Cybercriminals have exploited vulnerabilities in the SS7 protocol to bypass security mechanisms and steal money from bank accounts. Researchers have warned about the threat for years and these types of attacks have recently become a reality.
SS7, which stands for Signalling System No. 7, is a telephony signaling protocol used by telecommunications providers worldwide. It allows the customers of different networks to communicate with one another and ensures that calls are not interrupted when users are traveling over longer distances.
SS7 was developed back in 1975 and it does not include any protection or authentication, making it easy for third-parties to connect to the SS7 network.
The fact that SS7 has serious weaknesses has been known for years and researchers have often warned that malicious actors could leverage them to locate subscribers, intercept calls and SMS messages, and conduct fraud.
The first case of malicious actors exploiting SS7 flaws to make a profit has now come to light. German newspaper Süddeutsche Zeitung reported on Wednesday that cybercriminals had relied on SS7 attacks to bypass two-factor authentication (2FA) systems and conduct unauthorized wire transfers.
Attackers first obtained bank account information from the victims, which can be done either via phishing or malware, and then launched an SS7 attack to obtain the mobile transaction authentication number (mTAN) sent by the bank via SMS. mTANs are one-time passwords used by banks to confirm financial transactions.
According to Süddeutsche Zeitung, the attackers forwarded the SMS messages containing the mTAN to a number they controlled, allowing them to complete the wire transfers they had initiated from victims’ accounts.
Telecommunications firm O2-Telefonica confirmed for the newspaper that some of its customers in Germany had been targeted is such attacks via the network of a foreign mobile operator in mid-January. The company said it had blocked the offending provider and notified affected customers.
Experts told the German newspaper that access to SS7 networks can be acquired for under €1,000.
Jean Gottschalk, SS7 mobile network security consultant at Las Vegas-based Telecom Defense, has confirmed for SecurityWeek that access to the SS7 network can be obtained for roughly €1,000 per month, but the expert pointed out that this is not enough to conduct attacks.
Attackers also need an identity on the network, known as a global title (GT), which can be obtained from legitimate mobile operators. Normally, these identities are not handed out to anyone, but attackers could obtain them by bribing individuals working for mobile operators in less developed countries. The only condition is that the company needs to have a roaming agreement with the country whose citizens are targeted by the cybercriminals.
Gottschalk said attackers might pay another €1,000 per month for the GT, or their accomplice may want a share of the profit.
Another way to obtain access is via third-parties that rent global titles for SMS delivery and other types of services, the expert said.
Gottschalk told SecurityWeek that he had been aware of malicious operations targeting Germany, and the attacks were traced back to a former Soviet Union country.
The expert pointed out that malicious traffic has been seen on SS7 networks for many years, but it had mainly been used for geolocation purposes.
As for the United States, Gottschalk said attacks such as the ones in Germany are less likely to take place as banks typically don’t use SMS-based tokens for wire transfers. On the other hand, the expert warned that attackers can use the technique to hijack WhatsApp and Signal accounts, and bypass 2FA on services such as Gmail. Due to the risks, NIST and industry professionals have proposed replacing SMS-based 2FA with more secure alternatives.
Last year, researchers demonstrated the risks associated with SS7 when they managed to eavesdrop on U.S. Representative Ted Lieu knowing only his phone number. The official has now once again called for action.
“Both the FCC and telecom industry have been aware that hackers can acquire our text messages and phone conversations just knowing our cell phone number,” Lieu stated on Wednesday. “It is unacceptable the FCC and telecom industry have not acted sooner to protect our privacy and financial security. I urge the Republican-controlled Congress to hold immediate hearings on this issue.”
Until the issues are addressed on a wide scale, mobile operators can turn to specialized security firms such as Telecom Defense, which conduct security audits and help companies implement signaling firewalls.