Billions has been invested, super speed reached, yet none of the security holes have been fixed. Positive Technologies has warned that its research confirms vulnerabilities in the world’s mobile infrastructure still exist, despite billions being invested to upgrade mobile networks to Diameter to carry 4G and 5G traffic. The unaddressed flaws leave mobile communications, and the security practices founded on them, vulnerable allowing hackers to intercept and divert SMS messages – including passcodes meant to validate identity and authorise transactions; eavesdrop on phone conversations; locate users; instigate denial of service attacks against the whole network; plus other illegitimate actions. Earlier this year attackers stole funds from bank accounts having redirected one time passcodes (OTPs) sent by banks in Germany, via text message (SMS), confirming that real world attacks have been devised and can be successfully executed.
“The mobile network infrastructure is based on a set of telephony signalling protocols, developed in 1975, when security wasn’t a consideration but was less of a risk as only a few people had access. Today that’s no longer true. Access has spiralled yet security is still non-existent,” explains Michael Downs, Director of Telecoms Security (EMEA) of Positive Technologies. “With Diameter [the new protocol for 4G and 5G networks] used to support thousands of emerging IoT applications – from cars to connected cities, these lax security practices leave us all vulnerable as hackers can easily exploit these flaws.”
Earlier this year it was confirmed that attackers in Germany had accessed the global mobile infrastructure and diverted one time passcodes sent from banks, via SMS message, to authorise transactions and steal money out of compromised accounts. Speaking about this development Michel adds, “This incident shows that these vulnerabilities in the mobile infrastructure open mobile users to the same kind of mass cybercrime threats that Internet users have suffered for years. There’s zero security, with zero control, which equals zero trust. Networks must accept the threat, educate themselves about the attack vectors being used and move to monitor and neutralise the problem. In the meantime, given it’s been proven fallible, using mobile channels as an additional layer of security has to be paused.”
In August 2016 NIST stopped recommending two-factor authentication systems that use SMS due to, what it described as, out of band verification using SMS being deprecated. US Senator Ron Wyden (D-OR) and Representative Ted Lieu (D-CA) have both written to America's communications watchdog, the FCC, asking why reported flaws in global SS7 cell networks have not been addressed.
Positive Technologies has published a whitepaper detailing its findings: https://www.ptsecurity.com/ww-en/premium/diameter-research/