Researchers steal bitcoin by exploiting SS7 vulnerabilities

Hackers have exploited a security weakness in global telecom networks to break into a Gmail account, take control of a bitcoin wallet and steal over $4,000 in the cryptocurrency.

Researchers from the cybersecurity firm Positive Technologies demonstrated the technique exploiting flaws in Signalling System No. 7 (SS7), a nearly 50-year-old set of protocols used to perform most of the world’s telephone calls and text messages, among other functions. SS7 has long been a target for sophisticated hackers intent on eavesdropping and attacking targets around the world.

The attackers only needed a victim’s full name and phone number in order to eventually hack a wallet at the popular bitcoin exchange Coinbase and take the virtual currency for themselves. The research focuses in on the issue of multi-factor authentication relying on text messages that can be intercepted by exploiting flaws in SS7 as demonstrated by Positive Technologies.

“The inherent security vulnerabilities within the SS7 network, coupled with this simple example of a simulated attack on a bitcoin wallet, shines a light on the vulnerabilities of some two-factor authentication implementations,” Mike Schuricht from the security firm Bitglass told CyberScoop. “This is a reminder that there is still more to be done when it comes to deploying a seamless, easy-to-use, yet secure multi-factor authentication solution. Service providers are very much aware of these vulnerabilities and many already support more secure MFA tools, such as Google Authenticator and hardware tokens.”

In addition to Google Authenticator, the hardware token-manufacturer Yubico saw a “huge spike” in orders last year and landed a $30 million investment in June 2017. Both forms of authentication are recommended by experts over codes sent by text messages.

Here’s a demonstration of the exploit in action:

https://www.youtube.com/watch?v=mLh1Nmqa6OM

“We work in close coordination with telecom operators to discover threats before hackers do, in order to protect subscribers,” Dmitry Kurbatov, head of the telecommunications security department at Positive Technologies, said. “Exploiting SS7 specific features is one of several existing ways to intercept SMS. Unfortunately, it is still impossible to opt out of using SMS for sending one-time passwords. It is the most universal and convenient two-factor authentication technology. All telecom operators should analyze vulnerabilities and systematically improve the subscriber security level.”

After years of warnings about SS7 vulnerabilities, hackers in 2017 broke into German bank accounts by exploiting SS7 vulnerabilities. Earlier this month, Sen. Ron Wyden, D-Ore., sent letters to the major American telecom firms demanding to know how the companies planned to protect their networks and customers from vulnerabilities in the half-century old SS7 protocol.

“I understand that some wireless carriers are further along in the process of implementing protections against SS7 attacks than others. However, information about the progress that each carrier has made, and the extent to which their customers remain vulnerable to SS7 spying is not currently available to the general public, nor even to DHS,” the letters read. “The continued existence of these vulnerabilities and the ease with which they can be exploited by hackers and foreign governments poses a serious threat to U.S. national and economic security.”

After the Germany bank hacks, there were familiar calls from cybersecurity experts to end the practice of using SMS text messages as multifactor authentication for important accounts like, for instance, banks.

“While this is not the end of 2FA, it may be the end of 2FA over SS7, which comprises a majority of 2FA systems,” Cris Thomas, a strategist at Tenable Network Security, said following the breaches. “Vulnerabilities in SS7 and other cellular protocols aren’t new. They have been presented at security conferences for years … there are other more secure protocols available now that systems can switch to as attacks on SS7 become increasingly common.”

“This latest attack serves as a warning to the mobile community about what is at stake if these loopholes aren’t closed, and provides a rallying-cry to mobile carriers to act fast and work with vendors to protect their customers and their networks,” Mark Windle, director of Texas-based telecom firm Mavenir, said.

Even earlier in 2017, Rep. Ted Lieu, D-Calif., worked with Wyden to send a  letter to then-Homeland Security Secretary John Kelly asking that DHS investigate SS7 vulnerabilities and the impact on American government and companies. There has been no response so far.