SS7 A to Z - OTP bypass, Telegram/ WhatsApp hacking/ Prevention/ Installation!

 What is ss7 ?

SS7 (Common Channel Signaling System No. 7 or C7) has been the industry standard since, and hasn’t advanced much in decades. It’s outdated security concepts make it especially vulnerable to hackers.

SS7’s success has also, in a way, been its curse. At least when it comes to cyber security. The SS7 protocol is used everywhere, and is the leading protocol for connecting network communication worldwide. 

As such, SS7 is an attacker’s best friend, enabling them access to the same surveillance capabilities held by law enforcement and intelligence agencies.

How does ss7 work?

The set of SS7 telephony signaling protocols is responsible for setting up and terminating telephone calls over a digital signaling network to enable wireless cellular and wired connectivity. It is used to initiate most of the world’s public telephone calls over PSTN (Public Switched Telephone Network).

Over time other applications were integrated into SS7. This allowed for the introduction of new services like SMS, number translation, prepaid billing, call waiting/forwarding, conference calling, local number portability, and other mass-market services.

Components and elements that make up the SS7 Protocol Stack –

What are SS7 attacks?

SS7 attacks are mobile cyber attacks that exploit security vulnerabilities in the SS7 protocol to compromise and intercept voice and SMS communications on a cellular network. Similar to a Man In the Middle attack, SS7 attacks target mobile phone communications rather than wifi transmissions.

How do SS7 attacks work?

SS7 attacks exploit the authentication capability of communication protocols running atop the SS7 protocol to eavesdrop on voice and text communications. All cyber criminal would need to successfully launch an SS7 attack are a computer running Linux and the SS7 SDK – both free to download from the Internet.

Once connected to an SS7 network, the hacker can target subscribers on the network while fooling the network into thinking the hacker device is actually an MSC/VLR node.

What’s in it for the Hackers?

When a hacker successfully performs a MitM phishing attack, they gain access to the same amounts and types of information that are usually reserved for the use of security services. Having the ability to eavesdrop on calls and text messages, as well as device locations empowers hackers to gain valuable information.

A common security precaution used by many is one of the targets of SS7 attacks. Two-factor authentication (also known as 2FA) via SMS using SS7 is inherently flawed as these SMS messages are unencrypted and hackers know how to intercept them. With the code from the SMS in their hand, a cyber-criminal can potentially reset your password to Google, Facebook, Whatsapp account or even your bank account.

HOW TO BYPASS OTP WITH SS7 ATTACK 

BYPASSING OTP ?

OTP IS MOSTLY A 4/6 DIGIT NUMERICAL/ALPHANUMERIC CODE USED AS ANOTHER WAY OF AUTHENTICATING A USER ALONG WITH THE CREDENTIALS.

STONE AGE

People used to just enter their email and pass to login.

It still is there for majority of sites but some have 2FA[OTP] as optional and some have it mandatory.

WHY OTP??

BECAUSE PEOPLE CAN HACK/CRACK YOUR EMAIL/PASS EASY

WITH OTP EVEN IF THEY CAN, THEY WONT BE ABLE TO LOGIN

WHAT'S THE OTHER WAY ROUND THIS?

There are tons of other ways to bypass OTP but the most popular and bit of HQ is SS7 Attack.

Comment down below the thread if you want me to write those up too.

So Where were we:

SS7 Tunneling/Attack = Same as MITM but operates on telephonic communication rather than data/wifi communication.Those who got no idea what MITM is can go through my previous thread about it.

Now Why is SS7 HQ

Because the global telephonic communication runs on it.

Old Protocal but hasnt been changed much.

What Tools needed for this Attack?

A Linux OS and SS7 SDK[They re on the Internet]

The Inside Workaround?

Take an Example: Our Freind Roobbin is having some cash piled up in his bank account...Forget it...FBI gonna bust my ass for this example.

Our freind roobbin got an app in his phone which lets him login to his account after entering the credentials and an OTP generated on Real-Time.

We as usual gets the credentials by 

hacking/cracking

But when we treid to log-in to the app using just the email/pass it generated the OTP[Take an example of Hotstar or BLockChain or anything that requires OTP].

When there is some kinda communication via our phone to any other service over the Network, Our Unique Phone address is stored in HLR[Home Location Register] and it acts as a medium to transmit data...See what i learned in "Wireless Communication" is coming in handy right now .The Enggineering guys would know if they had the subject taken.

Ok to be straight .....Phone sends data to HLR and checks the unique address of our mobile device,

Then from there the HLR sends the request to VLR[Virtual Location Register - It temporarilhy stores our mobile info till connection time out].

