The Key Vulnerability Hackers Use to Steal Facebook Accounts and More  

Despite all of the attention that large companies, such as Facebook, give to cybersecurity, both through advanced technology and simple things like reminding you to change your password regularly, a major and little-known security vulnerability remains wide open. To complicate matters further, this security vulnerability applies not only to Facebook, but to any site or web service that uses SMS-based authentication systems. It is a vulnerability in a set of telephony signaling protocols commonly called the SS7 network.

Hackers SS7

What is SS7?

Signalling System 7 is a communications system developed in 1975 that provides global telecommunications network services—it is the worldwide path through which landline phones transmit voice calls and through which mobile phones transmit data. The SS7 network was never designed with security in mind; it trusts messages sent over it regardless of where they come from, making it easy for hackers and cyber criminals to exploit.

The process requires only some information about the victim’s device, such as its phone number and a few other technical details. From that point, fooling the SS7 service into diverting calls, data, or even encrypted WhatsApp and Telegram messages to the hacker’s device. End-to-end encryption doesn’t offer much in the way of security in this situation since hackers can effectively fool the network into confirming their devices are legitimate.

Why is SS7 so Vulnerable?

It is evident that SS7’s designers did not imagine a need to encrypt data or even have a firewall in place. The telecommunications environment of 1975 simply did not call for such elaborate security measures. Now that the network is the primary global system for transmitting this type of data, however, an important question arises: Whose responsibility is it to upgrade its security?

A deceptively simple answer would be the government. However, the United States lacks the tools and the jurisdiction to do this, especially since the Telecommunications Act of 1996 effectively deregulated the domestic market. SS7 is a global network—is America going to fix every telecommunications security flaw in every country in the world?

The next possible answer would be the telecommunications giants: Verizon, Vodafone, Sprint, Telefonica, etc. These companies would seem to share the responsibility, but the size of the network creates complex problems when it comes to regulating the manner in which these upgrades take place.

Apart from simple issues, such as who pays for the improvements and how they can be structured so as to be compatible with one another, there is the major issue of incentive. None of the telecommunications companies have a clear incentive to secure the SS7 network. Even if one company completely secures the elements of the network it uses, vulnerabilities in another company’s infrastructure compromise those improvements. Nevertheless, Vodafone and Telefonica are working on improving SS7 security, according to Forbes.

How to Protect Your Accounts, Data, and Identity

Since the vulnerabilities present in the SS7 network are so wide-ranging, two-factor authentication is an absolute must-have. Any site featuring a two-factor authentication method that does not rely on SMS can be considered safe from SS7 vulnerabilities. Additionally, not sharing personal phone numbers on public resources can help keep that vital piece of information out of hackers’ hands.

OffSite IT is the trusted choice when it comes to staying ahead of the latest information technology tips, tricks, and news. Contact us at (866) 828--6674 or send us an email at info@offsiteIT.com for more information.

Alexssa

I first hired John directly as an employee back in 1999.
He was an excellent addition to a growing team at a small technology company. Subsequent to the sale of the company, John branched out on his own and started an IT consulting firm. Since that time, I have not used anyone else. John is capable, personable, has integrity and is also very likable. I would recommend him without reservation.”

  Kevin DiCerbo   

Connect With OffSite IT

  • Los Angeles / Orange County 22607 La Palma Avenue Suite 409 Yorba Linda, CA 92887
  • Chicago 6912 Main Street Suite 214 Downers Grove, IL 60516
  • 1-866-828_-6674 info@offsiteIT.com