The SS7 Flaw Has a Fix, If Phone Companies Would Just Do It | WIRED
Recently, hackers managed to drain bank accounts across Germany. They did so not by hacking the banks themselves, but by exploiting a long-known flaw in a global telephony protocol known as Signaling System 7. It’s the kind of attack that researchers have warned about for years—and may finally be the one that gets the telecom industry to clean up its giant SS7 mess.
Part of the global telecom backbone, SS7 enables carrier interoperability. It’s what lets you receive an SMS text from your friend whether you’re at your house, in a moving car, or halfway around the world roaming on a foreign network. And for years, analysts have warned that third parties can breach SS7, enabling spying and data interception. Or, in this case, the redirection of two-factor authentication codes that a bank intends for its customers.
As German newspaper Süddeutsche Zeitung first reported, once hackers obtained a bank customer’s username, password, and telephone number, they were able to use SS7 vulnerabilities to reroute the two-factor codes that act as the last line of defense against fraud. This time, they targeted German carrier O2-Telefonica, but it could have been anybody. Which is all the more reason to fix SS7 once and for all.
“It’s the first time now that we have non-ignorable evidence of SS7 abuse,” says Karsten Nohl, chief scientist at the German firm Security Research Labs, who has been researching and publicizing the dangers of SS7 vulnerabilities since 2014. “I think that’s a good development in the sense that if customers lose money, that must be acted on, whereas as long as they were ‘just’ being spied on, you could sweep that under the rug.”
Patching the Hole
The SS7 problem stems from its original setup. Because it’s a way for telecoms to talk to one another—like T-Mobile asking Verizon to deliver an SMS text—it was designed to trust any request that arrives from the network. For instance: Carriers routinely “ask” one another where a given subscriber’s phone is currently registered, so that a call or text can be routed to the network, and ultimately the cell tower, serving it. These sorts of automated interactions happen all the time, but with little to no vetting of who is asking. If a scammer with access to the signaling network poses as a telecom and asks that same location question, he’ll get the same answer a real carrier would, enabling illicit tracking.
Nohl and others argue that overcoming SS7 insecurity requires implementing a series of firewalls and filters that can stop these types of attacks. That’s more complicated than it sounds. First, setting up automated filters risks blocking legitimate communications, an inconvenience at best. “The overwhelming amount of SS7 traffic is legitimate, [so] carriers need to be measured as they implement solutions in order to avoid collateral network impacts,” an FCC working group concluded in March.
Some SS7 experts warn, though, that the process of truly strengthening SS7 security takes a more nuanced approach than just filtering given the complexities involved. “It’s doubtful that there’s an easy filtering that would completely wipe out these kinds of attacks,” says Philippe Langlois, CEO of the telecom security firm P1 Security. “We’re not talking about adding a firewall rule and saying, ‘OK, now it’s done.’”
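To make the trade-off in the three preceding paragraphs concrete, here is an added Python sketch; it is illustrative code written for this page, not code from WIRED, Security Research Labs, P1 Security or any carrier. It models two trust models side by side: a legacy signaling node that answers any well-formed request, and a border filter that sorts incoming MAP operations into rough categories in the spirit of the GSMA FS.11 guidelines (an assumed simplification, not the full rule set). The global-title prefixes, the IMSI, the operation names used in each category and the one-hour plausibility bound are all constructed for the example. The last two cases are the ones that illustrate the FCC working group’s and Langlois’s caveats: a location update that arrives suspiciously soon after the previous one could be an attacker re-registering the victim elsewhere or a genuine traveller crossing a border, and the routing query a network sends before delivering an SMS is both what an interception relies on and what every legitimate SMS delivery needs, so it can be flagged but not simply dropped.

```python
"""Toy SS7 border filter (added illustration; not code from the article or
from any carrier or vendor named in it). MAP messages are plain Python
objects; the category sets below are an assumed simplification of GSMA
FS.11-style rules. All global titles, IMSIs and timings are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Assumed category sets (simplified; not the complete FS.11 lists).
NEVER_FROM_ABROAD = {"AnyTimeInterrogation", "SendIMSI"}
ONLY_FROM_SERVING_NETWORK = {"ProvideSubscriberInfo", "InsertSubscriberData"}


@dataclass(frozen=True)
class MapMessage:
    op: str         # MAP operation name
    origin_gt: str  # claimed sender: SCCP calling-party global title
    imsi: str       # target subscriber (constructed value)
    t: int          # arrival time in seconds on a constructed clock


@dataclass
class HomeNetwork:
    own_gt_prefix: str
    partner_prefixes: Set[str]        # networks with a roaming agreement
    serving_prefix: Dict[str, str]    # imsi -> prefix of network serving it
    last_update: Dict[str, int]       # imsi -> time of last UpdateLocation
    min_travel_seconds: int = 3600    # assumed plausibility bound


def legacy_answer(msg: MapMessage, net: HomeNetwork) -> str:
    """Original SS7 trust model: any well-formed request is served."""
    return "ALLOW"


def _partner_for(gt: str, net: HomeNetwork) -> Optional[str]:
    return next((p for p in net.partner_prefixes if gt.startswith(p)), None)


def filtered_answer(msg: MapMessage, net: HomeNetwork) -> str:
    """Border-filter decision: ALLOW, ALLOW-FLAG:<why> or BLOCK:<why>."""
    if msg.origin_gt.startswith(net.own_gt_prefix):
        return "ALLOW"                           # internal traffic
    partner = _partner_for(msg.origin_gt, net)
    if partner is None:
        return "BLOCK:unknown-origin"            # no roaming agreement
    if msg.op in NEVER_FROM_ABROAD:
        return "BLOCK:cat1"                      # location query from abroad
    if msg.op in ONLY_FROM_SERVING_NETWORK:
        if net.serving_prefix.get(msg.imsi) != partner:
            return "BLOCK:cat2-not-serving"
        return "ALLOW"
    if msg.op == "UpdateLocation":
        # Registering the subscriber on a new network is how calls and texts
        # get re-routed. A second registration from a different country
        # shortly after the last one is implausible, but an attacker and a
        # real traveller look the same here: this rule can cause collateral
        # damage, which is the FCC working group's concern.
        last = net.last_update.get(msg.imsi)
        moved = net.serving_prefix.get(msg.imsi) != partner
        if last is not None and moved and msg.t - last < net.min_travel_seconds:
            return "BLOCK:implausible-move"
        net.serving_prefix[msg.imsi] = partner
        net.last_update[msg.imsi] = msg.t
        return "ALLOW"
    if msg.op == "SendRoutingInfoForSM":
        # Any network delivering an SMS to our subscriber must ask this, so
        # it cannot be dropped outright; it can only be flagged or rate-limited.
        return "ALLOW-FLAG:routing-query"
    return "ALLOW"


def demo() -> List[Tuple[str, str, str]]:
    """Constructed scenario: home network prefix 491, partners 331 and 441.
    Returns (operation, legacy decision, filtered decision) per message."""
    net = HomeNetwork(
        own_gt_prefix="491",
        partner_prefixes={"331", "441"},
        serving_prefix={"26207001": "331"},   # subscriber currently roaming on 331
        last_update={"26207001": 1000},
    )
    msgs = [
        MapMessage("AnyTimeInterrogation", "9991", "26207001", 1100),  # leased GT, no agreement
        MapMessage("AnyTimeInterrogation", "4412", "26207001", 1200),  # partner GT, cat-1 op
        MapMessage("ProvideSubscriberInfo", "4412", "26207001", 1300), # partner, but not serving
        MapMessage("ProvideSubscriberInfo", "3315", "26207001", 1400), # serving network: fine
        MapMessage("UpdateLocation", "4412", "26207001", 1500),        # 500 s after 331: suspicious
        MapMessage("SendRoutingInfoForSM", "4412", "26207001", 1600),  # needed for SMS delivery
    ]
    return [(m.op, legacy_answer(m, net), filtered_answer(m, net)) for m in msgs]


if __name__ == "__main__":
    for op, legacy, filtered in demo():
        print(f"{op:24} legacy={legacy:6} filtered={filtered}")
```

Running the script shows the legacy node answering all six requests while the filter blocks the first three outright, passes the genuine query from the serving network, blocks the rapid re-registration (rightly or wrongly), and can only flag the routing query.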