Tag Archives: SS7

Security News Bites for the Week Ending February 8, 2019

Text Messaging for Two Factor Authentication is Under Attack

We have talked on occasion about a basically theoretical attack against text messages as the second factor for authentication.  It is likely that the feds know more than they are telling us about that since the National Institute of Standards and Technology has deprecated the use of text messaging for two factor for new systems.

Now we are seeing a large, in the wild, attack against real two factor authentication, specifically in banking.

Britain’s National Cyber Security Centre (NCSC), part of their GCHQ spy-guys, admitted that they are aware that this is being exploited.   As are the telephone carriers.

The attack vector still requires a very sophisticated hacker because it requires the attacker to compromise some phone company and inject fake SS7 commands into the system for the targeted phone number.  Hard, but far from impossible.

Still, in light of this being a real-world-empty-your-bank-account kind of attack, financial institutions should begin the transition away from text messaging to two factor apps (like Google Authenticator and others) to protect client accounts sooner rather than later.  Source: Motherboard.


Unnamed Energy Company (Duke) Fined $10 Million for Security Lapses

An unnamed energy company received the largest fine of its type ever at $10 million for security lapses,  including letting unauthorized people into secure areas and allowing uncleared computers to connect to secure networks, sometimes for months at a time.

The fine covers 130 violations.

The reason the company is unnamed is that it is likely the list of identified vulnerabilities is not complete and the identified holes are not all closed.

The WSJ reports that the company is Duke Energy.  So much for keeping their name out of the media.

This certainly could explain why many people say that the bad guys already “own” our energy utilities.  Source: Biz Journals.


Another Cryptocurrency Debacle

I keep saying that attacks on Cryptocurrency will not be on the math (encryption) but rather on the systems and software.

This week QuadrigaCX filed for the Canadian version of bankruptcy protection saying that they stored the vast majority of their assets in offline storage wallets and the only person who had the key was their CEO, who died suddenly.

They claim to have lost access to $145 million in a variety of cryptocurrencies and do not have the money to repay their customers.

Some users and researchers are skeptical of this story (really, no backup for access to over $140 million?).  Seems hard to swallow.

The researchers, after looking at the blockchain, say that they can find no evidence that QuadrigaCX has anything close to $100 million in Bitcoin, and perhaps the founder’s death was faked as an exit scam.

Assuming this all plays out the way it seems, customers are going to be waving bye-bye to $145 million of their cold, hard crypto coins.  Source: The Hacker News.


Apple to Release iOS 12.1.4 to Fix Facetime Bug This Week

In what has got to be the worst iPhone bug in a long time – one that allowed hackers to eavesdrop on iPhone users by exploiting a Facetime bug until Apple deactivated group calls on Facetime worldwide – Apple seems to be slow to respond.  Uncharacteristically.  Very.  Slow.

My guess is that the problem was technically hard to fix even though it was technically easy to exploit.  In any case, iOS 12.1.4 should be out this week and it is supposed to fix the security hole.  Source: ZDNet.


Online Casino Leaves Data on 100+ Million Bets Unprotected

Security researcher Justin Paine found a public Elasticsearch database unprotected online.

Contents include information such as name, address, birthdate, email, phone, etc., as well as bet information such as winnings amount.   When ZDNet reached out to the companies involved (there seem to be multiple companies with some common ownership, based in Cyprus and operating under a Curacao gaming license), they did not immediately reply, but the server went dark.

The company, Mountberg Limited, did reach out later thanking Justin for letting them know, but did not make any statement about their clients’ data.  Source: ZDNet.
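The two settings that decide whether an Elasticsearch node ends up "public and unprotected" like the one above are its bind address and whether authentication is switched on. As an added example (mine, not from the article or from Elastic), here is a small Python audit that reads a flat `elasticsearch.yml`, flags the exposed combination and shows the corrected one beside it. The two config samples are constructed for the example; the setting names `network.host`, `http.port` and `xpack.security.enabled` are real Elasticsearch settings, and treating a missing `xpack.security.enabled` as "off" is my conservative assumption (older releases defaulted it to off on the basic license).

```python
from typing import Dict, List

# Constructed sample: a node bound to every interface with security left off,
# which is the shape of misconfiguration behind most "open Elasticsearch" leaks.
EXPOSED_CONFIG = """\
cluster.name: bets-prod
network.host: 0.0.0.0        # listens on all interfaces
http.port: 9200
xpack.security.enabled: false
"""

# Constructed sample of the corrected file: loopback only, authentication required.
HARDENED_CONFIG = """\
cluster.name: bets-prod
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
"""

# Values of network.host that keep the node off the network; anything else is reachable.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1", "_local_"}


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse the flat 'key: value' lines Elasticsearch uses (no nesting handled here)."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def audit(settings: Dict[str, str]) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing flagged."""
    findings: List[str] = []
    host = settings.get("network.host", "localhost")  # Elasticsearch defaults to loopback
    exposed = host not in LOOPBACK_HOSTS
    if exposed:
        findings.append(f"network.host={host}: node reachable from outside the host")
    # Assumption: a missing value is treated as disabled (the older default).
    if settings.get("xpack.security.enabled", "false").lower() != "true":
        severity = "CRITICAL" if exposed else "warning"
        findings.append(f"{severity}: xpack.security.enabled is not true; "
                        "every index is readable without credentials")
    return findings


def audit_text(text: str) -> List[str]:
    return audit(parse_flat_yaml(text))


if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "->", audit_text(cfg) or ["no findings"])
```

Binding to loopback is the blunt fix; a node that must serve other hosts should keep `xpack.security.enabled: true`, sit behind a firewall rule limited to its clients, and use TLS, which this check does not attempt to verify.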


Germany Tells Facebook Not to Combine User Data Without Explicit Permission 

The Europeans are not happy with U.S. big tech.

In a ruling NOT related to GDPR, Germany’s Federal Cartel Office (FCO) says that Facebook cannot combine Instagram, WhatsApp and third party data into the user’s Facebook profile without explicit user permission, and that having the user check a box that says something like “we are going to do some stuff; you should read our 19 page description” is not adequate.

The regulator says that by doing this Facebook is abusing its monopoly power.  Facebook, not surprisingly, disagrees and says that the regulator is out of line.  Stay tuned.  If this rule stands, it could have a big impact on all companies that aggregate data from third parties without fully telling their clients.  Source: BBC.

Researchers Discover Flaws That Allow Eavesdropping Of Cell Calls

Signalling System 7, or SS7, has long been known to be vulnerable to hackers.  SS7 is the control protocol that telephone companies use to route and transfer calls between companies and, in the cellular world, between towers.

SS7 was designed in the early 1980s, when no one was terribly concerned about security.  Hackers – or foreign spies – can use SS7 to reroute calls, eavesdrop on calls, intercept text messages and locate users anywhere in the world, for example.

As carriers harden their own systems (the front doors), they leave the side doors (the SS7 signalling system that they use to talk to each other) not only unlocked, but propped open.

The Washington Post reported that systems are widely available that allow someone to track where a user is, anywhere in the world, if they have their cell phone powered on.

The GSM Alliance, an industry trade group, acknowledged the vulnerabilities for an earlier WaPo article and said that it is planning to replace SS7 over the next DECADE due to vulnerabilities and technical issues.

That means, for at least the next decade, assume that any skilled hacker or spy, anywhere in the world, can eavesdrop on your calls and text messages.

The researchers demonstrated decrypting a call with a German Senator – with his permission.   They also said that they could perform mass eavesdropping using a network of antennas.

While there are subtleties and nuances to what can and cannot be done and there are ways that users can better protect themselves, in the absence of users taking extra precautions, they should assume cell phone conversations are not private.


Information for this post came from The Washington Post.

SS7 flaws enable listening to cell phone calls and reading texts

SC Magazine is reporting that a flaw in Signaling System 7, the telephone industry standard for setting up, managing and tearing down phone calls, allows anyone to listen in on cell phone calls, read texts and locate a user.

Two separate researchers have identified the flaw and are going to demonstrate it at a hackers conference in Hamburg.

SS7, a protocol built in the 1970s by the major phone companies and now an international standard, was built long before security was a concern.

The Washington Post reported that countries were buying systems to exploit these weaknesses and use it to locate cell phone users.

One should assume that every major spy organization knows about this and has been using it forever.

This “hack” was tested on 20 carriers’ networks around the globe with 100 percent success.

The logical conclusion would be that you should assume that cell phone conversations, absent an extra layer of security, are guaranteed compromised.

An additional fun fact is that the conversations can be recorded and decrypted later.