32 comments

[ 3.0 ms ] story [ 70.4 ms ] thread
There's so many fun things you can do w/ telecom networks that it's a bit sad to see the phreaking community dead nowadays or relegated to just "modifying" roms.

You could enable any phone to be a receiver for SMS and literally see the network traffic around you on the SMS paging channel. The phone real time operating system actually discards messages that do not match your number (to put it very very high level.)

https://silo.tips/download/exploiting-open-functionality-in-...

Also, great reads if you can find them: Qualcomm standard PDF's.

For GSM simply receiving everything on PCH does not buy you much, because even ignoring encryption (IIRC even PCH is encrypted) most of traffic there is simply RR sublayer signaling (RR PAGING REQUEST and RR IMMEDIATE ASSIGNMENT messages and nothing much else).

What the linked presentation describes is somewhat obvious DoS attack on the infrastructure that depends on ability to cheaply inject larger number of SM-MT messages into the network which authors assume will exhaust the downlink capacity of the network. My assumption is that in such case the first resource that will actually get exhausted is uplink capacity of RACH as the paged MS will attempt to allocate SDCCH in order to complete the paging procedure. I also assume that any currently deployed implementation of GSM has reasonable enough QoS implementation that this cannot happen in practice (especially in relation SMS because various SMS-related accidental RR exhaustions were somewhat common in early implementations). By the way nothing prevents you from causing cell-level DoS of similar type by simply spamming the RACH (except the fact that your local equivalent of FCC will be very unhappy and will be knocking on your door in surprisingly short time).

"You could enable any phone to be a receiver for SMS and literally see the network traffic around you on the SMS paging channel. The phone real time operating system actually discards messages that do not match your number ..."

This is literally true, and actually, you can do it with an SDR device and the GNURadio liveCD.

However, this data will all be encrypted. Even on 2G networks, you can't just camp at a cellular base station and watch SMS fly by ...

At least from my point-of-view a lot of these activities went away as the feds started clamping down. When you can get a prison sentence for serializing URLs it just doesn't make sense to risk it anymore.
For me the lightbulb went off in college with NIS and NFS when I realized the network expects me to tell it my user name so I can mount my home directory. Before that point I thought of these systems as well designed, unhackable things - after all, they had real multitasking right? Not like the dinky DOS machines I grew up with. But after that point the veil was lifted. And the older/more legacy a system was the worse it was.
> "In the case of stealing money from bank accounts, a hacker would typically first need a target’s online banking username and password. Perhaps they could obtain this by phishing the target. Then, once logged in, the bank may ask for confirmation of the transfer by sending the account owner a verification code in a text message. With SS7, the hackers can intercept this text and enter it themselves. Exploiting SS7 in this way is a way to circumvent the protections of two-factor authentication, where a system not only requires a password, but something else too, such as an extra code."

While SS7 does seem like a problem, I think the bigger issue is using SMS for 2FA.

Banks with local branch offices are especially well placed to do better. They can offer Yubikey to their customers, and also since they can see customers in person, they have a way to provision new ones if an old one gets lost (customer comes in and shows government ID, etc).

>While SS7 does seem like a problem, I think the bigger issue is using SMS for 2FA.

These are banks. It took them over a decade to only finally implement SMS 2FA. It'll be another 2 before they implement U2F or TOTP.

Actually, shockingly, Vanguard offers U2F support which is quite the minority for financial firms :D

Meanwhile american express still makes passwords case insensitive AND trims the fucking lengths behind the scenes.

These are US Banks.

In the meantime, I have been banking with a 'calculator' for over 15 years which accepts my bank card, I enter the PIN and it spits out a code.

Same, except rather than "typing in the challenge number" it has an image sensor that I point at my bank's login page after typing in my account and card number, because it generates a 50x50 RGB challenge image.
I have one of those too ( different bank ) and it sucks because it does not play well with F.lux.
If you've got a keyboard, I believe you can use Alt+End to temporarily disable f.lux, rather than having to clicky-click-click through the taskbar menus. Doesn't work on a laptop, though. (Might only work on Windows as well.)
> These are banks. It took them over a decade to only finally implement SMS 2FA.

A lot of the slowness is driven by regulation and especially the slow decision-making that leads up to regulation.

In the UK for example, I cannot think of a single bank that uses SMS as a 2FA channel for internet banking.

