap by Congressional mandate. USOC & universal availability once required amortization of user devices over 40 years. AT&T could not spread those costs for other technical solutions when 5 years was no longer an operating plan, let alone 40.

Everything on the integrity and assurance of the network was overseen by the NSA and some guidance by the DoS with the introduction of the agreed CCIT7 of 1980. Circuit switched solutions were all based on deterministic math. These were our entry into the global networking and markets. System Instruction (SI’s) numbers one through nine dealt largely with those issues. Somethings were/are still ‘sensitive’.

That system was based on a 5 level hierarchy. Peer-to-peer was not a concept, then. What became the ’82 Rainbow Series for Aerospace (e.g.NACSIM 5100/NICSIM 5200 Trusted Computing Systems, Trusted Computing Base, Trusted Network Interpretations…etc) were progeny of what was operational in the national network.

For others- the common denominator I would bring your attention to is that breaking up Telecommunications act of 1932 was poorly thought out and executed. What was thought to be profit for the new competitive start-up businesses was actually depreciation and operations expenses for a continuing asset base. Effectively, Congress gave liquidated assets to these private businesses with no obligation to sustain either the national initiatives or public infrastructure. They prospered not by good business acumen. Rather by privilege of omission. But now, they are too big to fail and the public must again underwrite the lack of stewardship.

Comms fan May 10, 2017 4:44 PM

Some time ago we resold and commissioned a service where the subscriber could use his gsm phone via satellite links.
It all relied on ss7 hacks, basically it was done like this:
Serviceprovider paired your imsi with an iax2 account.
Once you logged into iax2 the provider sent a message to the ss7 network imsi xyz is with me
The HLR of your home gsm net sent a tripplett to the service provider, consisting of auth tokens.
In a gsm net the roaming net would forward parts of it to your sim and using the other parts to verify the response of the sim then an ack is sent to your home net.
In our setup the provider discarded the tripplet and sent an ack back…

That much to gsm/ss7 security

Nick P May 10, 2017 7:25 PM

@ Rhys

“What became the ’82 Rainbow Series for Aerospace (e.g.NACSIM 5100/NICSIM 5200 Trusted Computing Systems, Trusted Computing Base, Trusted Network Interpretations…etc) were progeny of what was operational in the national network. ”

Interesting info on phone stuff but this seems incorrect from my research. The criteria came out of work from a mix of CompSci and defense sector spearheaded by both Anderson, Schell, and eventually Steve Walker. Anderson and Schell were where many early concepts came from. A bunch of these people did demonstrators until Honeywell’s SCOMP was test case. The Orange Book was designed in parallel with it over a 10 year period implementing ideas from high-assurance, security researchers. The other stuff were tweaks of networking, databases, and so on to use those same concepts with sometimes those same kernels (eg SeaView Database). The commercial sector was moving much faster on insecure stuff with them on Windows desktops and UNIX servers by time high-assurance had essentially mastered time-sharing machines w/ prototypes for desktops and servers. There was no interest or overlap in high-assurance systems outside Black Forest Group and some buying “Trusted” OS’s that were watered down to B1 level.

So, high-assurance stuff certainly didn’t come from telephone network. It was an independent activity that mirrored what the military did mostly with cherry-picked use of stuff from FOSS or commercial sector they tried to secure. I can link to relevant documents tracing the history of it if you need.

Elliot May 11, 2017 1:45 AM

Banks tend to be more inefficient than Credit Unions. I wonder if American credit unions are as dumb as the for-profit banking industry?

Nobody May 11, 2017 2:37 AM

Some comments: The price mentioned is roughly a small wholesale access per month. Some darknet resellers are even much cheaper.

The attack itself can be found e.g. from Positive Technologies from August 2014. Since there are some “experienced” guys here and the info is public anyway, here a summary:
VSMSC impersonation: SRI_SM-> getting IMSI
VMSC impersonation: UL -> “stealing” subscriber
SMS arrives at HN
HN sends SRI_SM to fake VMSC
Fake VMSC answers with a fake SMSC address, where then the message is send to.
and it works…..

GTs of target NW can be found on the internet.

There are hundreds of authorized entities having access to the Interconnetion + the ones they rent out to. For SS7 the best one can do is signaling firewalls and then try to do things better for diameter LTE (IPsec) as much as possible (remember that this is a network for the whole world, some don’t have security knowledge or any money at all ….).

The data layer trick only works, if the user has an app which takes care of the e2e encryption. But I would not consider the data layer approach “fully safe” e.g. Belgacom GTP attack (see theintercept).

What is more worrisome is the range of services, which use SMS for sensitive services like password recovery purposes: Facebook, twitter, google, amazon etc. In particular, looking at IoT stuff that uses cellular e.g. arming / disarming a house alarm system with SMS, or other “funny” things.

Denis May 11, 2017 4:03 AM

@Yawnbox SMS is considered “two-factor” because it checks if you’ve got your phone (=what you have). Presumably, only the person who has the mobile phone on him will get the SMS code and will be able to type it back to the authentication system – in addition to whatever password he knows.

