A previously-known security vulnerability in Signaling System 7 (SS7), the protocol that governs how mobile phones exchange calls and text messages worldwide, has been exploited by hackers to infiltrate the bank accounts of European victims, it has been revealed.
For years, SS7, or Common Channel Interoffice Signaling 7 (CCIS7) in the UK, has been open to hacking. If accessed, the global networking protocol can give hackers (and governments) the ability to snoop on text messages, listen to phone calls and track users' locations.
Now, according to German newspaper Süddeutsche Zeitung, the worst fears of the security community have come true. In mid-January 2017, it reported, hackers exploited SS7 to circumvent multi-factor authentication that banks were using to protect customers' online accounts.
Using the flaw in a two-step cyberattack, cyber-thieves were able to intercept SMS messages containing crucial passwords the banks were sending to customers.
Süddeutsche Zeitung found that accounts were drained, but the identities of the victimised banks - and the amount of cash stolen - remain unclear.
Multiple sources provided Süddeutsche Zeitung insight into the attacks, while O2-Telefonica, one of the impacted mobile firms, confirmed the incident took place.
"Criminals carried out an attack from the network of a foreign [mobile] provider in mid-January," a representative with Germany's O2-Telefonica said, adding: "The unauthorised attack redirected incoming SMS messages for selected German customers to the attackers."
The attack was two-fold. First, the hackers used phishing tactics and malware to access account numbers, passwords and balances. Then, they were able to use the bug in the SS7 network to redirect authorisation text messages to separate mobile devices before logging in.
"This incident is a sharp wake-up call," said Michael Downs, director of telecoms security at Positive Technologies.
"It is a sign that it's getting easier for attackers, motivated by greed and nefarious intent, to access once closed parts of the global mobile infrastructure to not only steal money, but also track location, eavesdrop on private communications and even take down entire areas," he added.
"While no-one denied vulnerabilities existed, the sector believed the risk was minimal," he continued. "However, as this incident shows, they clearly open mobile users up to the same kind of mass cybercrime problem that internet users have suffered from for years."
Downs warned the protocol that runs 4G, and potentially future 5G networks, may also be at risk.
"It is similarly vulnerable despite being designed as a platform for thousands of emerging IoT applications – from cars to connected cities. Networks must accept the threat, educate themselves [...] and move to monitor and neutralise the problem. If they don't, the brave new future where everything is connected, will suffer."
The security gaps in SS7 have been known for years, first being shown off by security experts including German hacker Karsten Nohl. In one famous demonstration last year, Nohl illustrated the scope of the hack by testing it on US politician Ted Lieu during a segment on 60 Minutes.
The hackers tracked his location, spied on calls and listened to conversations – all with just a phone number. "Mobile networks are the only place in which this problem can be solved. There is no global policing of SS7. Each network has to move to protect their customers," he said at the time.
It remains to be seen if this fresh SS7 incident will be the much-needed catalyst for change.