Signalling System No.7 (SS7) has caused many debates about its vulnerabilities, but new research has brought to light what is potentially a major flaw. Just from knowing your phone number, a malicious user could empty your Bitcoin wallet and even reset your Gmail password.
What is SS7
SS7 is an international standard that is used for the setting and ending of phone calls over the Public Switch Telephone Network (PTSN). The standard carries all the required information for configuring calls. It is also used for the transportation of text messages.
SS7 was developed in 1975 but the first vulnerabilities showing it was hackable wasn’t found until 2008. In 2014 concerns were raised that it could be used to track phones and movements anywhere in the world with around 70% accuracy.
This new flaw is built up on an old vulnerability. Research firm Positive Technologies were able to steal data from an account registered to Coinbase. This was done by gaining access to text messages that contained authentication codes; once they were obtained the hacker could then start carrying out financial transactions.
A worrying lack on information was also required to carry out this attack. To select a user you only need to know their first name, last name and their mobile number.
How to get around this
This vulnerability has been around for a while and it would seem that there isn’t much that can be done to stop the number being monitored and texts and calls being intercepted. This attack however requires multi-factor authentication codes to be sent via text, if the multi-factor authentication codes use an app or another method this attack becomes a lot harder to pull off. Unfortunately though for many services it is still impossible to opt out of receiving one time passwords or multi-factor authentication codes
For more information please visit: https://www.hackread.com/how-ss7-flaw-can-be-used-to-hack-gmail-bitcoin-wallet/