After years of warnings, mobile network hackers exploit SS7 flaws to drain bank accounts

Experts have been warning for years about security blunders in the Signaling System 7 protocol – the magic glue used by cellphone networks to communicate with each other. These shortcomings can be potentially abused to, for example, redirect people's calls and text messages to miscreants' devices. Now we've seen the first case …

  1. John Smith 19

    AIUI SS7 was meant to end the ability to impersonate a remote exchange by "seizing a trunk"

    Which seemed to be a core tactic of phone phreaks.

    And in the 1980s it did.

    Because it was out of band and "digital."

    In 2017 I'd suggest the background knowledge about how GSM works is a lot more widespread and the options to access a mobile network (for a wide variety of definitions of access) are a lot broader than in the 1980s.

    1. Christian Berger

      Well actually the reason was different

      Back in the 1980s, you had "The Phone Company", and only it could get access to SS7. Authentication made no sense as this was the time before public key cryptography so you could easily just sniff any password anyhow and even shared key cryptography would have been expensive. Also there was no reason for it, as "The Phone Companies" of all countries trusted each other.

      Today there's lots of phone companies with access to the SS7 network. They shouldn't sell that access... but there are some that apparently do. After all there are plausible things to do with access to the SS7 network, for example operating SMS gateways to the Internet.

      This story actually highlights another problem, and that is that SMS is completely unencrypted, except for the last air interface from the tower to your mobile phone. It never should have been used for anything even remotely resembling security.

      1. Charles 9

        Re: Well actually the reason was different

        "This story actually highlights another problem, and that is that SMS is completely unencrypted, except for the last air interface from the tower to your mobile phone. It never should have been used for anything even remotely resembling security."

        Given the age of the underlying technologies, security really couldn't be considered (too far back in time, too intensive and not advanced enough to be practical), nor can it be considered now without a complete top-to-bottom overhaul of the system, as there is basically NO system in use today that can't be compromised. Indeed, no system known to man can do much against an insider.

        1. Stevie

          Re: Insider

          Overly broad statement.

          Encryption done right would make whatever was grabbed of dubious use when compared to cost of acquisition, I would think.

          1. Charles 9

            Re: Insider

            "Overly broad statement.

            Encryption done right would make whatever was grabbed of dubious use when compared to cost of acquisition, I would think."

            Except if chips like the Motorola 68000 were considered state of the art at the time, not to mention pretty damn expensive (think about how much a Macintosh cost at its debut--it used a 68000), you kinda hit a technological wall. Even if the technology was available and ubiquitous at the time (I think the closest we had was encrypted satellite communications), the pace of technological advancement means security tech doesn't age very well.

            For another thing, there are those for whom money isn't as great an object when it comes to cracking stuff like this. Especially if backed by something like a hostile state (consider: the Cold War was still on at the time).

      2. Anonymous Coward

        Re: Well actually the reason was different

        I used to run a phone card company.

        All you need for SS7 access is to rent a T1 or E1 line.

        That needs some money, and the patience of a saint to deal with the necessary telco sales team, but very little else. You plug your line into a Cisco* box, and start programming.

        * or any cheaper alternative.

      3. Cuddles

        Re: Well actually the reason was different

        "This story actually highlights another problem, and that is that SMS is completely unencrypted, except for the last air interface from the tower to your mobile phone. It never should have been used for anything even remotely resembling security."

        Indeed. It's a point made many times before but that apparently can never be made enough times - SMS is not a substitute for proper two-factor authentication. The issue here is not that technology from the 1980s is insecure, but that banks, and others, are increasingly using it as authentication despite knowing about that lack of security.

        As a side note, it seems somewhat ironic that of all the banks I interact with, the only one still using actual two-factor authentication instead of SMS is the Co-op bank, who utterly fail at every other aspect of banking. Sadly, I suspect the only reason for this is that they tend to lag well behind everyone else and simply haven't caught up to the new trend yet, rather than that they actually care for security.

        1. Sir Runcible Spoon

          Re: Well actually the reason was different

          HSBC also uses 2fa, for both business and personal banking. Just sayin'.

          1. Down not across

            Re: Well actually the reason was different

            HSBC also uses 2fa, for both business and personal banking. Just sayin'.

            They also seem to think using your voice as a password is a great idea...

  2. Marty McFly

    Old news....

    ...that telcos' internal systems are vulnerable. Google "Free Kevin" and read some real hacking stories from 25+ years ago. If the telcos have not updated the back-end cellular tech since the 1980s then I suspect those old-school attacks are still operative once the perimeter has been breached.

  3. Your alien overlord - fear me

    Sour krauts

    Bitte ?

    that's "You're welcome" in German for those who don't get it !!!

