Cybercriminals Empty Bitcoin Wallets Using Nothing But Phone Numbers
For a long time now, the security industry has known about the vulnerabilities of Signalling System 7 (SS7). The SS7 is a global set of telephony protocols that was first developed in 1975 and is primarily used to connect one mobile phone network to another. The system enables phone networks to exchange information needed to make calls and send text messages to different networks, and allows users on one network to roam on another while traveling.
The systematic flaw in SS7 has been known for a long time now - at least publicly since 2014. However, not much is being done since the attackers require access to the SS7 network, meaning that no one but the governments and sophisticated threat actors can potentially misuse it. While that isn't a consolation in itself since it leads to targeted spying and surveillance programs, the latest reports have also revealed that access to SS7 is being "sold" on some dark net websites to "common" cybercriminals.
Why are we talking about SS7, again?
Researchers at Positive Technologies have shown how they can empty bitcoin wallets using nothing but SS7 vulnerabilities. By acquiring access to the SS7 network (Positive's researchers had access to it "for research purposes to identify vulnerabilities and help mobile operators make their networks more secure"), they were able to reset Gmail passwords using the text-based two-factor authentication process.
The video posted by the research team (shared at the end of this post) shows how easy it is to hack into a bitcoin wallet by doing nothing but intercepting text messages in transit. Once they reset the Gmail password of the victim's account using the eavesdropped text message code, they were also able to reset a Coinbase account, which was registered with a Gmail account.
This process only makes use of known flaws and shows once again that cybercriminals can use this access to text messages to gain control of entire Google accounts, or basically any account and service that offers text-based authentication. Not to forget those services that are associated with your emails. From bank accounts to cryptocurrency wallets to enterprise accounts, a lot of data is at a potential risk of being targeted by sophisticated or state-backed hackers.
While these were security researchers who didn't actually steal anything from the targeted bitcoin wallet, one more step and they could have emptied it out completely.
"This hack would work for any resource - real currency or virtual currency - that uses SMS for password recovery," Positive researcher Dmitry Kurbatov told Forbes. "This is a vulnerability in mobile networks, which ultimately means it is an issue for everyone, especially services relying on the mobile network to send security codes."
Getting access to SS7 may not be too difficult
Cybercriminals have already used SS7 flaws to launch attacks, with one reported attack in Germany where criminals looted from bank accounts and another where (benevolent) hackers used the flaw to target a Congressman and were able to "record calls and texts, track the Congressman’s location even with the GPS turned off using cellphone tower triangulation, and log the phone numbers of everyone who called his phone".
Notorious surveillance companies like Israeli firm Ability Inc have been openly selling services to spy on targets using SS7 network flaws. Cybercriminals who can't afford elite firms like Ability can gain access to it using services sold on the dark web, many of which, however, did turn out to be scams. "The risk lies in the fact that cybercriminals can potentially buy access to SS7 illegitimately [on] dark web," Kurbatov added.
The research team added that criminals can also just attack the network directly instead of spending millions on buying this access.
"It's much easier and cheaper to get direct access to the SS7 interconnection network and then craft specific SS7 messages, instead of trying to find a ready-to-use SS7 hijack service."
While bitcoin wallets are popular in these attacks because of their irreversibility, the attack works on just about every other service. The telecom companies are taking their time to move away from this protocol. But, since basically nothing has happened in the last 3 years, internet users have to realize the inherent insecurity of relying on text messages for security and tech companies also need to force their consumers to move on to better options like authentication apps (e.g. Google Authenticator) and stop promoting text messages as a security feature.
If anything, two-factor authentication using text messages is putting your online security at even more risk.