Researchers Drain Bitcoin Account Using Known Mobile SS7 Flaw
Positive Technologies used a known flaw in the SS7 mobile messaging protocol to take over a Gmail account and the Coinbase account linked to it
Security researchers have demonstrated the ease with which a mobile messaging network security flaw can be exploited to take control of users’ online accounts.
The flaw involves the SS7 (Signalling System 7) communications protocol, used to route messages across the world’s mobile networks. The protocol’s insecurity was first disclosed in 2014, and was used to pilfer funds from German bank accounts earlier this year.
Flaws can still be exploited
Now researchers from Positive Technologies have released a video in which they demonstrate that the flaws are still easily exploitable.
Dmitry Kurbatov, the firm’s telecommunications security lead, said the demonstration is a reminder of the insecurity of SMS-based two-factor authentication, which remains the most common way to send the one-time passwords increasingly used to verify transactions.
But he noted that the issues with SS7 aren’t the only way attackers can intercept SMS messages, which are considered less secure than device- or application-specific two-factor authentication methods because they’re sent to any device registered to a given mobile phone number.
“Exploiting SS7 specific features is one of several existing ways to intercept SMS,” Kurbatov said in a statement. “Unfortunately, it is still impossible to opt out of using SMS for sending one-time passwords. It is the most universal and convenient two-factor authentication technology.”
For the demonstration, Positive targeted a Coinbase account used to handle Bitcoin and other digital currencies.
Password reset
They then obtained the Gmail address linked to the target’s Coinbase account and the mobile phone number linked to the two-factor authentication of both the Gmail and Coinbase accounts.
With this information in hand they triggered a password reset for Gmail and intercepted the SMS message sent to verify the action. And once the Gmail account was under their control they triggered a password reset for the Coinbase account, once again accepting an authentication code sent via SMS. They then logged into the Coinbase account and could have emptied it of funds.
For the demonstration’s purposes Positive obtained a mobile operator’s permission to access its network, but hackers would do so by either purchasing a black-market SMS hijack service or attacking the network itself and sending illicit SS7 instructions to reroute messages.
Kurbatov said the technique would work for any account that relies on SMS messages for password recovery.
The use of two-factor authentication is still, however, considered to add a layer of security, and since many service only offer SMS-based two-factor Kurbatov said users can protect themselves by using a separate phone number for receiving security messages.
The attacks in Germany earlier this year used a slightly more complex method that involved sending phishing messages to targets to obtain their bank login credentials.
SMS interception
The thieves then used an SS7 exploit on Telefonica Germany’s network to intercept the authentication messages sent when they carried out a transaction, according to Süddeutsche Zeitung, which reported the incidents in May, citing unnamed sources.
The thefts, which were confirmed by Telefonica Germany, spurred telecommunications and banking representatives to meet in Berlin in April to discuss a solution, the paper reported.
Telefonica Germany said at the time that the malicious SS7 messages were transmitted by an illicit network that has since been blocked.
German researcher Karsten Nohl, who initially disclosed the SS7 issues at the end of 2014, last year demonstrated how it could be used to hack into users’ mobile phones, eavesdrop on their calls and determine their location.
Nohl demonstrated the flaw for CBS news programme 60 Minutes in the US by hacking an off-the-shelf iPhone provided by the programme to Representative Ted Lieu, a California politician who’s part of a House of Representatives committee that oversees IT issues.
Provided only with the phone number of the new handset, Nohl, based in Berlin, was able to record Lieu’s conversations, read his text messages and track his movements within districts of Los Angeles.
Do you know all about security in 2017? Try our quiz!