One Time Passcodes Sent via SMS Intercepted and Used to Hack Accounts

Positive Technologies’ researchers able to compromise many popular social media sites by hacking SS7 network, intercepting an OTP, resetting passwords and taking ownership of accounts

Positive Technologies, a leading provider of vulnerability assessment, compliance management and threat analysis solutions, today confirmed its researchers have exploited a flaw in the SS7 protocol to intercept one time passcodes (OTP) used by many online services to reset passwords. Facebook, WhatsApp, Telegram, Twitter and many other online services, offer password resets via SMS message but instead of strengthening security, this ability actually introduces a vulnerability that hackers can, and will, exploit. Positive Technologies’ researchers have videoed themselves demonstrating the hack against Facebook and WhatsApp accounts, with the owner’s permission, proving the dangers of this authentication method.

Alex Mathews, technical manager EMEA of Positive Technologies explains, “The fact that the SS7 network has security flaws is indisputable as has been proven by many researchers, including our own. The issue is that the telecoms industry, as a whole, appears to be turning a blind eye. Rather than fixing the underlying vulnerability, many services are being encouraged to add a layer of protection built on this flawed global telecommunications network. The result is that, instead of strengthened security, in some instances adding a mobile phone number actually introduces the door hackers can exploit. For example, with Facebook, if you do not elect to have a passcode sent to your phone then a hacker could not take over your account using the SS7 vulnerability.”

In a video demonstrating the compromise, Positive Technologies researchers attempt to log-in to a user’s Facebook account. The service then offers to text a code to the mobile number registered with the account to reset the password and it’s this option that allows hackers a way in using the SS7 vulnerability. Hackers exploit the SS7 vulnerability to spoof a mobile phone on the network which then receives the OTP SMS. Having gained access to the Facebook account, the hackers then reset all other information associated with the account – such as password, etc., effectively locking the legitimate owner out.

The same attack methodology can be applied to any account that allows password resets using SMS OTP. Millions of usernames and mobile phone numbers are offered for sale in underground forums, stolen in any number of breaches that organisations suffer almost daily.

As illustration of the damage that can be caused, prolific twitter user – Katy Perry, had her account hacked recently with her 89 million twitter followers sent racist and homophobic messages, slurs directed at other celebrities and reports that her new song had also been leaked.

It’s not just celebrity accounts that will be targeted as hackers can abuse the trust social platforms cultivate to send malicious links that connections will trust, that can then spread malware and other malicious programs.

Alex concludes, “While our research has proven the concept for social media accounts, potentially any online account that can be reset via SMS OTPs could be compromised, for example corporate credentials, online banking, etc. The issue is further compounded as there are a number of security experts currently advocating users enable SMS OTPs as additional protection, we would strongly recommend users don’t! “