Cyber Threat 'Flash Report': SS7 Risks & Impacts

This 'Flash Report' article is an extract from the full “SS7 Risks & Impacts” technical report produced by the CI-ISAC National Intelligence Office (NIO) and made available to our membership.

Executive Summary

A collection of protocols called Signalling System 7, or “SS7”, is used by telecommunications networks to manage calls and messages. Mobile carriers employ SS7 to route calls and messages between mobile devices and create links with other networks. Numerous services, including call forwarding, roaming, and SMS messaging, are made possible through the SS7 protocol, a fundamental component that supports mobile devices.

SS7 attacks are significant because they exploit fundamental design flaws in the SS7 protocol to infiltrate and intercept voice and SMS communications on cellular networks. They resemble a Man in the Middle (MITM) attack, except that they target mobile phone communications rather than Wi-Fi transmissions. An attacker can overcome two-factor authentication and access the victim's account by intercepting an SMS verification code sent by a bank or service provider.

SS7 has been exploitable by sophisticated Threat Actors for several years; however, in recent months, commodity “hosted” services have appeared online, which make this capability available to anyone willing to pay for it. Attackers can initiate legitimate calls/SMSs from any mobile number, opening the door to social engineering, identity theft, financial fraud, and other nefarious acts.

Encrypted messaging/calling apps such as Signal, WhatsApp and FaceTime/iMessage are not susceptible to the SS7 interception method.

Risk Scenarios

With the volume of data breaches affecting Australian citizens in recent years, there is a high probability that a significant portion of the population’s mobile numbers has been leaked online. This, coupled with data leaks containing email/password combinations and extensive use of SMS as a 2nd factor of authentication, means organisations need to prioritise uplifts to address the threat.

Soft (Google Authenticator, MS Authenticator, etc) and hard (Yubikey, etc) tokens present a more robust second factor to harden authentication. However, one should remember the risk to recovery workflows. Many ‘soft’ tokens/services secured by MFA have a recovery option via SMS, which then opens up the same risk as SMS-based 2FA, depending on specific configurations.

In addition to the 2FA/MFA bypass risks, Threat Actors now have the ability to silently eavesdrop on calls made over regular cellular networks, which may provide them access to sensitive information depending on the conversation taking place. Executives and other senior stakeholders should be aware of this emergent risk and ensure any conversations of a business-sensitive nature are conducted via internal tooling or encrypted channels.

Finally, ‘SIM porting’ is a tactic used by cyber criminals to permanently move a user's phone number from one provider to another, with a view to intercepting calls and messages. By leveraging SS7, attackers have another tool in their arsenal to intercept confirmation calls and messages from the user's telco provider prior to a port taking place.

Mitigations:

Based on our technical analysis, the best course of action for individuals and organisations is to prioritise uplift initiatives to remove SMS-based authentication from their workflows. The SS7 exploits leverage a fundamental design limitation in the framework, and as such cannot be ‘patched’ as with many commodity vulnerabilities.

Good cyber hygiene, monitoring of suspicious access and enforcing multi-factor authentication that does not rely on insecure methods such as SMS are all proactive steps organisations can take in light of the increased risk being posed by the recent availability of SS7 exploits. Additional compensating controls such as anti-fraud detections, segmentation and environmental monitoring may also reduce the residual risk depending on the specific sector targeted.
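One way to act on the recovery-workflow caveat and the SMS-removal recommendation above is to audit an identity-provider enrolment export for carrier-delivered factors and recovery paths. This is an added example, not CI-ISAC tooling; the export schema, method names and severity weights are assumptions.

```python
# Constructed sample of an identity-provider enrolment export (hypothetical schema).
SAMPLE_EXPORT = [
    {"user": "alice", "factors": ["totp"], "recovery": ["sms"]},
    {"user": "bob", "factors": ["sms"], "recovery": ["email"]},
    {"user": "carol", "factors": ["fido2", "totp"], "recovery": ["backup_codes"]},
    {"user": "dave", "factors": ["fido2", "voice"], "recovery": []},
    {"user": "erin", "factors": [], "recovery": ["sms"]},
]

# Methods delivered over the carrier network, and so exposed to SS7 interception.
CARRIER_METHODS = {"sms", "voice"}

# Assumed weights for ordering remediation work; tune to your own risk model.
SEVERITY = {
    "carrier_only_factor": 3,       # every enrolled factor is SMS or voice
    "carrier_recovery_path": 2,     # strong factor can be reset via SMS or voice
    "carrier_factor_available": 1,  # SMS or voice enrolled beside a stronger factor
}

def audit_account(account):
    """Return the SS7-relevant findings for one account record."""
    factors = {f.lower() for f in account.get("factors", [])}
    recovery = {r.lower() for r in account.get("recovery", [])}
    findings = []
    # An empty factor set is not an SMS finding, so test for non-empty first.
    if factors and factors <= CARRIER_METHODS:
        findings.append("carrier_only_factor")
    elif factors & CARRIER_METHODS:
        findings.append("carrier_factor_available")
    if recovery & CARRIER_METHODS:
        findings.append("carrier_recovery_path")
    return findings

def audit(export):
    """Map each affected user to its findings; clean accounts are omitted."""
    report = {}
    for account in export:
        findings = audit_account(account)
        if findings:
            report[account["user"]] = findings
    return report

def remediation_queue(export):
    """Affected users, highest total severity first, ties broken by name."""
    report = audit(export)
    return sorted(report, key=lambda u: (-sum(SEVERITY[f] for f in report[u]), u))

if __name__ == "__main__":
    for user in remediation_queue(SAMPLE_EXPORT):
        print(user, audit(SAMPLE_EXPORT)[user])
```
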

Where possible, any communications (calls, texts) should be conducted via secured corporate platforms, and personal devices should use encrypted messaging applications such as Signal, iMessage or WhatsApp.

Conclusion:

Australia is not immune to the SS7 vulnerability, which is a global problem and presents a real and current risk to any organisation or individual relying on SMS-based authentication to secure their services. CI-ISAC’s National Intelligence Office has confirmed with a primary source that as of Feb '23, SS7 is exploitable in Australia. The availability of services enabling this exploit means that security leaders should prioritise efforts to understand the implications for their own systems ahead of an SS7-related incident occurring.

‘Forewarned is Forearmed’, and by joining a trusted cyber community of Critical Infrastructure owners and operators responsible for protecting their assets, you can join the movement to share contextual intelligence and proactively approach cyber defence. Cyber threat activity shared into the CI-ISAC ecosystem by one member has the potential to help others across the sector and the broader CI community stop similar attacks before they impact operations.

CI-ISAC is a not-for-profit, member-driven organisation with a mission to serve its members, and in turn their customers, by building a trusted community, leveraging the best technology in its intelligence platform, and drawing on resources and resilience through its industry peer-to-peer network to anticipate, mitigate, and respond to cyber threats.

More information on CI-ISAC's sovereign intelligence-sharing capability can be found on the official website: https://www.ci-isac.com.au, or by emailing [email protected].
