
In Germany, hackers stole money from users' bank accounts using SS7 vulnerabilities



Image: Michael Coghlan, CC

According to the newspaper Süddeutsche Zeitung, attackers targeted subscribers of the German mobile operator O2-Telefonica and, as a result, stole money from the bank accounts of a number of users. During the attack the hackers intercepted two-factor authentication codes by exploiting a vulnerability in the SS7 signalling protocol.

Earlier, experts from Positive Technologies had reported serious security problems in SS7 cellular networks and demonstrated SMS interception using the vulnerabilities it contains.

How the attack developed

The attack took place in January 2017 and was carried out in two phases. First, the attackers infected the victim's computer with a banking trojan that stole the username and password for the online bank account and also read the account balance and the user's mobile phone number. The attackers had previously bought access to the SS7 network on the black market, which allowed them to pose as a roaming partner of the German operator and register subscribers on a fake network. To the mobile operator it simply looked as if the subscribers had gone abroad and attached to a roaming partner's network. After such a registration, all incoming SMS messages are delivered in cleartext to the fake network, that is, to the attackers.

In the second phase, often at night to reduce the chance of their actions being noticed, the fraudsters logged in to the user's bank account and made money transfers, using the codes from the intercepted SMS messages as confirmation.
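The operator-side signal for this attack is the bogus roaming registration itself: an update of the subscriber's location from a network that is not a known roaming partner, arriving minutes after the subscriber was active at home. The following is an added example (not code from the article, O2 or Positive Technologies) of that "unknown partner / impossible travel" check run over a constructed signalling log; the record fields, network codes and the two-hour travel threshold are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class SigEvent:
    ts: datetime
    imsi: str
    op: str       # "updateLocation" (roaming registration) or "activity" (seen on home network)
    network: str  # MCC-MNC of the network claiming to serve the subscriber (constructed codes)
    country: str  # country of that network

HOME_NETWORK = "262-07"                              # assumed placeholder for the home PLMN
ROAMING_PARTNERS = {"262-07", "234-10", "208-01"}    # constructed allow-list of roaming agreements
MIN_TRAVEL = timedelta(hours=2)                      # assumed minimum plausible time to change country

def suspicious_registrations(events):
    """Return (event, reason) pairs for location updates that look like a fake roaming registration."""
    last_seen = {}   # imsi -> most recent event for that subscriber
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.op == "updateLocation":
            reasons = []
            if ev.network not in ROAMING_PARTNERS:
                reasons.append("registration from unknown roaming partner")
            prev = last_seen.get(ev.imsi)
            if prev and prev.country != ev.country and ev.ts - prev.ts < MIN_TRAVEL:
                reasons.append(f"impossible travel from {prev.country} in {ev.ts - prev.ts}")
            if reasons:
                alerts.append((ev, "; ".join(reasons)))
        last_seen[ev.imsi] = ev
    return alerts

# Constructed sample log: subscriber ...001 is seen at home at 22:55 and "registers" abroad at 23:40;
# subscriber ...002 genuinely roams to a partner network the next morning.
SAMPLE_EVENTS = [
    SigEvent(datetime(2017, 1, 12, 22, 55), "262070000000001", "activity", HOME_NETWORK, "DE"),
    SigEvent(datetime(2017, 1, 12, 23, 40), "262070000000001", "updateLocation", "999-99", "XX"),
    SigEvent(datetime(2017, 1, 12, 23, 41), "262070000000002", "activity", HOME_NETWORK, "DE"),
    SigEvent(datetime(2017, 1, 13, 1, 0), "262070000000003", "updateLocation", "208-01", "FR"),
    SigEvent(datetime(2017, 1, 13, 9, 10), "262070000000002", "updateLocation", "234-10", "GB"),
]

def detect_sample():
    return suspicious_registrations(SAMPLE_EVENTS)

if __name__ == "__main__":
    for ev, reason in detect_sample():
        print(f"{ev.ts} IMSI {ev.imsi} from {ev.network}: {reason}")
```

A real SS7 firewall would evaluate this on the MAP UpdateLocation message itself and could reject it or require the home network to confirm before SMS delivery is redirected.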

A representative of O2 Telefonica confirmed the successful attack to journalists and said it had been mounted from the "network of a foreign mobile operator".

SS7 security: everything is bad


The SS7 (OKS-7) system was designed some forty years ago and has several security flaws: for example, it has no encryption and no authentication of signalling messages. As a result, attackers who gain access to an SS7 gateway (which is not especially hard to do) can exploit these flaws.

Attacks via SS7 can be carried out from anywhere on the planet, which makes this method one of the most attractive for an intruder. Unlike with a fake base station, the attacker does not need to be physically near the subscriber, so it is almost impossible to locate them. Nor is a high level of skill required: many ready-made tools for working with SS7 are available online. At the same time, operators cannot block commands from individual nodes, since doing so disrupts the service as a whole and violates the principles of roaming.

A study by Positive Technologies experts of the SS7 network security of leading mobile operators in the EMEA and APAC regions showed that the problem of subscriber security is very serious.

Against the telecom operators taking part in the study and their SS7 networks, attacks involving leakage of subscriber data (77% of attempts successful), network disruption (80%) and fraudulent activity (67%) could be carried out. Incoming SMS messages could be intercepted in the networks of every participant; nine out of ten such attempts (89%) reached their goal.

Experiments like this show that, while such serious SS7 vulnerabilities remain open, using SMS to deliver one-time authentication codes endangers the users who receive those codes. That is why the US National Institute of Standards and Technology (NIST) has come out against using SMS as one of the elements of two-factor authentication.

Source: https://habr.com/ru/post/328328/