Some card providers (Amex for instance) do currently provide one time codes for card purchases via SMS, in an attempt to be compliant with PSD2’s Strong Customer Authentication (SCA) rules, but I suspect this’ll change soon because the EBA has already indicated that SMS based SCA is not acceptable[1].

It’s worth remembering that ultimately, SCA or not, banks and do bear liability for fraud not due to the customer’s negligence (in the UK at least), so that’s the ultimate backstop to whatever tech they choose to deploy.

[1] https://www.ensygnia.com/blog/2019/7/11/sca-otc-not-ok-says-...

Slowness is not an excuse if you're going in the wrong direction. SMS "2FA" is a crutch that has allowed the banks to limp along with their antiquated security model still based around the concept of trusting people who physically show up at a branch. Banks should have never implemented SMS "2FA". If a system cannot provide a security guarantee, you don't implement it anyway and then pretend that it does.
Back over ten years ago when my bank first supported 2FA via SMS, SS7 attacks were something for professionals/nation states only. These days it's commoditized, that is what changed.
This sounds akin to the handwaving of "that exploit is only hypothetical" that necessitated full disclosure.

The eventual democratization of SS7-based attacks was entirely foreseeable. If I were to use plaintext http to access a bank website today, I would be reasonably confident that there would be no immediate problem. But given a year or two of this practice being normalized, the market would find ways to infiltrate consumer ISPs, the bank's upstream, hijack routing prefixes and DNS, etc. And what are text messages but a similar non-e2e protocol? The chief difficulty seems to be that telco standards are hidden away and obscured by horrible complexity, rather than being published as straightforward RFCs.

Ten years ago I was working in that industry and it was already known the attacks are plausible even for not particularly resourceful attackers, because it’s already been done.
What about just plain old social engineering? Get a hold of someones phone, and that 2 factor authentication becomes 1 factor. This sort of thing is not that hard in a world where college students routinely leave all their crap out in the library.

Duo and all the other 2 factor methods are such jokes. I worked in a hospital that used duo for everything from logging into your workstation to accessing the intranet. Many people had duo set to call their office phone 6 inches from their computer. All someone would have to do is sit down in that desk for 10 minutes, lift the handset and press '1,' and have a field day on protected patient data.

Google uses Vanguard for its retirement plans, and I suspect (but don't know for sure) that they may have leaned on Vanguard to implement U2F.
Should probably add a (2019) tag. This isn't exactly recent
Much of the 5G progress happens in the core network and network interconnects.

As far as I remember, there will be some sort of "layered" encryption. The innermost layer is the user's payload, end-to-end encrypted between operators. Each service provider (responsible for transporting the data) adds patches with modifications and a signature by the service provider.

Not sure if that actually made it into the standard yet. I think the motivation is that roaming requires cost-effective routing, fraud detection,.. so there's a whole business ecosystem around that.

Long story short: I think people are working on this

> Much of the 5G progress happens in the core network and network interconnects.

It's a bit silly to wait for a completely different radio transport before thinking of carrier and backhaul improvements, which are almost completely orthogonal.

> Long story short: I think people are working on this

Given the specifics of the sorts of flaws in these network standards, it's hard to come away feeling that they were anything short of intentional. I get the impression that “working on it” more or less amounts to improving plausible deniability by making the backdoors less obvious.

> It's a bit silly to wait for a completely different radio transport before thinking of carrier and backhaul improvements, which are almost completely orthogonal.

Development on radio access and core network does indeed happen in parallel, and as far as I know, the core network overhaul was not delayed to wait for the radio-layer.

But marketing-wise, the radio-layer is what makes the phone show a 5G icon.

Telecoms are not hardened against phishing attacks and are some of the dinosaur centric industries. Please, and I ask very nicely, if you work for a tech company, do everything you can to fight implementing SMS as an authentication factor. It not private, nor authenticated, has no delivery guarantees, easily spoofed, easily intercepted, and easily forged.

One only has to look at Jack Dorsey getting jacked to prove this is an inevitability for every single one of your users.

SS7's security model is basically the same as BGP. Peers assume they can trust one another. The cost for entry here in Canada is about $50,000. Pay that to the incumbent telco and you can basically have an SS7 connection of your very own, and announce cell phone numbers to the rest of the world.

Electronic Funds Transfer is similarly based on trust. I can withdraw funds from any bank account just by knowing the account number. The only incentive is that you don't want to lose your account, but once you've been through the process of setting things up, it's quite easy to see how the system could be gamed.

Maybe someday we'll be able to trust the underlying protocols our lives are built on top of.