from the whoops-a-daisy deptKarl Bode
Back in 2017, you might recall how hackers and security researchers highlighted long-standing vulnerabilities in Signaling System 7 (SS7, or Common Channel Signalling System 7 in the US), a series of protocols first built in 1975 to help connect phone carriers around the world. While the problem isn't new, a 2016 60 minutes report brought wider attention to the fact that the flaw can allow a hacker to track user location, dodge encryption, and even record private conversations. All while the intrusion looks like ordinary carrier to carrier chatter among a sea of other, "privileged peering relationships."
Telecom lobbyists have routinely tried to downplay the flaw after carriers have failed to do enough to stop hackers from exploiting it. In Canada for example, the CBC recently noted how Bell and Rogers weren't even willing to talk about the flaw after the news outlet published an investigation showing how, using only the number of his mobile phone, it was possible to intercept the calls and movements of Quebec NDP MP Matthew Dubé.
India’s largest bank has secured an unprotected server that allowed anyone to access financial information on millions of its customers, like bank balances and recent transactions. The passwordless database allowed us to see all of the text messages going to customers in real-time, including their phone numbers, bank balances, and recent transactions.
But while major telecom carriers try to downplay the scale of the problem, news reports keep indicating how the flaw is abused far more widely than previously believed. This Motherboard investigation by Joseph Cox , for example, showed how, while the attacks were originally only surmised to be within the reach of intelligence operators (perhaps part of the reason intelligence-tied telcos have been so slow to address the issue), hackers have increasingly been using the flaw to siphon money out of targets' bank accounts, thus far predominately in Europe:
"In the case of stealing money from bank accounts, a hacker would typically first need a target’s online banking username and password. Perhaps they could obtain this by phishing the target. Then, once logged in, the bank may ask for confirmation of the transfer by sending the account owner a verification code in a text message. With SS7, the hackers can intercept this text and enter it themselves. Exploiting SS7 in this way is a way to circumvent the protections of two-factor authentication, where a system not only requires a password, but something else too, such as an extra code."
Again the flaw isn't new; a group of German hackers widely demonstrated the vulnerability in 2008 and again in 2014. It's believed that the intelligence community has known about the vulnerability even earlier, and the hackers note that only modest headway has been made since German hacker Karsten Nohl first demonstrated it. Some mitigation efforts have been put into place, but not quickly or uniformly enough to constrain the exploitation of the flaw:
"The fundamental issue with the SS7 network is that it does not authenticate who sent a request. So if someone gains access to the network—a government agency, a surveillance company, or a criminal—SS7 will treat their commands to reroute text messages or calls just as legitimately as anyone else’s. There are protections that can be put in place, such as SS7 firewalls, and ways to detect certain attacks, but room for exploitation remains."
Senator Ron Wyden wrote to the FCC (pdf) in May of last year stating the agency hadn't done enough to pressure carriers into fixing the problem, but nothing much appears to have happened in the wake of that letter. Much like the cellular industry's location data scandals , it's likely going to take a few more high profile scandals to create enough momentum to drive actual change.