We have written about the almost infinite possibilities for surveillance and malicious activity presented by flaws in the Signaling System 7 (SS7) protocol used by virtually all mobile networks worldwide. A security research firm recently demonstrated how the same exploit can be used to drain a Bitcoin wallet. Which certainly drives home the point about how easy subverting (otherwise reliable) security systems can be.
One of the main reasons Bitcoin is so valuable is because it is secure. And it really is – blockchain technology is rightfully lauded as the future of online security and banking. But it is much simpler things that apparently allow for it to be broken. To use Bitcoin, you need a wallet. To use the latter, you need an account that is linked to an email. And emails are accessible with a username and password. Which, if forgotten, can be restored by the service provider. And here is where we find a weak link in the chain.
Public information may be enough to get your wallet hacked
In their demonstrated attack, the researchers from cybersecurity firm Positive Technologies gain access to a Bitcoin Wallet linked to a Gmail account. They do it by using just the following previously known information about the targeted person:
- Mobile phone number
Notice how none of this is information that is hard to obtain. You can check anyone’s names on Facebook, and people literally give out their phone numbers to anyone. The described attack doesn’t require anything else: no social engineering and phishing, no physical proximity, no brute-forcing of passwords. Not even your email address.
First, they go to Google’s site and fill in the phone number to see which email is associated with it. Once they know the email, they try to log in and use the “forgotten password” option. A few clicks away, Google lets you reset your password using a code they send you via an SMS text message.
How can SS7 be used to access a Bitcoin Wallet?
Here is where SS7 comes into play. This protocol is the glue linking different operators’ and countries’ mobile networks together to allow roaming. But it is also easy to hack into using just a laptop and an SS7 hacking API. Once in, a hacker can monitor the unencrypted traffic related to an IMSI mobile identity. In this case, the researchers use the phone number to get the IMSI and then they read the incoming SMS messages (because they are unencrypted).
With the acquired code they reset the Gmail password and log into that account. Then they do the same password-reset operation at the online wallet platform, in this case, Coinbase. The new password gets sent to the email the researchers gained access to in the previous step. And voila – they have the credentials to the target’s Bitcoin wallet. (Watch a video demonstration of the hack here.)
Sounds like a nightmare scenario if you have precious Bitcoin. What makes the whole hack possible is the fact that Google uses SMS for two-factor authentication (2FA). These text messages are unencrypted and could be read by anyone tech-savvy enough to gain elevated access to your network. Exploiting SS7 is one way to do that. Using an IMSI-catcher is another, but that requires physical proximity to the target.
The lesson from the whole thing is that you should never rely on unencrypted channels for anything. If you are going to have 2FA, do not use SMS for it.