SMS Two Factor Authentication is convenient but not secure

You are probably a user of SMS Two Factor Authentication (2FA). The idea of 2FA is to use multiple “factors” to prove you are indeed who you claim to be. The factors are what you know (password), what you have (e.g. phone), what you are (biometrics such as fingerprint, iris, voice etc). An attacker needs to defeat every factor to impersonate the client.

You log into your DBS bank website, and the bank sends your phone an SMS passcode. You change or reset your Apple ID password, and Apple sends you an SMS verification code. SMS for 2FA is used by Google, Yahoo, Amazon and almost everybody who cares about security.

SMS 2FA is popular because everybody who does online transactions has a phone, and it is quicker than using a security token. We have come to trust SMS 2FA. You think “Even if my computer or phone has malware (e.g. keyloggers that steal passwords), the hacker is still unlikely to get my SMS code”.

Sadly, this is no longer true, in light of recent security developments.

If your password is not secure because of device malware (or via HTTPS man-in-the-middle, as in my last post), and your SMS messages can be obtained by an attacker, then the attacker can access your bank account and lock you out of your email, Facebook etc, among other mischief.

Below is a discussion of known techniques that an attacker can use to obtain the SMS passcode.

1. SS7 Vulnerabilities

Signalling System 7 (SS7) is the global network that telcos such as Singtel and AT&T use to pass mobile/phone traffic to one another. It is what enables a subscriber of Singtel to call or SMS a subscriber of Starhub, and it enables global roaming. SS7 is separate from the internet, though a telco may own both SS7 and internet infrastructure. The problem with SS7 is the same problem the internet has: it was conceived in the days when there were few operators, everybody trusted everybody (not true today!), and security was not a design requirement. Naturally the SS7 protocols contain various vulnerabilities.

State actors (government-sponsored hackers) have probably been aware of these SS7 vulnerabilities for a long time, but it was only recently that such vulnerabilities came to public attention, through the efforts of researchers such as Tobias Engel.

Essentially, SS7 allows any attacker with access to the network to send your telco a legitimate-looking request that forwards your SMS to the attacker’s phone.

An attacker can gain access to the SS7 network in the first place either by paying for it from any telco provider in the world (SMS gateway providers pay for the same kind of access; apparently it can be as cheap as a few hundred euros per month), or by hacking the telco’s mobile infrastructure (see the Regin malware later).

The problem with SS7 vulnerabilities is that they are due to a system-wide lack of protocol security. Even if the telco found a way to detect or patch a particular attack, I suspect an attacker can find another way to achieve the same ends. SS7 is slowly being replaced by LTE’s Diameter protocol, but Diameter apparently inherited many of the same design flaws.

See Tobias Engel’s presentation at Chaos Conference 31 (Dec 2014) on SS7 vulnerabilities.

Another link on the SS7 attacks:

http://www.theregister.co.uk/2014/12/26/ss7_attacks/

2. Hacking the telco infrastructure

Can the attacker hack the telco infrastructure and gain access to various components in the mobile network, such as the mobile switching center (MSC) or even the base transceiver stations (BTS)?

Well, it has been done already, though it is probably state actors that are responsible. For example, the Regin malware gained access to telcos in the Middle East.

http://www.securityweek.com/regin-attack-platform-targeted-gsm-networks

http://www.wired.com/2014/11/mysteries-of-the-malware-regin/

Thanks to Snowden again, we know the British government allegedly gained access to the telco Belgacom, through a combination of sophisticated reconnaissance, hijacked tier 1 routers, HTTPS man-in-the-middle and phishing.

https://firstlook.org/theintercept/2014/12/13/belgacom-hack-gchq-inside-story/

With access to the telco infrastructure, it is easy to read SMS, set up SMS forwarding and so on, and then erase the log traces afterwards.

Invasion of privacy aside, state actors are unlikely to be interested in your bank account (unless you are a terrorist). The worry here is that criminal organisations and perhaps even hacktivists will be able to do the same after a while. Sure, criminals and hacktivists may take a few years to catch up, but unfortunately telecom infrastructure is capital intensive and it is not upgraded often.

There is also an interesting case of hacking equipment that you buy or rent from the telco. In this case, one can buy a signal booster from Verizon that can be hacked to allow call/SMS intercepts.

http://www.reuters.com/article/2013/07/15/verizon-hacking-idUSL1N0FL08620130715

3. Rogue Cell Tower aka IMSI-Catcher

This attack requires the attacker to be in the vicinity of the victim. The attacker sets up a rogue base transceiver station (BTS), aka cell tower. The hardware can cost as little as US$1500, and it is getting cheaper every day. There is even an open source project (OpenBTS) for the software needed.

