SS7 SMS Attacks, a Throwback to the Phreaking of the 70s
This article will be hard for you to read. Not in the way all my other articles are hard to read. This one will be emotionally hard. And let me give you the call to action right now (in the government we call it the Bottom Line Up Front (BLUF)).
The BLUF is this. You will need to do two things. First, you will need to log into all your bank, other financial accounts, and your email accounts. Set the security to Multi Factor Authentication turned on and make sure you ARE NOT using SMS or text message for delivery of the One Time Passcode. The second thing you will need to do if you are in a relationship where you do not trust your partner, is to either reset your phone to factory settings, or dispose of the phone and buy a new one. Then ensure they NEVER have access to your phone unlocked. Ever.
Now, the reason for all this. The technical parts that follow are necessarily grossly oversimplified. In 1975, the telecommunications industry developed a security protocol to reduce the impact of “phreaking”. Phreaking was a way to trick the telecom network into allowing long distance calls for free. The protocol was not secure. It hasn’t really been updated. And it is all over your cell phone. It’s called SS7. By abusing it, anyone can intercept your phone connection from anywhere in the world and access your text messages and phone calls, without installing any malware. And you will never know.
So, if you use text messages (SMS) for that One Time Passcode from your bank, all an attacker needs are your phone number, username, and password. They can render you penniless. Your financial accounts and your email accounts are probably the most important part of your digital life. Treat their logins with the utmost care.
That’s the first part. The second is this. If you are now, or have ever been, in an abusive or otherwise untrustworthy relationship what follows might sound familiar. Bob, (names have been changed for privacy) met Jane, the girl of his dreams. He thought it was cute when Jane insisted that they share their phone PIN codes. The cuteness ended there. Eventually Jane began to insist on more and more control over Bob’s life. Without reciprocating. Eventually, Bob found all the contacts in his phone had been deleted. All the female contacts. And Jane had changed her PIN.
It’s just a PIN code. You don’t have anything to hide is your initial thought. But this sweet new addition to your life may have a dark side. This adorable partner could (with as little as $175) install spyware on your phone. Or buy a phone for you with the spyware already installed. The spyware literally gives them access to everything. Including both cameras and the microphone.
People make a huge fuss over the need to keep Social Security Numbers (SSN) private. But did you ever think the secrecy of your phone number would be more important than your SSN? When it comes to your phone number, in the words of Gandalf, “Keep it secret. Keep it safe.” Fortunately, unlike your SSN, you can get a new phone number.
In addition to factory resetting the phone, setting up non-SMS-based MFA for your online accounts, you should SERIOUSLY consider using the Signal app for all your communications. For the SS7 hack, it will help by encrypting all your communications (voice and video calls, and text messages) so eavesdroppers can’t eavesdrop.
There are many more details. I’m more than happy to chat about it if you want to email me. Just no phone calls.