brightshade • Mentor • 23 Messages • Friday, May 19th, 2017 7:34 PM

AT&T Wireless SS7 hacking weaknesses?

What is AT&T doing to protect customers from SS7 hacking like CBS' 60 Minutes demonstrated last year? (http://multimedia.cbs.com/news/60-minutes-hacking-your-phone/)

Wired magazine explained the wireless network security weakness shortly afterward at https://www.wired.com/2016/04/the-critical-hole-at-the-heart-of-cell-phone-infrastructure/

As demonstrated on 60 Minutes, SS7 weaknesses can be used to eavesdrop on phone calls. It can also be used to intercept SMS text messages used for Two Factor Authentication (TFA) by everyone from banks and brokerages to services like Gmail. (See https://arstechnica.com/security/2017/05/thieves-drain-2fa-protected-bank-accounts-by-abusing-ss7-routing-protocol/)

What is AT&T doing to protect us customers????

AT&T appears to be silent about the risks to customers.

ACE - Sage • 115.9K Messages • 7 years ago

You have more chance of getting hit by lightning during a shark attack.  Did you actually read the full article?

 

ACE - Expert • 23.9K Messages • 7 years ago


@brightshade wrote:

What is AT&T doing to protect customers from SS7 hacking like CBS' 60 Minutes demonstrated last year?(http://multimedia.cbs.com/news/60-minutes-hacking-your-phone/)

 

Wired magazine explained the wireless network security weakness shortly afterward at https://www.wired.com/2016/04/the-critical-hole-at-the-heart-of-cell-phone-infrastructure/

 

As demonstrated on 60 Minutes, SS7 weaknesses can be used to eavesdrop on phone calls. It can also be used to intercept SMS text messages used for Two Factor Authentication (TFA) by everyone from banks and brokerages to services like Gmail. (See https://arstechnica.com/security/2017/05/thieves-drain-2fa-protected-bank-accounts-by-abusing-ss7-routing-protocol/)

 

What is AT&T doing to protect us customers????

 

AT&T appears to be silent about the risks to customers. 


@brightshade

 

omg get your tin hat out......  you have a better chance of being in a plane crash than getting hacked like this....  Below is what I like.....

 

[Image: Capture.PNG]

Mentor • 23 Messages • 7 years ago

No answers, just ridicule for asking the question? The question wasn't about probabilities.

 

Unlikely as the WannaCry / WanaCrypt0r / WCry ransomware from last week that was based on stolen NSA hacking tools?

 

I guess the hospitals and others affected thought ransomware enabled by NSA hacking tools was as probable as being struck by lightning, being bitten by a shark, or being in a plane crash?

The source for the screen grab: https://www.wired.com/2017/05/fix-ss7-two-factor-authentication-bank-accounts/

 

Another quote from the same article: “It is unacceptable the FCC and telecom industry have not acted sooner to protect our privacy and financial security,” Lieu said in a statement on Wednesday about the German bank fraud. “Everyone’s accounts protected by text-based two-factor authentication, such as bank accounts, are potentially at risk until the FCC and telecom industry fix the devastating SS7 security flaw.” (My emphasis added.)

 

 

ACE - Expert • 23.9K Messages • 7 years ago

Wow. If those IT admins would have applied the patches when they were made available well then they would not have been infected. That malware exploit was made public and that's when patches should have been applied.

If you don't like how the SS7 is being dealt with you can go to Verizon or Sprint. Although LTE is GSM based.

Mentor • 23 Messages • 7 years ago

Again, the question was, "What is AT&T doing to protect us customers?" -- not what Verizon or Sprint are doing.

 

From https://www.wired.com/2016/04/the-critical-hole-at-the-heart-of-cell-phone-infrastructure/

"Verizon and Sprint use different protocols to exchange most of their data, so in theory are less vulnerable. But McDaid notes that all mobile networks will eventually migrate to a different signaling system called Diameter. That system “uses a lot of the same concepts and design as the previous SS7 network,” he notes, including the assumptions of trust that plague SS7."

ACE - Expert • 16.5K Messages • 7 years ago


@brightshade wrote:

 

What is AT&T doing to protect us customers????

AT&T appears to be silent about the risks to customers. 


If they explain publicly exactly what they are doing, it makes it easier for people to get around it.

 

Or is that what you are doing, trying to social engineer what they did so you can do a workaround???

 

 

ACE - Expert • 23.9K Messages • 7 years ago

And as I said, you don't like how AT&T is doing it, switch to Verizon or Sprint. You seem to be worried about it.

ACE - Sage • 115.9K Messages • 7 years ago

Tin can and string.

@brightshade I think the point is, why would anyone want to hack any one particular phone? With a few billion to pick from, a hacker has a goal. To pick on a particular number from a particular person. So to begin with your cell number is not published as long as you don't do so.

 

Mentor • 23 Messages • 7 years ago

"If they explain publicly exactly what they are doing, it makes it easier for people to get around it.

Or is that what you are doing, trying to social engineer what they did so you can do a workaround???"

With that kind of logic, Microsoft, Google, and every other vendor would keep patches a secret and https://cve.mitre.org would not exist.

 

@lizdance40

"why would anyone want to hack any one particular phone?"

The answer to this question is recent history, when the phone belongs to: a government official; someone running for elected office; a celebrity; a journalist; a friend or relative of any of the above; a senior executive with a corporation; anyone working in a cybersecurity position.

 

ACE - Sage • 115.9K Messages • 7 years ago

Right..... and do you know the personal cell number of a public official?   

Not me, because the only number they publish is their office number.  

Remember they already had the number for the iPhone they sent to Ted Lieu.  That story might have impressed me if they hacked his actual phone.  Even the evening news is out for ratings; facts are negotiable and often sacrificed with a good stunt.

Let's spend a minute, or 60, and consider it might have been a slow news week and 60 Minutes picked a rabbit out of the hat.

 
