The German mobile operator O2 confirmed that hackers used an exploit of the SS7 protocol to steal Two Factor Authentication (2FA) SMS codes sent by online banking websites to confirm fund transfers. They could successfully steal money from O2 customers bank accounts doing fund transfers at night.
A two-steps hack
The attack, however, had to be conducted in 2 steps. First, the hackers needed to steal the login and passwords of the customers to connect on their online banking systems. Then, they diverted the confirmation SMS sent by the bank (one-time password – OTP) to successfully perform fund transfers and steal money from the accounts.
The thieves created a signaling access with a fake telecom provider and configured a SS7 redirection of SMS traffic for the victim’s phone number to a handset controlled by them.
The vulnerability was first reported back in 2014 by Tobias Engel in his presentation SS7: Locate. Track. Manipulate. during the “Chaos Communication Congress” hacker conference in Hamburg.
Keep in mind that SS7 was designed in the 1980’s when there was no concern over security between the very few state networks that were interconnected back then. Even after its evolution to add SMS and other supplementary services, no authentication or modern security mechanism has been added and it is today possible to:
- Locate mobile phones based on their MSISDN
- Modify subscriber voice/data services configuration in the HLR
- Intercept and re-route or listen to calls based on incoming number
- Intercept incoming SMS
- Re-route calls
Two factors authentication by SMS one-time-passwords is insecure. But more than that, hackers and government agencies can listen and intercept all communications done over traditional voice call and SMS from anywhere in the world. They can also track mobile phones up to a cell-level precision and possibly triangulation, even if the phone GPS and mobile data are not activated.