Researchers have been warning for years about critical issues with the Signaling System 7 (SS7) that could allow hackers to listen in private phone calls and read text messages on a potentially vast scale, despite the most advanced encryption used by cellular networks.
Despite fixes being available for years, the global cellular networks have consistently been ignoring this serious issue, saying that the exploitation of the SS7 weaknesses requires significant technical and financial investment, so is a very low risk for people.
However, earlier this year we saw a real-world attacks, hackers utilised this designing flaw in SS7 to drain victims’ bank accounts by intercepting two-factor authentication code (one-time passcode, or OTP) sent by banks to their customers and redirecting it to themselves.
If that incident wasn’t enough for the global telecoms networks to consider fixing the flaws, white hat hackers from Positive Technologies now demonstrated how cybercriminals could exploit the SS7 flaw to take control of the online bitcoin wallets to steal all your funds.
Created in the 1980s, SS7 is a telephony signalling protocol that powers over 800 telecom operators across the world, including AT&T and Verizon, to interconnect and exchange data, like routing calls and texts with one another, enabling roaming and other services.
Here’s How Hackers Hacked into Bitcoin Wallet and Stole Fund
While demonstrating the attack, the Positive researchers first obtained Gmail address and phone number of the target, and then initiated a password reset request for the account, which involved sending a one-time authorization token to be sent to the target’s phone number.
Just like in previous SS7 hacks, the Positive researchers were able to intercept the SMS messages containing the 2FA code by exploiting known designing flaws in SS7 and gain access to the Gmail inbox.
From there, the researchers went straight to the Coinbase account that was registered with the compromised Gmail account and initiated another password reset, this time, for the victim’s Coinbase wallet. They then logged into the wallet and emptied it of crypto-cash.
Fortunately, this attack was carried out by security researchers rather than cybercriminals, so there wasn’t any actual fraud of bitcoin cryptocurrencies.
This issue looks like a vulnerability in Coinbase, but it’s not. The real weakness resides in the cellular system itself.
Positive Technologies has also posted a proof-of-concept video, demonstrating how easy it is to hack into a bitcoin wallet just by intercepting text messages in transit.
Different SS7 Attack Scenarios
This attack is not limited to only cryptocurrency wallets. Any service, be it Facebook or Gmail, that relies on two-step verification are vulnerable to the attacks.
The designing flaws in SS7 have been in circulation since 2014 when a team of researchers at German Security Research Labs alerted the world to it.
The flaws could allow hackers to listen to phone calls and intercept text messages on a potentially massive scale, despite the most advanced encryption used by cellular network operators.
Last year, the researchers from Positive Technologies also gave demonstrations on the WhatsApp, Telegram, and Facebook hacks using the same designing flaws in SS7 to bypass two-factor authentication used by those services.
At TV program 60 Minutes, Karsten Nohl of German Security Research Labs last year demonstrated the SS7 attack on US Congressman Ted Lieu’s phone number (with his permission) and successfully intercepted his iPhone, recorded call, and tracked his precise location in real-time just by using his cell phone number and access to an SS7 network.
Although the network operators are unable to patch the issues anytime soon, there’s little a smartphone user can do.
Avoid using two-factor authentication via SMS texts for receiving OTP codes. Instead, rely on cryptographically-based security keys as a second authentication factor.