  4. Anonymous Coward

    Head in the sand

    The problems have been known about by technical staff and security staff in telcos for 20 years.

    I remember discussions amongst engineers over a beer in the '90s about the minimum amount of effort that would be necessary to get an SS7 interconnect to BT (which BT could not legally refuse if you jumped through the right hoops). And more than one discussion with customers in the same sort of timeframe about SS7 firewalls. Not that I am aware of one ever being deployed! The telcos chose to ignore the problem.

    Maybe the right business decision as it seems to have taken 20 years for the crims to catch up and actually exploit the weakness. To be honest I am very surprised it has taken so long: I had expected organised crime to create their own licensed telco in order to get this access by the year 2000. Just goes to show that we telecoms engineers are good guys at heart!

    1. Anonymous Coward

      Re: Head in the sand

      Not only that, in the US 60 Minutes did a story about it last year, which included a demonstration where a German hacker in Berlin used an SS7 attack to listen in on a conversation between a US congressman in California and the 60 Minutes correspondent. All he needed to know to perform the attack was the congressman's phone number.

      For the purpose of the demo, 60 Minutes sent him a brand new iPhone and SIM so it wasn't his 'real' phone number compromised, but it wouldn't take that much to learn the phone number of almost anyone a motivated attacker wanted to listen in on. And obviously would work on any landlines that either aren't behind a PBX or are behind a PBX running SS7.

      While this congressman was technically literate (Stanford grad in comp sci IIRC), regulation will be required to fix it (telcos have had three decades to do something about this and haven't, so they never will unless forced), but the only way a Republican congress would agree to that would be if congressmen are attacked this way. Someone just needs to listen in to the inner workings of the health care debate and make a few calls between Trump and a congressman public, and this would quickly move to the top of the agenda!

      1. I sound like Peter Griffin!!

        Re: Head in the sand

        Trump already has a counter-play ready:

        "..Congressman hacked? That's FAKE NEWS - nothing to see here.. Move along!.."

      2. Anonymous Coward

        Re: Head in the sand

        >> Someone just needs to listen in to the inner workings of the health care debate and make a few calls between Trump and a congressman public, and this would quickly move to the top of the agenda!

        We're working on it!

    2. Alistair

      Re: Head in the sand

      Um. All things considered, .... aren't the licensed telcos considered organized crime?

      1. Alumoi

        Re: Head in the sand

        Alistair, organized crime is for the government. Telcos are just highway robbers.

    3. Barry Rueger

      Re: Head in the sand

      Maybe the right business decision as it seems to have taken 20 years for the crims to catch up and actually exploit the weakness.

      The fact that someone is only now admitting this happened does not mean it's the first time the exploit has been used.

      It's entirely possible that either clever criminals just never got caught, or that the telcos managed to keep incursions secret.

      1. Anonymous Coward

        Re: Head in the sand

        "It's entirely possible that either clever criminals just never got caught, or that the telcos managed to keep incursions secret."

        Or that there are 'banks' who are dim enough to offer equally effective tactics (for some purposes) using much much simpler (actually unbelievably stupid) methods.

        After several months of relatively low profile speculation it's gone public now: Santander UK has for a long time been allowing changes to critical payee details (sort code, account number) with insufficient authentication. An imposter can thus change the sort code and account number of an existing payee, and hijack any payments to the (genuine) payee, so that they go to the imposter's bank account.

        Or something along those lines. More details in this well known technical journal:

        http://www.thisismoney.co.uk/money/beatthescammers/article-4422806/Santander-says-online-banking-fraud-flaw-fixed.html

  5. Anonymous Coward

    Fraud up!

    Pants still down!

  6. david 12

    Created in the 70s.

    >which was created in the 1980s by telcos to allow cellular and some landline networks to interconnect and exchange data<

    It was created/designed in the 70s to handle telephone calls. The ability to handle cellular and data came almost free as a result of the flexible digital design.

  7. John Smith 19

    Time for "Signalling System No 8" ?

    It's been what 4-5 decades since first roll out.

    You know certain TLAs have had to have been in through this path for decades.

    Those telcos that don't use IP protocols also need to adopt defense-in-depth and can no longer assume that the next node they send to (or receive a packet from) is benign.

    It may be a less trusting world for telcos, but it's a safer world for their customers.

    1. Bronek Kozicki

      Re: Time for "Signalling System No 8" ?

      Well yes, perhaps it is time for "SS8". The trouble is that many engineers are necessarily conservative, which makes me think that any new protocol to replace the old one will be about as popular as, say, IPv6.

    2. Anonymous Coward

      Re: Time for "Signalling System No 8" ?

