Despite all of the attention that large companies, such as Facebook, give to cybersecurity, both through advanced technology and simple things like reminding you to change your password regularly, a major and little-known security vulnerability remains wide open. To complicate matters further, this security vulnerability applies not only to Facebook, but to any site or web service that uses SMS-based authentication systems. It is a vulnerability in a set of telephony signaling protocols commonly called the SS7 network.
What is SS7?
Signalling System 7 is a communications system developed in 1975 that provides global telecommunications network services—it is the worldwide path through which landline phones transmit voice calls and through which mobile phones transmit data. The SS7 network was never designed with security in mind; it trusts messages sent over it regardless of where they come from, making it easy for hackers and cyber criminals to exploit.
The process requires only some information about the victim’s device, such as its phone number and a few other technical details. From that point, the hacker can fool the SS7 service into diverting calls, data, or even encrypted WhatsApp and Telegram messages to the hacker’s device. End-to-end encryption doesn’t offer much in the way of security in this situation since hackers can effectively fool the network into confirming their devices are legitimate.
Why is SS7 so Vulnerable?
It is evident that SS7’s designers did not imagine a need to encrypt data or even have a firewall in place. The telecommunications environment of 1975 simply did not call for such elaborate security measures. Now that the network is the primary global system for transmitting this type of data, however, an important question arises: Whose responsibility is it to upgrade its security?
A deceptively simple answer would be the government. However, the United States lacks the tools and the jurisdiction to do this, especially since the Telecommunications Act of 1996 effectively deregulated the domestic market. SS7 is a global network—is America going to fix every telecommunications security flaw in every country in the world?
The next possible answer would be the telecommunications giants: Verizon, Vodafone, Sprint, Telefonica, etc. These companies would seem to share the responsibility, but the size of the network creates complex problems when it comes to regulating the manner in which these upgrades take place.
Apart from simple issues, such as who pays for the improvements and how they can be structured so as to be compatible with one another, there is the major issue of incentive. None of the telecommunications companies have a clear incentive to secure the SS7 network. Even if one company completely secures the elements of the network it uses, vulnerabilities in another company’s infrastructure compromise those improvements. Nevertheless, Vodafone and Telefonica are working on improving SS7 security, according to Forbes.
How to Protect Your Accounts, Data, and Identity
Since the vulnerabilities present in the SS7 network are so wide-ranging, two-factor authentication is an absolute must-have. Any site featuring a two-factor authentication method that does not rely on SMS can be considered safe from SS7 vulnerabilities. Additionally, not sharing personal phone numbers on public resources can help keep that vital piece of information out of hackers’ hands.
Alary Clinitech is the trusted choice when it comes to staying ahead of the latest information technology tips, tricks, and news. Contact us at (416) 291-7377 or send us an email at email@example.com for more information.