SS7 attack gives pause for thought

Stephen Drake|07 February 2019
In July of 2017, we wrote this blog post about why continuing to have mobile carriers in the digital security chain means that the attack that left several customers of O2-Telefonica in Germany with empty bank accounts is likely to occur elsewhere. We are re-posting it because unfortunately, it seems that we were right, with Metro Bank recently being the target of an SS7 attack. Experts believe that this isn’t an isolated case, so we may be hearing much more about these attacks soon.

A recent malicious attack on customers of O2-Telefonica in Germany saw several bank accounts drained. This may just be the clarion call for telcos to address a flaw in Signaling System 7 (SS7) that has been raising red flags for years. 

SS7 is an international telecommunications standard that defines how elements in a public switched telephone network (PSTN) exchange information. It is what allows us to receive an SMS text message whether we are at home or roaming in Europe. It is what enables carrier interoperability, and as such is the backbone of global communication.

THE PROBLEM WITH SS7

Unfortunately, this interoperability means that anyone with internal access to a telco or mobile network operator (MNO) can gain access to any other carrier's backend anywhere in the world. First-generation protocols like SS7, SWIFT and ISO 8583 were not designed with authentication built in, and as such rely on the network to restrict unauthorized access. These protocols are widely distributed and highly vulnerable: anyone who can reach the network can join it and send traffic. One need look no further than 2016's SWIFT attacks to see evidence of this.

Via SS7, intruders can track a phone's location, read or redirect messages, and even listen to calls. For almost a decade it has been possible to take over a cell tower using an interceptor like the VME Dominator or Ability’s ULIN. This poses significant risks for any institution that uses the telco network to transmit authentication information such as SMS one-time passwords (OTPs). Until now, there has been a high level of complacency around the risks of SS7, largely because no breach had ever happened at scale.

However, the May attack on German customers clearly showed that SS7 vulnerabilities can be weaponized against SMS OTP. In this instance, hackers accessed victims' computers via malware delivered by spam and were able to collect login details, passwords, bank balances and mobile numbers. By redirecting OTPs from the victims' phones via a rogue telecoms provider, the attackers were soon able to access their bank accounts. As in most SIM fraud attacks, the attackers made the online bank transfers late at night, when the victims were less likely to raise the alarm.

While global financial institutions, social media sites and others reliant on mobile authentication protocols cannot control the telecommunication networks, they can institute measures that will mitigate much of the risk to customers. The first and most obvious means to avoid this kind of attack is to move away from SMS OTPs altogether. After being deprecated by the US National Institute of Standards and Technology (NIST) in August last year, this technology is starting to be phased out by financial institutions across the globe. 

WHAT CAN BE DONE?

It is sometimes claimed that network-initiated unstructured supplementary service data (NI-USSD, also known as push USSD) is a safer option than SMS. Unlike SMS, which is a store-and-forward technology, push USSD allows a two-way exchange of data in real time. However, USSD sessions are still unencrypted, and can be redirected in the same way that calls can. An attacker could redirect an entire USSD session to a phone and the victim would not even know. If a network operator is compromised internally, USSD is no safer than SMS.

The only solution for true security is to create a completely isolated, end-to-end-encrypted communications channel and to properly authenticate the users of this channel. With Entersekt’s Transakt solution, this channel is enabled by a self-contained, NIST-compliant cryptographic stack. This means that there is no reliance on SS7 or even on the transport layer for communication. No third party can access data travelling over this channel, making it impervious to SIM fraud attacks of the kind seen in Germany, as well as a wide range of other attack vectors.
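To make concrete the distinction the post draws between an SMS OTP (a code that is itself the credential, so a redirected message hands it to whoever receives it) and a channel whose messages carry nothing reusable, here is an added Python sketch of a transaction-bound, device-key challenge-response. It is not Entersekt's or Transakt's code; the HMAC scheme, the out-of-band enrollment step and the sample transactions are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets

# Scheme 1: SMS OTP. The code is a bearer secret: whoever receives the SMS,
# including a party that redirected it via SS7, can submit it.
def issue_sms_otp() -> str:
    return f"{secrets.randbelow(10**6):06d}"

def verify_sms_otp(expected: str, submitted: str) -> bool:
    return hmac.compare_digest(expected, submitted)

# Scheme 2: challenge-response with a device-held key (hypothetical design).
# The key is provisioned at enrollment, assumed out of band, and never
# crosses the network; the response is bound to the exact transaction.
def canonical(tx: dict, nonce: str) -> bytes:
    return json.dumps({"tx": tx, "nonce": nonce}, sort_keys=True).encode()

def server_issue_challenge(tx: dict) -> dict:
    return {"tx": tx, "nonce": secrets.token_hex(16)}

def device_respond(device_key: bytes, challenge: dict) -> str:
    return hmac.new(device_key, canonical(challenge["tx"], challenge["nonce"]),
                    hashlib.sha256).hexdigest()

def server_verify(device_key: bytes, nonce: str, response: str, tx: dict) -> bool:
    # Recompute over the transaction the server is about to execute, so a
    # response captured for one transfer does not authorise a different one.
    expected = hmac.new(device_key, canonical(tx, nonce), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    # SMS OTP: an intercepted code is all that is needed to pass the check.
    otp = issue_sms_otp()
    sms_intercept_passes = verify_sms_otp(otp, otp)  # redirected SMS = same string

    key = secrets.token_bytes(32)  # constructed enrollment key
    legit_tx = {"to": "DE00 0000 0000 0000 0000 00", "amount": "25.00"}  # constructed
    ch = server_issue_challenge(legit_tx)
    resp = device_respond(key, ch)  # an eavesdropper may see ch and resp, not key
    legit_ok = server_verify(key, ch["nonce"], resp, legit_tx)
    # Reuse the observed response for a different transfer: fails.
    other_tx = {"to": "XX00 OTHER ACCOUNT", "amount": "9500.00"}  # constructed
    replay_ok = server_verify(key, ch["nonce"], resp, other_tx)
    # Compute a response without the enrolled key: fails.
    forged = hmac.new(b"guess", canonical(other_tx, ch["nonce"]), hashlib.sha256).hexdigest()
    forge_ok = server_verify(key, ch["nonce"], forged, other_tx)
    return {"sms_intercept_passes": sms_intercept_passes, "legit_ok": legit_ok,
            "replay_ok": replay_ok, "forge_ok": forge_ok}
```

A production design would additionally track nonces so each challenge verifies once, and would transport the challenge over the authenticated, encrypted channel the post describes rather than over SMS or USSD.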

About the author

Stephen Drake

Senior Systems Developer

Entersekt is an international software development company based just outside of Cape Town, South Africa.