Bank Customer May 11, 2017 6:19 AM

Did you mean to say criminals exploit hardware/software/high-tech security flaws?

I always thought it was NSA.

Rhys May 11, 2017 3:25 PM

Well Nick P- unless we are confusing specific instantiations with actual historic developments, there a lots of people who synthesize gold from straw.

Alchemy and Rumplestiltskin are fine stories by the many personalities similar to Al Gore’s. (spec. Success has a million fathers, failure is an orphan.)

For fiction writing, the method of storytelling is called ‘reboot’.

There are some disruptive aberrations, however. Such as the SigSaly (AKA Green Hornet). Work performed not at academic institutions. Sometimes a trade secret, sometimes a concession to national purpose.

This is unclassified- http://www.armysignalocs.com/veteranssalultes/44-35_mehl_bookrvw.html

Here’s a timeline you might look at: http://thocp.net/companies/att/att_company.htm

There are so many other aberrations to pure research and discovery of the 1950’s and ’60’s.

Is it your belief that transcontinental (CONUS) telecommunications came about with zero government participation? Or that intercontinental (OCONUS) cable links were just accidents with no security, no protective hierarchy (sound like “watermarks” high or low)? Going all the way back to the very 1st 1878/1879 telephone cable connection between New Haven and London- government and financial/banking transactions occurred without separations and/or protections? Or that Telstar 1 was just another spontaneous emission from the pursuit of an installed base and no security/privacy? Was information sent analog near exclusively for 100 years? And intercept, disruption, and injection were invented only by digital engineers from the 60’s? Compromising emanations were only openly discussed in the late ’50s -which should mean these were protectively known before then, don’t you think?

I was given a book of Bell System Practices dated 1891 revision 1895 when they closed the library at Monmouth. You should have fun with the “L” carrier section. That is if you believe there was no IA before digital academic research of 1950’s.

Nick P May 11, 2017 8:42 PM

@ Rhys

You didn’t link to anything contradicting my points although you talked a lot about government and communication networks (a different topic). Networks which NSA et al have been protecting for a long time under COMSEC and EMSEC. That’s all declassified documents I’ve seen show they were concerned about. They didn’t seem worried much about “COMPUSEC” (their phrase) until founders of INFOSEC going against the flow forced them with a series of embarrassing pentests. Military early on even mocked anyone for caring adding sometimes that all you needed for endpoints was access control. Anderson, of the Anderson Report, was actually the guy responsible for NSA’s security since those inside cared about COMSEC/EMSEC only. I’m guessing he embarrassed them into such a one-man deal like they did others. Anderson, Schell, and others spent a lot of time doing pentests, adversarial presentations, and so on to convince U.S. government to do a program for INFOSEC. Even as Walker did the Computer Security Initiative, there were still people in NSA publicly saying (problem here) wouldn’t be a big deal while it became a big deal by high-assurance security publications from the people that warned them in the first place.

So, no, there’s no evidence the U.S. government formally invested in inventing INFOSEC. The guy behind hardware/software safety was a Burrough’s genius named Bob Barton who Alan Kay vouches for as smart enough to do it himself. After Burroughs B5000, a Burroughs guy named Anderson went against the tide embarrasing so many that they were forced to listen. They and a blind guy whose name I forgot worked together periodically with some in CompSci to define a lot of the key concepts. After the Orange Book happened and failed commercially, Schell asked the blind guy working on the Intel 286 to add security measures Intel didn’t care about. He snuck things like segments in there which highly-secure systems used afterward. There was parallel work for things like KeyKOS on capability-security side, Computational Logic Inc on verified stacks, high-assurance attempts at Ada runtimes, and so on. This stuff was all a relatively small number of people in academia, government, and industry who believed this stuff was essential and kept building it. Schell later admitted he even semi-embezzled money to fund SCOMP system since military refused to fund a secure system. They thought they were funding something else.

So no, these magic government and military institutions probably weren’t behind that stuff. They fought it endlessly saying it was unnecessary. Most projects had to use scraps while bullshit projects reflecting open beliefs got plenty of funding and failures. Enough of it survived to create a movement. In parallel, mainstream hackers were creating awareness of securit problems pushing their weak tactics for popular stuff. The field converged slightly then matured into silos CompSci security, government/military-focused stuff, private defense, private non-defense, and mainstream INFOSEC. More overlap than before but still silod as I face on a regular basis. Most of the credit should go to Burroughs for their culture producing three key players (esp founders) along with specific CompSci researchers, private companies, and military heretics who contributed.

Anonymous Coward May 12, 2017 6:16 AM

Hasn’t it been known since the illegal “PATRIOT ACT” was passed, if not before then, that relying on unencrypted SMS or email to reset passwords, login to an account without a password, or to compensate for weak or leaked passwords, is extremely irresponsible? I’m honestly trying to understand how this is news, not to disrespect Bruce Schneier.

Clive Robinson May 12, 2017 7:27 AM

@ Anonymous Coward,

I’m honestly trying to understand how this is news…

Welcome to a bit of my world 😉

I said a whole load of things prior to Snowden, which were not believed but are now generally accepted post snowden.

