On May 3rd the Süddeutsche Zeitung reported that subscribers on the O2-Telefonica network in Germany had been targeted by criminals who had successfully stolen money from their personal bank accounts. These criminals accessed banking security data via the O2-Telefonica signalling system (SS7), a standard set of protocols used by all mobile operators and throughout the telecoms industry for connecting fixed and mobile networks. SS7 controls and monitors key information on a subscriber’s whereabouts for routing calls and data, and it thereby provides the basis for hackers to intercept calls and data without the knowledge of the legitimate subscriber.
A preventable attack – is complacency the cause?
This attack was entirely preventable: SS7 has been a recognised security weak point in mobile networks since 2014, and there are third-party firewalls available to prevent these attacks and protect mobile subscribers. So why have few mobile networks deployed them when they have a clear responsibility to protect their subscribers? Could it be that, as an SS7 firewall increases cost without increasing revenue, there is a degree of complacency here amongst hard-pressed operators? Should the regulators therefore be stepping in on behalf of the victims, or will the mobile consumer become aware and churn to protected networks?
How was it achieved? – the Dummies guide to SS7 hacking
For the technically minded, let’s look at how this attack was conducted. The objective was to intercept the 2FA (two factor authentication) code sent to the customer by the bank. This is a one-time authorisation code sent to the customer’s previously nominated mobile. The process is designed to confirm that the genuine customer is in control of the proposed transaction, and it forms the final part of the security process in most payment transactions.
Prior to hacking the mobile network, the criminals had first collected the victims’ bank account balances, login details and passwords, together with their mobile numbers, by spamming malware onto the victims’ personal computers. All they then had to do was initiate the transactions and intercept the all-important 2FA codes.
So they then hacked into Telefonica’s signalling system and updated the profiles of all the targeted mobile subscribers, specifically their location in the Mobile Operator’s Home Location Register (HLR), making the Mobile Network Operator (MNO) direct messages to the fraudsters rather than to the devices belonging to the genuine subscribers. With fraudulent transactions initiated, the 2FA codes were then sent straight to the criminals, who were then able to complete the payments. In technical terms, this was done by mimicking the ‘UpdateLocation’ SS7 procedure in order to substitute the current serving Mobile Switching Center (MSC) information with that of the attacker’s MSC.
How might it have been prevented – with an SS7 firewall like HAUD
A comprehensive Signalling Firewall such as HAUD would have prevented this fraud first and foremost by hiding the Mobile Subscribers’ identities. This is achieved using the enforced Home Routing mechanism, where the International Mobile Subscriber Identity (IMSI) is masked with a virtual, temporary one. The IMSI is a mandatory parameter for SS7 modification commands such as ‘UpdateLocation’, so an attacker who never learns the real IMSI cannot issue them against the subscriber. In addition to this, an SS7 Firewall such as HAUD also provides a mechanism to verify that requests are originating from the real and actual location of the subscribers.
What else could happen to subscribers on an unprotected network? – Lots
If banking fraud is not enough to worry about, the dangers are widespread and without effective protection subscribers are at risk of many types of fraud including:
- Retrieval of identity information and location etc.
- Interception of incoming and outgoing mobile calls
- Manipulation of supplementary services (e.g. Unstructured Supplementary Service Data – USSD, which is used by various operators to perform billing and financial transactions)
- Disruption of service
The crucial item of information that an attacker needs to perform these types of hacks is the International Mobile Subscriber Identity (IMSI), which is a number that uniquely identifies every individual SIM card that exists on the GSM network. There are several methods by which an attacker can get access to an IMSI. Several involve the use of network messages in illicit ways that would not be seen during normal network operation. Some messages are only intended to be used within an operator’s network; others are intended to be exchanged exclusively between roaming subscribers and their corresponding home network. Many of these message types can be abused and IMSI information obtained. Any good SS7 firewall will tightly control and validate the use of these network messages so as to prevent an attacker getting hold of IMSI information.
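A simplified model of the firewall behaviour described in the two passages above (IMSI masking under home routing plus location verification, and control of message types by origin), added here as an illustration and not HAUD's or any operator's implementation. The prefixes, identities, the internal-only operation set and the travel threshold are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Every value below is constructed for illustration; none comes from a real network.
HOME_PREFIX = "99901"                      # global-title prefix of the home network
PARTNER_PREFIXES = ("99902", "99903")      # roaming partners allowed to send UpdateLocation
INTERNAL_ONLY = {"anyTimeInterrogation", "sendIMSI"}  # assumed policy: intra-network only
MASK_KEY = b"constructed-demo-key"
MIN_TRAVEL_SECONDS = 3600                  # shortest plausible move from home to abroad
REAL_IMSI = "001010000000001"              # test-network IMSI
DIRECTORY = {"99901000001": REAL_IMSI}     # MSISDN -> real IMSI
LAST_SEEN_HOME = {REAL_IMSI: 10_000}       # real IMSI -> last time seen on the home network

@dataclass
class Msg:
    op: str             # MAP operation name
    origin_gt: str      # calling global title
    ts: int = 0         # arrival time in seconds
    msisdn: str = ""
    imsi: str = ""

def mask_imsi(imsi: str, epoch: int) -> str:
    """Temporary alias: keeps MCC/MNC (first 5 digits), replaces the subscriber part."""
    digest = hmac.new(MASK_KEY, f"{imsi}:{epoch}".encode(), hashlib.sha256).hexdigest()
    return imsi[:5] + str(int(digest, 16))[-10:]

def check(m: Msg) -> str:
    if m.origin_gt.startswith(HOME_PREFIX):
        return "ALLOW"
    if m.op in INTERNAL_ONLY:
        return "BLOCK internal-only operation from external origin"
    if m.op == "sendRoutingInfoForSM":     # home routing: never expose the real IMSI
        return "ANSWER " + mask_imsi(DIRECTORY[m.msisdn], m.ts // 3600)
    if m.op != "updateLocation":
        return "BLOCK operation not permitted from external origin"
    if not m.origin_gt.startswith(PARTNER_PREFIXES):
        return "BLOCK origin is not a roaming partner"
    if m.imsi not in LAST_SEEN_HOME:       # a masked alias ends up here
        return "BLOCK IMSI is not a real subscriber identity"
    if m.ts - LAST_SEEN_HOME[m.imsi] < MIN_TRAVEL_SECONDS:
        return "BLOCK location change is implausible"
    return "ALLOW"

def demo():
    alias = check(Msg("sendRoutingInfoForSM", "88800001", 10_100, msisdn="99901000001"))[7:]
    def ul(imsi, ts):
        return check(Msg("updateLocation", "99902001", ts, imsi=imsi))
    return alias, ul(alias, 10_200), ul(REAL_IMSI, 10_200), ul(REAL_IMSI, 90_000)
```

A production firewall would not trust the calling global title alone to decide that a message is internal; the prefix test stands in for that origin validation here.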
The industry needs to act – solutions are available
Mobile network operators must act now to stop this highly preventable crime; it is their responsibility. The success of the O2-Telefonica attack will attract the interest of other criminal gangs, and the hundreds of mobile networks around the world without SS7 firewalls are wide open to attack, so stand by for further news headlines and a better informed mobile consumer. Operator priorities will inevitably place emphasis on revenue-generating and cost-cutting projects, which pushes other projects lower down the list, and in this case that has been demonstrated over the last few years since SS7 was highlighted as an issue. The cost of not protecting against SS7 hacking will be seen in some quarters as indirect or not an immediate problem, but it will be too late to do anything about it when subscribers start churning to neighbouring, protected networks. To date, levels of consumer trust have been remarkably high as we increasingly depend on our mobile devices for running every aspect of our lives, but this trust is largely based on ignorance of the degree of risk we are exposed to. This will change with growing consumer awareness, and headlines like this week’s will only accelerate that process.
There are several good SS7 firewalls on the market including HAUD so there are no excuses for waiting any longer.