Back in 2014, the television program ran a report on a vulnerability in cell phone services that can allow hackers to access, and even text to and from, a smartphone.
Since at least that time, cell phone companies have known about that weakness in their SS7 system—but they haven’t done anything about it.
Using this vulnerability, hackers in Germany recently accessed people’s bank accounts directly from their phones—without even having to work enough to get through their computer security systems.
Other hacks have include intercepting text messages containing the second factor of two-factor authentication, allowing the hackers access to passwords and the ability to mimic users inside the user’s own systems.
There are a lot of other very bad things that have come out of the hacks using this vulnerability, but you get the point, hopefully.
Cell phones, in the sights of the wrong people, can be even more vulnerable to attack that a computer system—and, once the hacker is in a phone, those phones can lead right into the back door of any computer system.
What is SS7, you ask?
Signaling System Number Seven, or SS7, is the worldwide cell phone infrastructure that connects one cell network to another (it goes by different names in different countries). It is what allows you to receive text messages from any phone in the world at any place you are. The vulnerability that hackers have been exploiting for the last few years is “a feature, not a bug” of every cell phone service on the planet.
Numerous reports have found that the cell companies know about the vulnerability and have for years (allegedly) but (allegedly) refuse to fix it. This weakness is built in, and is actually the strength of the system—SS7 is designed to ease communications, so its settings automatically trust a request for communication from another source. While this open communication setup can be exploited by hackers, at the same time, the phone companies won’t close it, other than through some work-arounds, because closing that hole goes against the entire idea of the system.
That doesn’t help victims of these hacks.
In the German hack, the hackers obtained passwords and other information by intercepting text messages, and then used the SMS-based second factor of two-factor authentication to break into bank accounts.
This is different from, more dangerous than, and less detectible than regular “smishing,” which is the text message version of email phishing. In both of those cases, the advice is the same—don’t click on any links contained in emails or texts where you don’t know the sender, and immediately delete them and mark them as spam.
The SS7 vulnerability, however, is worse, because, by the time it’s been detected, it’s already too late.
The only real solution to this problem is for each smartphone owner to take responsibility for securing each individual phone, by using only private, app-based texting and then revoking the option for SMS two-factor and account recovery entirely.
Everybody with a smartphone needs to do this, and right now. Kimmell Cybersecurity can work with you to apply these security measures quickly and easily. Give us a call.