Despite all of the attention that large companies, such as Facebook, give to cybersecurity, both through advanced technology and simple things like reminding you to change your password regularly, a major and little-known security vulnerability remains wide open. To complicate matters further, this security vulnerability applies not only to Facebook, but to any site or web service that uses SMS-based authentication systems. It is a vulnerability in a set of telephony signaling protocols commonly called the SS7 network.
What is SS7?
Signalling System 7 is a communications system developed in 1975 that provides global telecommunications network services—it is the worldwide path through which landline phones transmit voice calls and through which mobile phones transmit data. The SS7 network was never designed with security in mind; it trusts messages sent over it regardless of where they come from, making it easy for hackers and cyber criminals to exploit.
The process requires only some information about the victim’s device, such as its phone number and a few other technical details. From that point, fooling the SS7 service into diverting calls, data, or even encrypted WhatsApp and Telegram messages to the hacker’s device. End-to-end encryption doesn’t offer much in the way of security in this situation since hackers can effectively fool the network into confirming their devices are legitimate.
Why is SS7 so Vulnerable?
It is evident that SS7’s designers did not imagine a need to encrypt data or even have a firewall in place. The telecommunications environment of 1975 simply did not call for such elaborate security measures. Now that the network is the primary global system for transmitting this type of data, however, an important question arises: Whose responsibility is it to upgrade its security?
A deceptively simple answer would be the government. However, the United States lacks the tools and the jurisdiction to do this, especially since the Telecommunications Act of 1996 effectively deregulated the domestic market. SS7 is a global network—is America going to fix every telecommunications security flaw in every country in the world?
The next possible answer would be the telecommunications giants: Verizon, Vodafone, Sprint, Telefonica, etc. These companies would seem to share the responsibility, but the size of the network creates complex problems when it comes to regulating the manner in which these upgrades take place.
Apart from simple issues, such as who pays for the improvements and how they can be structured so as to be compatible with one another, there is the major issue of incentive. None of the telecommunications companies have a clear incentive to secure the SS7 network. Even if one company completely secures the elements of the network it uses, vulnerabilities in another company’s infrastructure compromise those improvements. Nevertheless, Vodafone and Telefonica are working on improving SS7 security, according to Forbes.
How to Protect Your Accounts, Data, and Identity
Since the vulnerabilities present in the SS7 network are so wide-ranging, two-factor authentication is an absolute must-have. Any site featuring a two-factor authentication method that does not rely on SMS can be considered safe from SS7 vulnerabilities. Additionally, not sharing personal phone numbers on public resources can help keep that vital piece of information out of hackers’ hands.
OffSite IT is the trusted choice when it comes to staying ahead of the latest information technology tips, tricks, and news. Contact us at (866) 828-6674 or send us an email at info@offsiteIT.com for more information.
