3

Hackers are able to steal 2FA SMS messages by exploiting SS7. As far as my understanding goes, this means gaining access to the SS7 system and then broadcasting a message akin to "This number is roaming on my network, send me all their SMS messages!"

Would this work for a Google Voice number? If my understanding above is correct, Google knows it'll be sending the SMS to the Google Voice app and not to some other network, so I would guess it might be immune to SS7 exploitation. Or does the hacker only need to say the number is roaming to whoever is generating the SMS message?

I'm aware of the other downsides to using Google Voice as a second factor for 2FA, and am mitigating them by using an alternate Google account for which I have a strong, separate password that I only ever enter when logging into the app on my mobile device, and nowhere else, ever. I trust Google's security a hell of a lot more than the TelCo's. This way customer service won't give out my info or re-route the number just because someone knows my mother's name. I personally view keylogger attacks as unlikely on an non-jailbroken iPhone, and I hope I might be at least a bit more protected from atrocious SS7 holes.

Please don't respond to this telling me to use Google Authenticator or a hardware key - This is not in the scope of my question and I already do so where possible.

Mohamed Hafez
  • 161
  • 3
  • You appear to have gotten your answer [here](https://support.google.com/voice/thread/6698619) (outside of SE). If you summarize the results of that in an answer to yourself here, you can accept that answer and leave it as a useful answer for others. – Royce Williams May 25 '19 at 16:46
  • Honestly I think that's just a generic answer the Google rep gave me "Google Voice is no more or less secure than SMS". Specifically for the case I mentioned, can incoming SMS to Google Voice be redirected, after reading the document the Google rep posted, my hunch is "no" for the reasons described in that thread, but I couldn't get a straight answer. I'm not an expert on this in any way, I've just done a days worth of internet research, so I'm not comfortable putting that as an answer – Mohamed Hafez May 25 '19 at 21:20
  • The answer they gave you is complete and specific. For SMS-to-SMS transmission to work, any SMS must eventually dump out into the same SS7 network shared by all SMS sources and destinations, so the routing hijack attack vector applies. If it's SMS, it's vulnerable in this way - whether provided by Google Voice or anyone else. – Royce Williams May 25 '19 at 21:28
  • Maybe you're asking whether an SMS sent both *from* a Google Voice number, and *to* a Google Voice number, might simply skip SS7 entirely? That's the only use case I can think of that might track to what you have in mind. – Royce Williams May 25 '19 at 22:58
  • So if you read how about how the re-routing attack works in [the document from that thread](https://www.gsma.com/membership/wp-content/uploads/2018/07/SS7_Vulnerability_2017_A4.ENG_.0003.03.pdf), and also [this doc](https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf), it seems like the rerouting attack depends on an attacker telling the Google Voice HLR "hey, this number is roaming on my network, forward me their SMS". A carrier that gives out real SIM cards might have to honor that request, but Google knows their numbers don't roam, I doubt they would honor that request – Mohamed Hafez May 25 '19 at 23:25
  • Did you figure a better answer eventually? I believe what other people in this thread are saying is that in order for Google voice to receive an sms it has to broadcast "this number lives here", but there is no way to "pin" the number, so anyone else could also say "oh, and also here". – Ben Usman Jun 22 '19 at 20:12
  • @BenUsman so that's not how the specific attack described in the document I linked to from my previous comment works. According to G Suite customer support Google Voice is not susceptible at least to the attack described there (because they do not respond to other networks claiming the mobile number is roaming on their network) – Mohamed Hafez Jun 23 '19 at 02:52

0 Answers0