Someone checked and, yup, you can still hijack Gmail, Bitcoin wallets etc via dirty SS7 tricks

Two-factor authentication by SMS? More like SOS

By John Leyden


Once again, it's been demonstrated that vulnerabilities in cellphone networks can be exploited to intercept one-time two-factor authentication tokens in text messages.

Specifically, the security shortcomings lie in the Signaling System 7 (SS7) protocol, which is used by networks worldwide to talk to each other, route calls, and so on.

There are few or no safeguards in place on SS7 once you have access to a cell network operator's infrastructure. If you can reach the SS7 equipment – either as a corrupt insider or a hacker breaking in from the outside – you can reroute messages and calls as you please. Someone working for, or who has compromised, a telco in Morocco, for instance, can quietly hijack and receive texts destined for subscribers in America.

Infosec outfit Positive Technologies, based in Massachusetts, USA, obtained access to a telco's SS7 platform, with permission for research purposes, to this month demonstrate how to commandeer a victim's Bitcoin wallet. First, they obtained their would-be mark's Gmail address and cellphone number. They then requested a password reset for the webmail account, which involved sending a token to the cellphone number. Positive's team abused SS7 within the telco to intercept the authentication token and gain access to the Gmail inbox. From there, they were able to reset the password to the user's Coinbase wallet, log into that, and empty it of crypto-cash.

Minimum personal information about a victim – just their first name, last name, and phone number – was enough to get their email address from Google's find-a-person service and hack a test wallet in Coinbase.

Earlier this year, crooks exploited these aforementioned weaknesses in SS7 to log into victims' online bank accounts in Germany and drain them of funds. The cyber-robbers intercepted texts with login authentication codes sent to customers of Telefonica Germany before using the stolen information to carry out unauthorized transactions, as we previously reported.

"Exploiting SS7-specific features is one of several existing ways to intercept SMS," said Dmitry Kurbatov, head of the telecommunications security department at Positive Technologies.

"Unfortunately, it is still impossible to opt out of using SMS for sending one-time passwords. It is the most universal and convenient two-factor authentication technology. All telecom operators should analyze vulnerabilities and systematically improve the subscriber security level."

Banks try to strike a balance between usability and security. Tokens in text messages are easy to receive and type in. For sensitive accounts, using a phone for authentication will be risky if SS7 hijacks increase. However, if the choice is phone authentication or no two-factor authentication at all, it's a good idea to use the phone for security reasons – or, even better, find a service that offers second-factor authentication from an app, key fob or other gizmo.

Ultimately, login token stealing, via SS7, is still rare. Most headaches with SMS tokens are caused by people getting locked out of their stuff, rather than having it all stolen.

"We should stop using SMS for 2FA, but also worth noting: for providers the biggest problem with 2FA is account lockouts, not bypasses," said Martijn Grooten, a security researcher and editor of industry journal Virus Bulletin. ®