SS7 Fakes VLR Address and put the hackers machine address in it.So, basically we are tricking the system into beleiving our address to be the users address we need to get the OTP from.

Now you know what...HLR will transmit the details to the fake VLR and hackers gonna get all the details flowing in and out the the victims mobile !

TELEGRAM AND WHATSAPP HACKING

HACKING WITH SIGNAL SYSTEM 7 (SS7) :

Both WHATSAPP and TELEGRAM messaging services have an end-to-end encryption for chats in order to protect the privacy of their users and improve their security.

Is it enough to keep eyes far from them?

No, according to a recent research conducted by techroods hackers can impersonate victims and reply to both WhatsApp and Telegram chat messages.

Hackers can exploit the SIGNAL SYSTEM 7, aka SS7, which is a set of protocols developed in 1975 that allows the connections of one mobile phone network to another. The information passed from a network to another are needed for routing calls and text messages between several networks.

The SS7 performs out-of-band signaling in support of the call establishment, billing, routing, and information exchange functions of the public switched telephone network (PSTN).WHICH is now also use by BLACK HAT HACKERS for BOUNCING their networks

Experts discovered that hackers can exploit a flaw in the SS7 protocol to steal the victim’s identity on the messaging services with just basic skills.

The principal instant messaging services, including WhatsApp and Telegram, rely on the SMS authentication as the primary security verification mechanism, which is routed through SS7 signaling. This means that hackers exploit the SIGNAL SYSTEM 7 to compromise the verification mechanism and take over the victim’s account and impersonate him.

As explained by the experts, the rarest aspect of the story is that hacker does not need high-skills or a special equipment for such attack.

The hackers used a common Linux distro and a publicly available SDK for their tests.

“An intruder doesn’t need special equipment. a hacker used a popular Linux based computer and a publicly available SDK for generating SS7 packets. + After performing an initial attack using SS7 commands, the intruder is able to execute additional attacks using the same methods.” states the paper from Positive Technologies. “For instance, if an intruder manages to determine a subscriber’s location, only one further step is required to intercept SMS messages, commit fraud, etc. + Attacks are based on legitimate SS7 messages.

How hacker can access your bitcoin wallet?

 How Hacker Can Empty Ur Bitcoin Wallet Using Ur Phone no & Email

Security of SMS-based two-factor authentication has been long-debated. Despite flaws in Signalling System No. 7 (SS7), which is an internationally used telecom protocol to route texts and calls, it continues to be used at a large scale in banking and other services.

The security researchers Positive Technologies have shown how a bitcoin wallet can be hacked using SS7 vulnerabilities. By getting their hands on SS7 network, the hackers were able to reset the Gmail passwords using SMS-based two-factor authentication.

A big flaw in SMS-based 2FA is that the one-time password can be accessed on a variety of devices and services, which might have their own flaws. Thus, the attack surface increases. On the other hand, the true 2FA, which is like a push notification popup, sends the verification prompt to one device.

 By intercepting the text messages in transit, the hackers can take control of your Gmail account and any other service associated with it.

Not just cryptocurrency wallets, this flaw puts your banking and social media accounts at risk. “This hack would work for any resource – real currency or virtual currency – that uses SMS for password recovery,” the researchers told Forbes.

Getting access to the SS7 network is the biggest barrier one needs to cross. The cybercriminals can buy the access on the dark web. In the past, at least at one occasion, SS7 was used to empty bank accounts. According to Forbes, many surveillance companies are also selling services to spy using SS7 flaw.

What should the user do?

As stressed earlier, SS7 flaw has been known to the telecom industry from a long time. So, unless they don’t take steps to make it more secure, the users need to take steps on their own. You can use tools like Google Authenticator, Google prompt, or security key for extra security.

How to prevent ss7 attack?

1) Avoid SMS services as much as possible instead try to use encrypted services with end to end encryption (Signal Private Messenger recommended). 

2) Avoid using Calling on the cellular network as much as possible. Use Encryption messenger's calling on an encrypted network. (Again Signal Recommended) 

INSTALLATION OF SS7 IN RED HAT LINUX:-

1. Log on as root.

2. Download the Dialogic NaturalAccess SS7 Monitor Software from www.dialogic.com

3. Unzip and untar the download file by entering the following commands:

TYPE: SETTING : - gzip -d filename.tgztar -xvf filename.tar

where filename is the base portion of the name of the file that you downloaded.

4. Run the monitor_install script located in the directory in which you opened the tar file, and follow the prompts from the script.

Note: Do not change the default install location

 5. Run one of the following commands to implement the environment changes: • . /etc/profile.d/txbase.sh Reboot the system. For additional release information, refer to the release_notes.pdf file located in the software

Thanks for reading

Credit:NayanDubey

Telegram

YouTube