10

I'm reading about an SS7 issue: SS7 flaw allows hackers to spy on every conversation.

It seems to me that any phone on the world can be intercepted so the hacker can listen to your phone call or read your text message. As far as I know, google, authy provides a way to access into account through the registered phone number. So if a user is having gmail account and authy that eventually lead to a phone number, he is screwed? His online bitcoin wallet, and even his bank account may very well be compromised?

Castaglia
  • 560
  • 8
  • 19

2 Answers2

10

Yes.

Why do I say this? It is important to understand what all these vulnerability's are and why they exists (I will be calling the victim "subscriber"):

Why do they exists:

SS7 was designed and developed in 1975 as a protocol for telecommunication for call operating centers. Since we are talking here about 1975, the security of the protocol was not really considered in the planning. Later when mobile phones came along they needed a protocol to use and since SS7 was around and was proven to work there was no reason not to use it. So they implanted it into the GSM network architecture and added a few things (SMS, roaming and later on also mobile data).

Now lets understand the vulnerabilities:

  1. Obtaining a subscribers location:
    A hacker can set up a fake HLR (Home Location Registrar) and claim that he is looking for a subscriber and send a request using the MAP messaging service (Request returns location data regarding the subscriber location and a few more things) and this data will return the Cell ID, the Mobile Country Code (MCC), Mobile Network Code (MNC) and the Location Area Code all related to the target subscribers current location. This was built so anyone wanting to communicate with the subscriber (Route a call to the subscribers location).
    Note: Most of the big companies have disabled this feature and found different way to deal with MAP requests.

  2. Retrieving subscribers SMS's:
    An attacker will pose as a MSC (Mobile Switching Center) and claim to have the subscriber in its network, this will result in the subscribers mobile carrier redirecting traffic meant for the subscriber to the attacker.

  3. Put subscriber offline:
    Hacker once again poses as a HLR and claims that subscriber is in his network. Since a subscriber can only be in one place at a time, this will result in disconnecting the subscriber at his current location resulting in the subscriber not having connection.
    This was designed so carriers can update the HLR DB regarding the subscriber's location so relevant services can be routed to the subscriber.

Conclusion:

As you can see, the SS7 protocol was designed with poor security and until it is not updated with fixes and solutions the vulnerability's will exists.

Note:

  • I only covered the main vulnerabilities even though there are many more. You can read more about the vulnerabilities over here.
  • Many carriers have found creative ways to patch these security holes. It is fair to assume that most of them have not we can see that by the proven research's that are out there.
Bubble Hacker
  • 3,615
  • 1
  • 11
  • 20
4

The answer is yes. As explained in this link a similar exploit has been made on Facebook.

If you have a phone number linked to your Facebook account, a hacker just needs your phone number and just by hitting the "reset my password" button and intercepting the confirmation code sent to your phone he will have full access.