Another reason to stop SMS 2FA—think about this

Richi Jennings, your humble blogwatcher, d/b/a RJA

SMS as a second factor in 2FA/MFA is a bad idea. Really bad. But you’ve heard me say so many, many, many times.

This time, let’s look at a new way for hackers to intercept your users’ SMS messages. And this one’s a doozy.

If you didn’t act last time, I’m sure you will now. In this week’s Security Blogwatch, what’s old is new again.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: approximately pie.

NNID abuse in NANP

What’s the craic? Joseph Cox and Lorenzo Franceschi-Bicchierai report—A Hacker Got All My Texts for $16:

Looking down at my phone, there was no sign it had been hacked. I still had reception; the phone said I was still connected to the T-Mobile network. … But the hacker had … effortlessly redirected my text messages to themselves. … I never received the messages intended for me, but he did.

I hadn't been SIM swapped. [It didn’t] rely on SS7 exploitation. … Instead, the hacker used a service [that] helps businesses do SMS marketing … to reroute my messages to him. This overlooked attack vector shows [the] gaping holes in our telecommunications infrastructure, with a hacker sometimes just having to pinky swear they have [your] consent.

[I] created an account for verification purposes, but Sakari suspended the account after [being] contacted for comment. … "Sakari takes privacy and security extremely seriously, and we [have] a robust process for verification on top of this," [said] Adam Horsman, co-founder of Sakari. … "We appreciate you bringing this to our attention, and have updated our hosted messaging process to catch this in the future. … We agree there are improvements needed … to improve security and trust. … Regulation from the FCC … would greatly improve the security and effectiveness of the ecosystem."

Sakari … receives the capability to control the rerouting of text messages from another firm called Bandwidth … through its relationship with another company called NetNumber [which] owns and operates the proprietary, centralized database that the industry uses for text message routing, the Override Service Registry (OSR).

OMFSM. Mitchell Clark adds—It’s an industry aimed at businesses, but it’s open to nefarious uses:

The attack uses … services that are aimed at businesses to silently redirect text messages … to hackers, giving them access to any two-factor codes or login links that are sent via text message. Sometimes, the companies … don’t send any sort of message to the number that’s being redirected, either to ask permission or even to notify the owner. … It could be quite a while before you notice … — more than enough time for attackers to compromise your accounts.

[Sakari] has reportedly fixed the exploit, but there are many others like it — and there doesn’t seem to be anyone holding the companies to account. [It’s another] reminder that SMS should be avoided for anything security related. … It’s better to use an app like Google Authenticator or Authy.

Yes, it is. And jfrunyon echoes that reminder:

SMS 2FA adds only a negligible amount of security; if your company does 2FA via SMS, you're doing nothing more than lulling your users into a false sense of security. Don't do it. Support proper 2FA. (And while you're at it, allow your users to decide how much they care about their account. Don't make the decision for them.)

Standard is better than better. tlhIngan gets NISTy: [You’re fired—Ed.]

NIST updated their guidelines in 2016 deprecating SMS-based two-factor authentication. … This was big news years ago with people thinking NIST was being paid off to say that, but I guess the eggheads there know what they're talking about.

Who discovered the problem? Jered “Lucky225” Morgan lays it all out:

Most infosec professionals are aware of … so-called “SIM Swap” attacks, SS7 attacks, Port-out fraud, etc. All of these attacks however do require some level of sophistication.

There is however another vulnerability that is not particularly well known. … The SMS may need to be routed to a different carrier than the carrier of record. … There are many VoIP providers that offer “off net” “text enablement.” … There are a plethora of other wholesale VoIP providers that allow you to become a reseller with little to no verification, [using] “blanket [letters of authorization]” where … the reseller [promises it has a letter of authorization] on file for any number.

No SIM Swap, SS7 attacks, or port outs needed — just type the target’s phone number in a text box and hit submit. … Within minutes you can start receiving SMS text messages for them. They won’t even be alerted. … Despite the fact that I publicly disclosed this in 2018, nothing has been done to stop this.

The point here is until NetNumber is regulated by the FCC (and the various other telecom regulatories that NetNumber operates in), nothing in their database can be trusted. They make unilateral policy decisions on the fly for whatever purpose suits them.

tl;dr? Dr. Dissent Doe dashes off this ditty:

If this story doesn’t scare you, I don’t know what will.

So this is basically a problem with number portability? Aren’t there FCC regulations? closeparen says yes, but:

The regulation seeks to promote competition and consumer choice. An onerous verification process would undermine that goal. Security is not a consideration.

This is sort of the point with regulation. The regulator makes the rules it thinks are best according to the considerations it thinks are important at the time. If someone later shows up with different considerations, they can go to hell.

Who is to blame? The legacy Bell System, according to quetwo, who nixes security by obscurity:

Just like everything else that the Bells created, it's all based on the theory of security that as long as people don't know it exists, it can't be exploited. And that you try to make sure only good actors have access to the system. You can expect this to become more of an issue, since there are quite a few companies that are designed to SMS enable land-line numbers that can be used for this attack.

How do we fix it? You can’t get there from here. So fmajid has a low-tech idea:

SMS is irredeemably broken, like all telco-designed garbage protocols. The only way you can incentivize companies to stop using it as security theater is to shift liability so any losses incurred by SMS jacking are automatically the liability of the company using SMS—just as nowadays any credit card fraud is borne by the company that is not using the EMV chip to secure a transaction.

Meanwhile, iamhassi stereotypes thuswise:

But try explaining to grandma how to use Google authenticator. Phone calls are still easier for the technology challenged.

The moral of the story?

Stop using SMS, robocalls, or Caller ID for authentication or identification: It’s not secure—and it never has been.

And finally

It’s somewhere between 3.106 and 3.215


You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

This week’s zomgsauce: Markus Winkler (via Unsplash)
