A while back we published a report on how anybody can hack WhatsApp using the SS7 flaw. The SS7 flaw has existed for eons now, along with fixes, but the GSM and telecom companies are neither inclined nor bothered to patch their infrastructure against the flaw.
Now a cybersecurity company called Positive Technologies has come out with a video detailing how anyone can hack any Gmail account with simply a name and a mobile number using the SS7 flaw. After hacking the Gmail account of the victim, the researchers then proceed to steal a Bitcoin wallet using the same SS7 flaw. The Positive researchers sent their video to Thomas Fox-Brewster, an ace investigative reporter from Forbes, along with details of how to achieve the hack.
The vulnerability lies in Signalling System 7, or SS7, the technology used by telecom operators, on which the highly secure messaging system and telephone calls rely. SS7 is a set of telephony signaling protocols developed in 1975, which is used to set up and tear down most of the world’s public switched telephone network (PSTN) telephone calls. It also performs number translation, local number portability, prepaid billing, Short Message Service (SMS), and other mass market services.
SS7 is vulnerable to hacking and this has been known since 2008. In 2014, the media reported a protocol vulnerability of SS7 by which both government agencies and non-state actors can track the movements of cell phone users from virtually anywhere in the world with a success rate of approximately 70%. In addition, eavesdropping is possible by using the protocol to forward calls and also facilitate decryption by requesting that each caller’s carrier release a temporary encryption key to unlock the communication after it has been recorded. Researchers created a tool (SnoopSnitch) which can warn when certain SS7 attacks occur against a phone and detect IMSI-catchers.
In the PoC video, the researchers first used a phone number to crack Google's email service, Gmail. Once the email account was identified, the researchers sent a password reset request to Gmail's servers. As per the protocol, Gmail sent the one-time authorization code (OTP) to the victim's phone. Positive Technologies researchers then used the SS7 flaw to intercept the SMS text containing the OTP. Once they had the OTP, hacking the victim's Gmail account and resetting the password was easy. They immediately chose a new password and took control of the Gmail account.
Using these details, they headed to the Coinbase website. Here too they used the same modus operandi, i.e. another password reset using the email account they had hacked. Coinbase also sent an OTP to the victim's smartphone, which the researchers similarly intercepted using the same SS7 flaw. Once they had access to the OTP, they could reset the password to the victim's Bitcoin wallet and had access to all the bitcoins saved in the wallet.
“This hack would work for any resource – real currency or virtual currency – that uses SMS for password recovery,” Positive researcher Dmitry Kurbatov told Forbes. “This is a vulnerability in mobile networks, which ultimately means it is an issue for everyone, especially services relying on the mobile network to send security codes.”
Accessing SS7 has also become easy for hackers with easily available IMSI catchers. Kurbatov told Forbes that there are many websites on the dark web, such as Interconnector, that sell SS7 services. “The risk lies in the fact that cybercriminals can potentially buy access to SS7 illegitimately [on the] dark web,” Kurbatov noted.
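The Gmail-then-Coinbase chain above generalises to any set of accounts whose recovery paths lean on SMS. The following is an added example, not code from Positive Technologies or from the original article: a small audit that computes which accounts become recoverable once SMS to one number is treated as interceptable. The account inventory, factor names and phone number are constructed for illustration.

```python
"""Audit which accounts fall if one recovery factor (e.g. SMS) is interceptable."""

# Constructed inventory (assumption). Each account lists its recovery paths.
# A path is a set of factors that must ALL be held; any one complete path is enough.
#   sms:<number>      reset code texted to that number (travels over SS7)
#   account:<name>    control of another account, e.g. the mailbox that gets reset links
#   totp:<id>/key:<id> authenticator app or hardware key (does not travel over SS7)
ACCOUNTS = {
    "gmail":    [{"sms:+15550100"}],
    "coinbase": [{"account:gmail", "sms:+15550100"}],
    "bank":     [{"account:gmail", "totp:bank-app"}],
    "github":   [{"key:hw-1"}, {"account:proton"}],
    "proton":   [{"totp:proton-app"}],
}


def exposed_accounts(accounts, interceptable):
    """Return {account: recovery path used} for every account that can be
    recovered by a party holding only the `interceptable` factors.
    Insertion order of the result is the order in which accounts fall."""
    held = set(interceptable)
    fallen = {}
    changed = True
    while changed:  # fixed point: each fallen account may unlock further ones
        changed = False
        for name, paths in accounts.items():
            if name in fallen:
                continue
            for path in paths:
                if path <= held:  # every factor on this path is already held
                    fallen[name] = sorted(path)
                    held.add(f"account:{name}")
                    changed = True
                    break
    return fallen


def with_recovery(accounts, name, paths):
    """Copy of the inventory with one account's recovery paths replaced."""
    updated = dict(accounts)
    updated[name] = paths
    return updated


if __name__ == "__main__":
    sms = {"sms:+15550100"}
    print("as configured:", exposed_accounts(ACCOUNTS, sms))
    hardened = with_recovery(ACCOUNTS, "gmail", [{"totp:gmail-app"}])
    print("gmail moved off SMS:", exposed_accounts(hardened, sms))
```

Moving only the mailbox off SMS recovery empties the result, because every other exposed path in this inventory depends on first controlling that mailbox.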