If the signal received by the victim’s phone is strong enough, and if the user has set the phone to automatic network selection (which is the default), the phone will connect to the rogue cell tower. There are likely to be only a few telco operators in a given area, so even if some users configure a fixed network operator, the attacker can just impersonate the most popular telco and get a stream of victims.

So say there is already a Singtel cell tower in my area. If a rogue cell tower broadcasts itself as a Singtel BTS, and its signal is strong enough, my phone will connect to the rogue cell tower. This problem exists because the cell tower does not need to authenticate itself to the phone.

The rogue cell tower relays the victim’s calls/SMS to the real mobile network. The attack does not stop here, however. As 3G/4G traffic is encrypted, the rogue cell tower forces the victim’s phone to downgrade the connection to 2G, aka GSM. In GSM mode, the rogue cell tower may set encryption to off. Even if it is not turned off, GSM encryption can be routinely cracked on a notebook today. With weak or no encryption, all calls and SMS can be intercepted and decoded. The rogue cell tower has now become a man-in-the-middle, capable of receiving incoming SMS/calls on the victim’s behalf.

This attack has been occurring for some time. Recently, rogue cell towers have been found in the area around Norway’s Parliament and also in Washington.

http://www.aftenposten.no/nyheter/iriks/Secret-surveillance-of-Norways-leaders-detected-7825278.html

http://www.washingtonpost.com/world/national-security/researchers-try-to-pull-back-curtain-on-surveillance-efforts-in-washington/2014/09/17/f8c1f590-3e81-11e4-b03f-de718edeb92f_story.html

IMSI-Catcher Catcher paper (Dabrowski et al., ACSAC 2014): DabrowskiEtAl-IMSI-Catcher-Catcher-ACSAC2014.pdf

The link below explains how GSM can be routinely cracked, from researcher Karsten Nohl, who first brought it to the world’s attention:

https://srlabs.de/decrypting_gsm/

How small can a rogue cell tower be? The Ettus USRP software defined radio is a popular hardware platform. The attacker can hide equipment like this in many places …

[Image: USRP-based rogue cell tower hardware. Source: http://www.uwicore.umh.es/]

4. Hacking SMS Gateway Service Providers

Lastly, DBS, Yahoo and Google are unlikely to own their SMS gateways (well, Google maybe). They are likely to buy the services of third party SMS gateway vendors. These providers offer an API (Application Programming Interface) over the internet for their customers’ code to call.

How secure are these third party vendors? Are they already compromised? Several recent high-profile security breaches occurred not because of vulnerabilities in the victim company, but because of vulnerabilities in the company’s vendors. For example, there was customer data theft from StanChart Singapore via its Fuji Xerox printer vendor. The recent data theft at retailer Target occurred because an attacker gained access into Target via one of its vendors.

An attacker with access into an SMS gateway provider has access to all SMS that a company sends through it.

Mitigations

1. Use Google Authenticator App or similar

People like using SMS 2FA because the phone is always around. Security tokens offer the best security, but the customer may misplace one, and certainly the customer will not carry 3-5 different security tokens (different banks, credit cards, Amazon etc) around wherever he/she goes. So the best solution is something like the free Google Authenticator app. A company can replace SMS 2FA with Google Authenticator (which is already an option offered by Amazon and other online services) or have its own app that does the same thing (banks already have banking apps, so it is not difficult to build the functionality in).

2. Improve SS7 posture

I think telcos can go a long way towards monitoring and stopping attacks in SS7. Having said this, this will probably be an expensive investment, which telcos may not be motivated to spend on, and the problem with SS7 is one of fundamental design, which means it may be an endless patch.

3. Vet your SMS gateway vendors

Ask for security audits, call in the pen testers, ask about security defenses and network activity monitoring within the vendor, etc. Third party vendors are an extension of your company as far as security and data risks are concerned, so they should be treated as such.

4. Use biometrics

Looking forward, there are some developments in user-friendly biometrics. The iPhone and Samsung fingerprint sensors, if implemented properly, are a wonderful authentication mechanism. There is also a new startup that uses a “live” photo capture of your face for user authentication. These can be used to replace SMS 2FA or be used in a “three factor authentication”: password + Google Authenticator or similar + fingerprint/biometric.