Dual/Multi factor authentication is an essential method to add another layer of security for authenticating the identity where the user not only authenticates through the credentials (username/password) but also through a secret code. There are various modes to transact this ‘secret code’ (commonly OTP -one-time password) and one of which is using cellular signals to transmit the OTP to the recipient. This mode utilizes the SS7 protocol. Recently, applications have increased the usage of OTPs even at the first level of authentication, to log-in using the OTPs. This article gives you insight awareness on SS7 vulnerability and gives a food for thought, should the 2FA authentication continue using this medium?
What does SS7 do?
Signaling System 7 (SS7) is an international telecommunications standard that defines how network elements in a public switched telephone network (PSTN) exchange information over a digital signaling network. Nodes in an SS7 network are called signaling points.
SS7 allows phone networks to exchange the information needed for passing calls and text messages between each other and to ensure correct billing. It also allows users on one network to roam on another, such as when travelling in a foreign country.
What can hackers do with access to SS7?
Once hackers have access to the SS7 system they can have access to the same amount of information and snooping capabilities as security services.
They can transparently forward calls, giving them the ability to record or listen in to them. They can also read SMS messages sent between phones, and track the location of a phone using the same system that the phone networks use to help keep a constant service available and deliver phone calls, texts and data.
Should a hacker gain entry to the SS7 system on any number of networks, or if they are used by a law enforcement agency as part of its surveillance, anyone with a mobile phone could be vulnerable
What are the implications for users?
The risk of surveillance with access to the SS7 system and a phone number.
One of the biggest dangers, beyond someone listening to calls and reading text messages, is the interception of two-step verification codes that are often used as a security measure when logging into email accounts or other services sent via text message.
Banks and other secure institutions also use phone calls or text messages to verify a user’s identity, which could be intercepted and therefore led to fraud or malicious attacks
How to protect snooping via SS7?
There is very little you can do to protect yourself beyond not using the services.
For text messages, avoiding SMS and instead using encrypted messaging services that allow you to send and receive instant messages without having to go through the SMS network, protecting them from surveillance.
For calls, using a service that carries voice over data rather than through the voice call network will help prevent your calls from being snooped on.
Your location could be being tracked at any stage when you have your mobile phone on. The only way to avoid it is to turn off your phone or turn off its connection to the mobile phone network and rely on Wi-Fi instead.
As German newspaper Süddeutsche Zeitung first reported, once hackers obtained a bank customer’s username, password, and telephone number, they were able to use SS7 vulnerabilities to reroute the two-factor codes that act as the last line of defense against fraud. Security experts say that the same SS7-centric hacking techniques used against German banks will become increasingly prevalent in the future, forcing organizations to reconsider how they authenticate user activity.
Two-factor authentication (also known as 2FA) is a type (subset) of multi-factor authentication. It is a method of confirming users’ claimed identities by using a combination of two different factors: 1) something they know, 2) something they have, or 3) something they are.
Two-factor means you as the user have to have a second thing with you to serve as the second factor. Some services offer a physically unique device to serve as the second factor – often something along the lines of an “RSA Token” – a small device about the size of a USB flash drive that displays a number, which changes every minute or so. Less common is a token the size and shape of a credit card that does the same.
But think about the number of important accounts you have: banks, credit card accounts, email accounts, social media accounts. Carrying one “second factor” around might not be a nuisance but carrying a dozen around becomes impractical. What is something almost everyone has though, and has with them at almost all times? A cell phone.
Service providers caught onto this a few years ago and began implementing a form of two-factor authentication in which the provider sends a SMS or text message with a typically six-digit code to enter along with your password. Similar to a physical code generator, the SMS code is only useful for about a minute before it changes to something else.
More recently, companies have produced Android and iOS authenticator apps that emulate the function of a code generator. Functionally though, they behave the same: they give a one-time-use token that is good for about a minute and must be used along with the password in order to log into an account.
The designing flaws in SS7 allows an attacker to divert the SMS containing a one-time passcode (OTP) to their own device, which lets the attacker hijack any service, including Twitter, Facebook or Gmail, that uses SMS to send the secret code to reset account password.
Disclaimer- “The views are solely of the author and not of the employer or any organisation”