Carder.life > [en] International Forum > Hacking & Coding

#1
04-08-2025, 01:36 PM
Stabout
Join Date: Sep 2023
Posts: 0

Critical vulnerabilities in the SS7 signaling protocol have been known for several years. For example, in 2014 Dmitry Kurbatov and Sergey Puzankov, experts from the Russian company Positive Technologies, clearly demonstrated at an information security conference how such attacks are carried out. An attacker can listen to calls, determine a subscriber's location and spoof it, conduct a DoS attack, transfer money from an account, and intercept SMS.

The problem is that the SS7 signaling network was developed in 1975 (for routing messages when roaming), and protection mechanisms against such attacks were never built into it. It was assumed that the system was closed and protected from external connections. In practice this is not so: you can connect to it. Theoretically, you can connect to it in Congo or any other country, and then you will have access to the switches of all operators in Russia, the USA, Europe and other countries. The interception of any subscriber's incoming SMS, as described by Positive Technologies, is carried out in exactly this way. The attacker does not need sophisticated equipment: a Linux computer with an SS7 packet generator, which can be found on the Internet, is enough.
After the subscriber has been registered at a "fake" MSC/VLR address, all SMS messages intended for the subscriber will arrive at the attacker's node.
An attacker can:
send a delivery report (the sending party will get the impression that the SMS has been delivered to the recipient);
not send a delivery report and re-register the subscriber at the previous switch (in this case the message will be sent to the recipient again in a few minutes);
send a delivery report, re-register the subscriber at the previous switch, and send him a modified message.
This attack can be used for:
interception of one-time passwords from a mobile bank;
interception of recovered passwords from Internet services (mail, social networks, etc.);
obtaining passwords for a personal account on the mobile operator's website.
Once again, Kurbatov and Puzankov described all this in 2014 (!), but only now have the people at Süddeutsche Zeitung discovered that such attacks were actually being carried out, and that two-factor authentication via SMS no longer provides any security.
In fact, previously only the special services could use this option, but now anyone with a Linux computer can. Süddeutsche Zeitung writes that access to an SS7 switch can be bought in some places for 1000 euros. With a bribe you can also obtain a mobile operator's global title (GT) identifier; this is possible in some poor, corrupt countries, where officials sometimes allow themselves to break the law for personal gain.
The attackers obtained the victims' bank details using phishing or malware, and then used the SS7 vulnerability to receive the one-time transaction confirmation code (mTAN) that the bank sends via SMS.
The German newspaper's investigation not only talks about the theft of money from bank accounts, but points to the fundamental vulnerability of SMS as an authentication factor: "I am not surprised that hackers took the money that was at their fingertips. I'm only surprised that it took so long for online banking thieves to join the espionage agencies and exploit the vulnerabilities of the SS7 network," says Karsten Nohl, another well-known specialist in mobile network security and SS7. At the same conference in Russia in 2014 he gave a talk on attacks on mobile networks, and he has repeatedly spoken on this topic at other conferences. In particular, he spoke about SS7 vulnerabilities at the Chaos Communication Congress hacker conference in 2014 and even listened in on the cell phone calls of Congressman Ted W. Lieu (with his consent) for demonstration purposes.
It is very important that the numerous online services, banks and other organizations immediately stop using SMS for authentication, because this channel has already been officially recognized as unsafe (NIST recommendations). For example, Google uses the more reliable Google Authenticator mobile application, but still sends SMS codes for signing in to an account, which completely undermines the security system, given the actively exploited vulnerabilities in SS7.
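The "register the subscriber at a fake MSC/VLR" flow described in the post above, as an added toy model in Python that is not part of the original post and is not code from Positive Technologies or any real SS7 tool. An HLR that accepts UpdateLocation from any global title hands the attacker's GT to the SMSC on SRI-for-SM, so the bank's mTAN is delivered to the attacker's node (which acknowledges it and then re-registers the victim at the home switch, as the post describes); the same HLR behind a simple SS7-firewall policy (roaming-partner GT allowlist plus a velocity check) rejects the rogue registration. All GTs, IMSIs, MSISDNs, timing values, the message text and the firewall thresholds are constructed; nothing here speaks real SS7/MAP.

```python
"""Toy model of the SMS interception flow: a rogue MAP UpdateLocation moves a
subscriber to the attacker's MSC/VLR GT, so mobile-terminated SMS goes there.
Every element, GT and policy value is constructed for illustration only."""
from dataclasses import dataclass, field


def country(gt: str) -> str:
    """Toy rule: GTs are E.164-like digit strings, first two digits = country."""
    return gt[:2]


@dataclass
class Subscriber:
    imsi: str
    msisdn: str
    msc_gt: str             # GT of the MSC/VLR the HLR believes serves the subscriber
    last_update_ts: float   # when msc_gt was last set (seconds)


class SS7Firewall:
    """Two checks an operator can apply to inbound UpdateLocation for its own
    subscribers (the kind of rule an SS7 firewall enforces; values are toy):
      1. the claimed MSC/VLR GT must lie in a known roaming partner's GT range;
      2. velocity: a subscriber cannot move to another country within
         min_seconds of the previous location update."""

    def __init__(self, partner_gt_prefixes, min_seconds: float):
        self.partner_gt_prefixes = tuple(partner_gt_prefixes)
        self.min_seconds = min_seconds

    def allow_update_location(self, sub: Subscriber, new_msc_gt: str, now: float) -> bool:
        if not new_msc_gt.startswith(self.partner_gt_prefixes):
            return False
        moved_country = country(new_msc_gt) != country(sub.msc_gt)
        if moved_country and now - sub.last_update_ts < self.min_seconds:
            return False
        return True


@dataclass
class HLR:
    """Home Location Register: answers UpdateLocation and SRI-for-SM. Without a
    policy it trusts any GT claiming to serve the subscriber (the weakness)."""
    subs: dict = field(default_factory=dict)      # imsi -> Subscriber
    policy: "SS7Firewall | None" = None

    def update_location(self, imsi: str, new_msc_gt: str, now: float) -> str:
        sub = self.subs[imsi]
        if self.policy and not self.policy.allow_update_location(sub, new_msc_gt, now):
            return "rejected"
        sub.msc_gt, sub.last_update_ts = new_msc_gt, now
        return "ok"

    def routing_info_for_sm(self, msisdn: str):
        for sub in self.subs.values():
            if sub.msisdn == msisdn:
                return sub.imsi, sub.msc_gt
        raise KeyError(msisdn)


class SMSC:
    """Delivers MT SMS to whichever GT the HLR returns for the MSISDN."""

    def __init__(self, hlr: HLR, nodes: dict):
        self.hlr = hlr
        self.nodes = nodes  # gt -> handler(imsi, text) returning a delivery report

    def deliver(self, msisdn: str, text: str):
        imsi, msc_gt = self.hlr.routing_info_for_sm(msisdn)
        return msc_gt, self.nodes[msc_gt](imsi, text)


HOME_MSC_GT = "4915000000100"   # constructed: victim's home switch (DE range)
ATTACKER_GT = "2420000000099"   # constructed: attacker's node in a foreign network


def run_scenario(with_firewall: bool):
    """Returns (UpdateLocation result, GT the mTAN was routed to, inbox per node)."""
    hlr = HLR()
    if with_firewall:
        hlr.policy = SS7Firewall(partner_gt_prefixes=("49", "33"), min_seconds=3600)
    victim = Subscriber("262010000000001", "4915100000001", HOME_MSC_GT, last_update_ts=0.0)
    hlr.subs[victim.imsi] = victim
    inbox = {}

    def home_msc(imsi, text):
        inbox.setdefault("home_msc", []).append(text)
        return True

    def attacker_node(imsi, text):
        inbox.setdefault("attacker", []).append(text)
        return True   # send a delivery report so the bank believes the SMS arrived

    smsc = SMSC(hlr, {HOME_MSC_GT: home_msc, ATTACKER_GT: attacker_node})
    status = hlr.update_location(victim.imsi, ATTACKER_GT, now=60.0)   # rogue UpdateLocation
    routed_to, _ = smsc.deliver(victim.msisdn, "Your mTAN is 482913")  # constructed message
    if status == "ok":
        hlr.update_location(victim.imsi, HOME_MSC_GT, now=120.0)        # re-register at home switch
    return status, routed_to, inbox


if __name__ == "__main__":
    print("no firewall  :", run_scenario(with_firewall=False))
    print("with firewall:", run_scenario(with_firewall=True))
```

Run it directly to see both scenarios. The velocity check matters because, as the post notes, a GT inside a legitimate partner's range can be obtained by bribery, so an allowlist alone is not enough. Real operators also deploy SMS home routing, which answers SRI-for-SM with a home-network address so the serving MSC is never revealed to the requester; that control is not modelled here.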

#2
04-08-2025, 01:49 PM
delazo
Join Date: Aug 2022
Posts: 0

Thanks for sharing! This was some really good food for thought!
#3
04-08-2025, 01:58 PM
alban
Banned
Join Date: Jun 2021
Posts: 6

What about Russia? In RU the cops sniff everything remotely from a laptop, without SS7.
SS7 is used abroad, and hardly anyone has actually had this scheme in their hands for fraud.

#4
04-08-2025, 02:19 PM
Vladx3
Join Date: Sep 2023
Posts: 0

Quote:
Originally Posted by vmstar
Critical vulnerabilities in the SS7 signaling protocol have been known for several years. [...]

do you have ss7?