      What you mean is the Diameter protocol. It has inbuilt support for IPsec, but that means that the parties using it have to agree on common certificate authorities or similar. And there is the hook...... could you imagine all countries in the world trusting a single root cert?

      It's not only safer for consumers, but also for network operators. SS7 / Diameter also have features for "managing" network events..... that may cause "minor inconveniences" in the network.

  8. Anonymous Coward

    Perhaps

    It hasn't been fixed yet because government spooks use it for 'legitimate' eavesdropping?

    1. Anonymous Coward

      Re: Perhaps

      SS7 is used within the operator core networks and between networks. The eavesdropping / spying you refer to is lawful interception (LI), and governments can do that in their country according to local legislation; it has nothing to do with SS7 security (LI interfaces exist and the operator has to comply with authorized requests).

      Eavesdropping attacks from OTHER countries are usually not "appreciated" by the local government, so there the local government would have good reasons to stop this.

  9. steelpillow

    pragmatism

    Rhetorical question: so, is it easier to patch every SS7 link on the planet, or to squash rogue telcos under more and more red tape until you feel safe from blame again?

    1. Nick Ryan

      Re: pragmatism

      Answered with a question... Which is more expensive to the major telcos involved? Patching, red tape or the occasional fine?

  10. Kernel

    Nothing new here!

    "The hackers first spammed out malware to victims' computers, which collected the bank account balance, login details and passwords for their accounts, along with their mobile number."

    There's no problem with SS7, provided the numpties don't give out the crucial information first!

    1. MJB7

      Re: Nothing new here!

      "There's no problem with SS7, provided the numpties don't give out the crucial information first!"

      They didn't give it out. It was stolen from their computers via malware.

      1. Roland6

        Re: Nothing new here!

        >They didn't give it out. It was stolen from their computers via malware.

        and the role of SS7 in getting the malware on to the computer?

        ...

        1. Anonymous Coward

          Re: Nothing new here!

          " the role of SS7 in getting the malware on to the computer?"

          Probably none, but you don't really expect politicians to ever let you get away with blaming voters for anything when there are perfectly good non-voting devices to blame, do you?

  11. Nisseparlemo

    Another reason why SIP-based applications/services are gaining momentum. I would consider using something like um-labs.com: end-to-end encryption.

    1. Anonymous Coward

      Wrong.

      If you are to call my mobile, once it leaves your carrier (or maybe not even that far down, simply the remote PBX) it is no longer encrypted. It is only encrypted in your leg. So all you will do is encrypt the rogue traffic.

      Not only that, a lot of them only encrypt the RTP, not the SIP.... and even more fun, some forget about RTCP as well.

  12. EnviableOne

    Banks fault

    NIST have been warning about SMS second factors for a while.

    Why aren't they using TOTP?

    1. Anonymous Coward

      Re: Banks fault "Why aren't they using TOTP?"

      If I recall correctly, TOTP was cancelled in 2006.

      Does the "indifferent bop" over to the coat rack...

  13. Anonymous Coward

    There is a simple reason this never got fixed

    How did you think friendly outfits like the NSA and GCHQ established warrant free phone intercepts?

  14. Anonymous Coward

    SMS - used for many passwords

    The attack was an SMS interception of the mobile banking TANs.

    The problem is that SMS is used by many service providers for delivering sensitive information, e.g. Amazon, Twitter, Facebook, Microsoft, Google: they all have password recovery systems using SMS. Some of them can serve to get to your money; how many pages have single sign-on enabled for Facebook or similar? So even if this is "only" a banking attack in Germany, that does not necessarily mean that the US is safe from this kind of attack....

  15. Uberseehandel

    Encryption Is Not Convenient

    Much of the time, telco encryption is deliberately weakened (set the 16 leading bits of the key to 0), so that officially interested parties can freely access users and conversations they wish to monitor. It is so much more convenient that way, no warrants, no oversight.

    Right from the outset, the MNOs did not wish to know about SMS, they didn't notice, in any material sense of that word, its capability when GSM was introduced, but they did shut down the (ISDN compliant) dual SIM capability (because customers use it to save costs). MNOs had to be brow-beaten into accepting that users would make use of it, especially when roaming. Believe it or not, they took the same approach to data, remaining in denial about customer take-up until too late.

    There are a number of organisations which have official and court approved access to telco switches. However, the number of staff who have access to the data centres which process the telco back-end systems is huge. A number are outsourced. I know of one that outsources its data centre processing to a company that has been bought by its principal competitor. They remain quite relaxed about this, despite ample evidence that there is much to be concerned about.

    MNOs should not be allowed out.

  16. Anonymous Coward

    I double-guessed this might happen...

    .... so I have no money.

