August 31, 2021

Secrets Behind SMS 2FA


Everything Sounds Peace and Fine

Because of the rising threat of cyber incidents, people are now more likely to set up security measures to raise the security level of their computers. This forces attackers to spend more time and tooling to break in; sometimes they simply give up and move on to the next target. It is good news that people are becoming aware of cyber incidents, but some treat these security measures as a cure-all pill, which is a mistake. While you are using your laptop or desktop to invest in stocks or digital currency and waiting for the returns, attackers are already outside the "wall" trying to compromise your account or device.

2FA, two-factor authentication, is now common sense for users; out of fear of cyber incidents, people no longer treat it as a waste of time. Common 2FA methods include email verification, SMS one-time password (OTP) verification, and verification codes generated by a dedicated application. SMS 2FA in particular is often considered the safest option for login security, since it is difficult for an attacker to intercept an SMS. But difficult does not mean impossible: instead of attacking the victim's phone, attackers target a weakness in the SMS center itself.

A person may have their email connected to several devices at the same time, which makes it much easier to compromise, whereas an SMS is delivered only to your phone number.

SS7 Vulnerability

SS7 is the signalling protocol that lets a sender's network route a message to the receiver. Let's break down how it works in plain language instead of a pile of technical detail.

How does the sender know where I am?

It is impossible for a sender to deliver a message to you without knowing where you are. Yet whether you are in your office or sitting on the toilet, the SMS always reaches your phone. How? Because your phone is constantly telling the SMS center where you are. As long as your phone periodically registers its location with the SMS center, you never miss an important message.

But as long as the phone is next to me, isn't that safe enough?

This is the problem: the SS7 protocol does not verify the identity of the party performing the registration. Because the location registration service is not permanently connected to the SMS center, there is always a gap between registration periods.

The attacker impersonates the victim using the SAME PHONE NUMBER and tells the SMS center where the "user" (now really the attacker) is located, so the SMS center redirects the SMS to the attacker instead of the victim. In this way the attacker can try to log in to the victim's account: crack the account's credentials, hijack the SMS, and complete the login.

Won't it cause an error when the same phone number registers at two different locations?

Actually, no. The SMS center processes requests as a queue, so for a very short period the registered location is switched to the attacker's location to receive the SMS, then switched back once the attack has been launched. The victim cannot receive SMS messages during that window, but it is short enough that the victim will hardly notice.

Which platforms are targeted by this vulnerability?

Since SS7 is a widely adopted protocol, it doesn't matter which service you use; what matters is the telecom operator. So EVERY service that adopts SMS 2FA is a potential target for 2FA bypass.

According to some reports, attackers can bypass SMS 2FA on WhatsApp/Telegram, Facebook/Instagram, Gmail, and other services that rely on it.

The "where you are" mechanism is itself considered a vulnerability. In 2014, it was reported that attackers could track down a victim's location with a 70% success rate via this protocol weakness. Please read this article to learn more.

How can I avoid being attacked?

Sadly, because the vulnerability lies with the telecom operator, there is no way for us to prevent this kind of attack outright. But there are still some measures that reduce the chance of being targeted.

First we need to know how much it costs to launch an attack...

According to our research, it costs at least 500 USD per phone number (and the access has an expiration time), so the attacker usually will not pick a victim at random but will target a juicy account.

Prevent at the Beginning!

Before an attacker can launch an SMS 2FA bypass, they need the victim's phone number in advance, which means users need to be very careful about sharing their phone number with services, institutions, or people.

Stronger Password Control

In the normal case, the attacker first needs to crack the service password in order to reach the 2FA verification phase. A strong password makes it harder for attackers to break into your account. For attackers, time is money; they won't waste time on things that take too long unless the target is valuable.

Another thing to keep in mind: do not use the same password on all service accounts, especially for email accounts or services that hold personal identity data. These services gather a great deal of confidential information that can give attackers clues for breaking into other accounts.

Adopt TOTP (if the service allows)

TOTP stands for Time-based One-Time Password. With SMS and similar methods the OTP is generated on the service's servers and delivered to the user, so it has a higher chance of being hijacked or intercepted. TOTP, on the other hand, is generated on the user's phone from a shared secret and the current time, and it rotates every short period. The attacker cannot bypass the 2FA check unless they obtain the user's phone or gain remote control of it via malware.

Several services already support it, such as Steam, Bitfinex, and Garena, but not all services do. Furthermore, it is less convenient for users, since they need to install an additional OTP generator and open that application every time they access the service.

Last resort... be aware of your new login notifications

Many services send an email to notify you of a new login. As long as the attacker has not also compromised your email account and logged out all your devices, this notification is always the last way to learn that an unknown device has logged in.

This mechanism is common across many services nowadays, especially email, banking, financial, and digital currency services. It can be annoying to receive this message every time you log in, but it will always warn you in case someone else logs in.

References

WhatsApp Encryption Rendered Ineffective by SS7 Vulnerabilities

https://www.ptsecurity.com/ww-en/about/news/whatsapp-encryption-rendered-ineffective-by-ss7-vulnerabilities/

A Step by Step Guide to SS7 Attacks

https://www.firstpoint-mg.com/blog/ss7-attack-guide/

Invasive phone tracking: New SS7 research blows the lid off mobile security

https://www.zdnet.com/article/invasive-phone-tracking-new-ss7-research-blows-the-lid-off-personal-security/

2FA/OTP Bypass

https://www.firstpoint-mg.com/blog/ss7-attack-guide/