Likewise I said things prior to Stuxnet about the weaknesses of code signing and how to abuse them as well as how to jump air gaps (when discussing attacking voting machines). They were not popular ideas untill after Stuxnet. Likewise I indicated that I thought the US target for Stuxnet was North Korea, after putting the evidence together, apparently I was “not right” untill a member of the US gov actually admitted it.

Then there was BadBIOS… Which my discription of how to make work also included how to make it hard drive and BIOS wiping proof. Which predated the debacal with the Lenovo persistant malware in their consumer laptops…

The list goes on and on but hey it might sound like I was sore 😉

I’ll leave you with this thought, there is a saying that is getting old fast these days,

    The first sign post to disaster is missed by all except a few clever outsiders. The second signpost to disaster is clear to the wiser insiders and with hindsight by those who can analyse the disaster and thereby learn it’s lessons. However the third signpost to disaster is seen by many of those involved, but are powerless to do anything. But the only time a sign post is ever “obvious” is after the disaster.

To which you could add these days,

    But obvious only to those talking heads who saw nothing before but now have 20-20 hindsight as their job is to talk it up for those who are just rubber necking as they watch Fox/CNN…

Which is why the defenistration of Mr Comey is so funny to me. The guy rail roaded Pres Obama on a number of occasions and should have been kicked out then, in fact a few people actually said so at the time. Now of course that is apparently compleatly forgotton by the talking heads, but I bet there are quite a few seniors in Silicon Valley that not only remember it, but would be quite happy if Mr Comey suffered a serious accident… Somewhat simillar to one of his predecessors.

Dror October 9, 2017 5:49 AM

Hi,
Very interesting topic.
I have few questions regarding the issue:
1. On top of this specific case of the German bank – have you heard on additional scenarios this SS7 flaw took place and people actually lost their money? (or, in other words, how relevant is this breach? was it a one time scam or do you/we know on additional similar cases)
2. What it takes to proactively identify this scam by the telecom operator? can the info extracted from a network sniffer/an SS7 probe be utilized to detect this scam? what is the business logic which needs to be applied?
Thanks for sharing.
Dror

ResearcherZero April 11, 2023 4:37 AM

“We drop bags of cash at your office.”

Digital surveillance is a booming industry in Africa. Major players include not just NSO Group, but China-based Huawei, UK-based Gamma Group, Milan-based Hacking Team, and the French firm Amesys. All these firms have sold cyber espionage tools to African clients who have used the software to track or crack down on dissidents.
‘https://www.brookings.edu/techstream/how-digital-espionage-tools-exacerbate-authoritarianism-across-africa/

“Two state governors in Nigeria acquired Circles systems and used them to spy on political opponents. In one case, the system was installed at the residence of a governor.”
‘https://citizenlab.ca/2020/12/running-in-circles-uncovering-the-clients-of-cyberespionage-firm-circles/

A common misapprehension is that security offences are very complicated and expensive to perform and can be executed only by security intelligence agencies or the most sophisticated hackers.
‘https://www.infopulse.com/blog/telecom-security-ss7-network-protocols

‘https://www.wired.com/2014/09/cryptophone-firewall-identifies-rogue-cell-towers/

ResearcherZero April 11, 2023 4:44 AM

When it comes to the communication between devices, there is a need to establish a link between devices for reliable transmission, and this connection can be made using protocols.
‘https://www.geeksforgeeks.org/different-functionalities-of-mtp3-layer/

‘https://www.eetimes.com/understanding-the-sigtran-protocol-suite-a-tutorial/

How do you transport SS7 over IP?

signalling and switching – Signaling System No. 7
‘https://media.ccc.de/v/osmodevcall-20210514-laforge-ss7-sigtran

Signaling System No. 7 (SS7), has been solely based on the mutual trust between the interconnecting operators.

SS7 is the protocol suite used by most telecommunications operators throughout the world to talk to each other (no authentication built in).
To support GSM/UMTS to LTE, there are interfaces mapping most of the SS7 functionality onto Diameter (no authentication built in).
‘https://www.smtechub.com/ss7-attack/

“The presidency yesterday expressed shock as the Nigeria Police Force (NPF) launched a legal bid to arrest the ongoing proceedings by judicial panels set up by state governments to investigate allegations of brutality…”
‘https://www.thisdaylive.com/index.php/2020/12/04/presidency-expresses-shock-as-police-move-to-stop-judicial-inquiries/

“We’ve seen our fair share of federal government attempts to keep records about stingrays secret, but we’ve never seen an actual physical raid on state records in order to conceal them from public view.”
‘https://www.aclu.org/news/civil-liberties/us-marshals-seize-local-cops-cell-phone-tracking-files-extraordinary-attempt-keep-information

Police say Stingray, a suitcase-size device that pretends it’s a cell tower, is useful for catching criminals, but that’s about all they’ll say.
‘https://news.yahoo.com/police-keep-quiet-cell-tracking-technology-070618821–finance.html

‘https://www.rfc-editor.org/rfc/rfc4165

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.