SS7 Network Vulnerabilities Big Business

FrgMstr

Issues surrounding SS7 network vulnerabilities are nothing new, but it seems as though using these holes for tracking smartphones is getting to be big business around the world. These companies are selling location services. Last month it was discussed how SS7 network vulnerabilities were being used to access bank accounts even when 2FA is enabled. All this probably equates to one more good reason to not do your banking on your cell phone.


On Thursday the Federal Communications Commission encouraged service providers to implement security measures to counter the exploitation of SS7. The measures are voluntary, however. (A lobby group representing AT&T, T-Mobile and other telecom companies recently pushed back against Homeland Security’s call for greater regulation of this area).
“Protection is still lacking in most places,” Nohl said.
So, for the time being, SS7 remains wide open for surveillance companies to tap and use to spy.
 
That was a little hard to read.

I do all my banking in person!
 
Hackers first sent malicious software to victims' computers, which stole the bank account balance, login details and passwords for their accounts, along with their mobile numbers.
Then they purchased access to a rogue telecommunications provider and redirected the victim's mobile phone number to a handset device controlled by them.
The next step is usually in the middle of the night when the victim is sleeping. Hackers then log into target bank account and transfer the money.

So they have to hack your computer 1st and steal your account/password and then connect this information to your cell phone number.

This is why I still have a land line and have my accounts connected to it. Old school protection.
 
Yeah, the bigger part of the problem is that the old-school telco guys who built and maintain the telephony systems have no clue or idea how to secure or implement their new-ish IP-based SS7 platforms. Because it's TDM they don't know IP data, so they don't ask. In the old days, SS7 links required physical point-to-point, so the issues that are present now did not exist.

So they have to hack your computer 1st and steal your account/password and then connect this information to your cell phone number.

This is why I still have a land line and have my accounts connected to it. Old school protection.

No, the vulnerability still exists with landline as well. You just need a backdoor into the SS7 network and you can potentially get calls redirected (for that sweet sweet 2 stage authenticator).

Basically, think of the SS7 network as DNS and Routing protocols all rolled up into one thing, except for telephone calls.
 
Even landlines won't help much. Most landline calls become IP-based packets at some point. Most cell phone calls become landline IP packets at the cell tower. Most IP standards were designed in an era where we thought the Internet would be a friendly place. Basically, we're boned until we can implement a protocol designed with security as one of the prime concerns.
 
I remember seeing an interview with either the new CIA director or DHS director and they were asked what one thing they would avoid because of privacy matters and they immediately answered they would never do any banking online period.
 