O2 Germany SS7 hack – what’s the big deal?

Well, O2 Germany recently announced that hackers, using the mobile network's SS7 protocol, successfully attacked German banks. The same attack could happen to any bank using any mobile network in any country. Scary stuff!

What is SS7?

The Signalling System No. 7 (SS7) is a very old and complicated technology which was designed to do telecom "stuff". When it was developed in 1975, people carried cash in their pockets, and a bank had a strong wooden front door and a big safe to hold its money. Signatures and identity papers were still usable forms of ID, but even though ID was available, it was largely unnecessary as everyone knew their local bank manager. Robbing a bank involved guns, balaclavas and a fast car.

It would be another 6 years before the Internet Protocol (IPv4) was defined, 14 years before Tim Berners-Lee would invent the Internet (or was it Al Gore?!) and over 35 years before the first mobile banking apps appeared. SS7 has been the workhorse of the telecom industry for decades, enabling telecom exchanges to inter-work to power our phone calls, SMS messages and, later, mobile data.

Is SS7 secure?

Yes, for what it was intended. But telecom operators are no longer closed systems. While access is still somewhat restricted, it's relatively easy to gain access to an open SS7 connection. And that's the problem: SS7 signals drive and control the telecom world, but SS7 is really bad at restricting who or what can send control signals into a mobile network.

As a result, a hacker with an open SS7 connection has the power to control critical functionality within a mobile network from halfway around the world.

Can SS7 security be improved?

Sure, there are some limited SS7 firewalls which mobile operators can deploy, but they can be challenging to implement. For example, the O2 Germany hack spoofed the functionality used when customers roam onto a foreign mobile network. Any SS7 firewall blocking this type of functionality would likely cause problems for the network's customers when they tried to roam abroad.

The good news is that SS7 is slowly becoming redundant as newer protocols are introduced with 3G, 4G and now 5G. Unfortunately, operators need to maintain the existing SS7 functionality or things will just break, so SS7 won't be going away any time soon.

Why is this suddenly a problem?

Security experts have warned for years that SS7 could be exploited to seriously compromise a bank's network. Until now, compromising SS7 was only of interest to security services or nerdy hackers showing off their technical prowess. But that all changed when banks began to involve mobile phones in banking services.

As a result, organised crime invested billions looking for new ways to rob banks and their customers. Unofficial reports suggest over 80% of smartphones are infected with malware, much of which is focused on compromising banking and payment services.

The recent smartphone malware explosion and the SS7 attacks are not a coincidence. It's less than 2½ years since the launch of one particular mobile payment service, and the surge in mobile banking over this time means over 70% of customers now use their phone to bank. But hackers have a development cycle too: it takes around 2 years to design, build and perfect any software, including a good mobile banking virus or SS7 attack. Add six months to plan and execute the robbery…

So the cat's out of the bag – what does this mean?

Without getting too technical, it's a relatively trivial exercise (1 download, a YouTube video and a bit of research) to:

  • redirect or listen in on phone calls
  • redirect or read SMS messages
  • and, I believe, with a little more work, intercept and manipulate mobile data, such as the data from a smartphone banking or social network app.

Be concerned. A disgruntled ex can now watch a video to learn how to stalk their former partner. Unethical newspapers could listen in on sensitive Brexit negotiators' phone calls or access someone's tax returns online. It has become a relatively trivial exercise to hack major social networks, email services, popular mobile messaging apps, picture-sharing services and many of our favourite online services.

Some of the fraud checks banks rely on are now void. For example, banks sometimes check the location of a cardholder's mobile to confirm the phone is in the same country as the credit card purchase.

Make no mistake, the penny is finally starting to drop that this is one of the biggest vulnerabilities the Internet has ever seen.

Implications for business

Aside from losing millions and facing a customer backlash, businesses operating in the European Union face a mammoth ~13-month headache to fix their security for compliance with:

  • GDPR (fines up to €20m or 4% of global revenue)
  • The Network and Information Security (NIS) Directive (fines up to €10m or 2% of global revenue)
  • The Payment Services Directive 2 (PSD2)

Can this be fixed?

Yes. The solution is 3 Factor Authentication.

Relying on a single factor of authentication doesn't work:

  • Knowledge factors such as passwords are utterly compromised
  • Biometric factors such as fingerprints and iris scans will fail too once they have been copied and can be replayed
  • SS7 is complicated; incorrectly designed mobile network or mobile-based solutions become easily compromised device factors

Sure, there are some quick wins which can mitigate the current problem without significant cost or effort, but a correctly designed 3 Factor Authentication service which uses mobile network data will serve businesses for years to come.
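To make the single-factor argument concrete, here is an added example of a two-factor login check that does not depend on anything delivered over the mobile network. It is not code from the original post and does not implement the author's mobile-network-data service; it assumes instead that the device factor is a standard TOTP authenticator app (RFC 6238, HMAC-SHA1, 30-second steps), so the one-time code is generated on the handset and is never sent as an SMS that an SS7 redirection could read. The account record, the password and the salt are constructed for the example. The replay guard addresses the "copied and replayed" failure mode in the list above: each time step is consumed once, so a code captured from one login cannot be reused, and it is consumed only when both factors pass, so a wrong password cannot burn a valid code.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP keyed on the current time step (default 30 s)."""
    return hotp(secret, unix_time // step, digits)


class Account:
    """Constructed account record: a salted password hash plus a device-bound TOTP seed."""

    PBKDF2_ROUNDS = 100_000

    def __init__(self, password: str, totp_secret: bytes):
        self.salt = b"constructed-per-account-salt"  # in production: random per account
        self.password_hash = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self.salt, self.PBKDF2_ROUNDS)
        self.totp_secret = totp_secret
        self.last_totp_step = -1  # highest time step already consumed (replay guard)


def check_password(acct: Account, password: str) -> bool:
    """Knowledge factor: constant-time comparison against the stored PBKDF2 hash."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), acct.salt, acct.PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, acct.password_hash)


def match_totp(acct: Account, code: str, unix_time: int,
               step: int = 30, window: int = 1):
    """Device factor: return the time step the code matches, or None.

    Accepts +/- `window` steps of clock drift, skips steps already consumed
    (so a replayed code never matches) and does NOT mutate the account.
    """
    if not (code.isascii() and code.isdigit() and len(code) == 6):
        return None
    current = unix_time // step
    for candidate in range(current - window, current + window + 1):
        if candidate <= acct.last_totp_step:
            continue
        if hmac.compare_digest(hotp(acct.totp_secret, candidate), code):
            return candidate
    return None


def authenticate(acct: Account, password: str, code: str, unix_time: int) -> bool:
    """Both factors are always evaluated; the TOTP step is consumed only on full success."""
    pw_ok = check_password(acct, password)
    matched_step = match_totp(acct, code, unix_time)
    if not (pw_ok and matched_step is not None):
        return False
    acct.last_totp_step = matched_step  # burn the step: the same code cannot be replayed
    return True


if __name__ == "__main__":
    seed = b"12345678901234567890"  # the RFC 6238 reference seed, used here as a constructed secret
    acct = Account("correct horse battery", seed)
    now = int(time.time())
    code = totp(seed, now)
    print("first login:", authenticate(acct, "correct horse battery", code, now))
    print("replay of same code:", authenticate(acct, "correct horse battery", code, now))
```

The HOTP and TOTP functions reproduce the RFC test vectors, which is the easiest way to confirm a home-grown implementation against a real authenticator app before trusting it. Note what this does and does not fix: it removes SMS from the login path, so call or SMS redirection over SS7 no longer yields the second factor, but it does nothing for a handset already running banking malware, which is the other half of the threat the post describes.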