    They can raid it all they like, and try and empty my account even more. T'other half tried and she failed and if she can't get anything out of me, nobody can.

  17. 1998tj

    How do you protect your accounts then?

    So, if two-factor authentication via SMS isn't safe, how should I protect my account then? Yeah, I follow the basic rules of not opening sketchy emails, not giving pw's over phone, having complex pw's, etc. But, I'm just curious if there are any other layers of protection I can add here?

    Many years ago, I used to have an Etrade account and they gave me one of those RSA security device keychains that generated a random number (which I needed to enter along with my pw). Not sure if that type of "offline" solution is more secure, but I don't see those things offered any more by U.S. banks. My banks in the U.S. all use two-factor via SMS.

  18. GHotmail

    The problem with SS7, as described in detail by NIST, exists in cases where the bank sends the code via one-way SMS. Utilizing two-way SMS eliminates such SS7 hacking methods because getting the SMS reply from the client allows additional checks and balances that are not available in one-way SMS. One provider for two-way SMS is Spriv.com

  19. John Gaskill

    The "solution" is simple.

    Fine the carriers, HEAVILY, for allowing known vulnerabilities to continue. Businesses operate on a cost-benefit ratio. If mitigation is too costly, they will not see to it, instead accepting fines and lost business as a minor "cost".

    Make the fines so astronomical as to be a true incentive to mitigate the vulnerabilities and protect their customers.

    Nothing else will work.

    1. Anonymous Coward

      Re: The "solution" is simple.

      "Make the fines so astronomical as to be a true incentive to mitigate the vulnerabilities and protect their customers."

      Er, it's the customers that end up paying the fines in almost any instance of corporate 'punishment'. Is that going to change any behaviours?

      Something more effective than corporate fines is long overdue. Maybe personal and individual fines for the responsible directors (in the same way as corporate 'leaders' get personal and individual bonuses because when things go right it's their actions that made it happen, yes?).

      Or if they'd rather not pay the personal and individual fines, just lock them up for a week or two.

      1. izmiaz

        Re: The "solution" is simple.

        Well, fines to whom? Regardless of what SS7 is, I would not find it OK to make this into TelCo bashing now:

        - First you need someone to break into your phone/computer and get your online banking data. With all the known issues about security on the Internet, this is a matter of personal responsibility. Not only does technology of the 70s (SS7) meet 2017 here, but also a common technical understanding of the average user limited to the past millennium is needed to make such an attack possible.

        - It is the BANKS who - despite better knowledge in their IT departments, I suppose - implemented an authentication system that is convenient but not secure! Banks are normally never responsible for anything; we have known for a while that they earn on ANY transaction regardless of who pays to whom ....

        - Use TAN generators, or the good old paper TAN letter (you can personally pick it up at your bank) or anything else that is secure! Those systems existed long before smartphones and they worked well, even allowing you internet banking.

        - Now it happened in O2, but SMS works pretty much the same in all European operators.

        BTW: Install Tor browser and get access to a different internet. Many SS7 hosts are compromised and we have boxes connected to the global SS7 network that should definitely not be there. I think that statement about renting an E1 link is by today as outdated as SS7 itself ... you don't need that patience. In the worst case, pay 10kEUR and you get what you need, SS7 access included.

        AND: You can do much more, e.g. track locations or tap calls as well. This has long been published and was even commercialized in countries like the US. Any surprises now?

    2. izmiaz

      Re: The "solution" is simple.

      I think it's not that simple. You would need to change this in ALL carriers and fine on an international level. Whoever wrote the letter of guarantee that SMS is a secure communication? It was invented as a side product when having some spare signalling capacity in the E1s and then suddenly overrun by its own success. So, if you allow roaming with e.g. Uganda (not to say they are particularly bad there), you have to understand that you cannot expect them to interact with the latest technology on an ARPU of 12EUR/month/subs .... Or you simply don't allow certain traffic, which brings other complaints onto the stage.

      Yes, it can be solved on carrier level. But the particular case to me just indicates a flaw in the authentication method, not in the carrier of information.

  20. Anonymous Coward

    Author totally ignores SMS Home Routing [3GPP TR 23.840, V7.1.0 (2007-03)] implemented as a mitigation.

    And ignores SS7 firewalls.

    1. izmiaz

      SS7 firewalls are not yet widely deployed and are mostly available from startups who do not have the capability to integrate this technology on a large scale, unfortunately. But it is work in progress.

      SMS home routing can work to some extent, but hey, see my other post: it's not SMS that is the problem (then we could switch to WhatsApp, hein?)

      The problem is that your bank tries to tell you that this is a great way to authenticate your transactions. THE BANKS, once more, not the TelCos, are to be blamed here!
