Serious concerns about potential security flaws in the current global cellular network have been suspected for several years, but have been mostly disregarded as theoretical. In February 2014, suspicions grew significantly when a phone call by a US Ambassador was mysteriously leaked onto YouTube, believed to have been intercepted by someone using the suspected flaws in Russia. Since then, security research teams have confirmed the flaws are very real and made their findings public but have gotten relatively little attention, like the study released in February by AdaptiveMobile.
These flaws are now getting more public attention because of a recent 60 Minutes report in which German security researchers used them to spy on US Congressman Ted Lieu, who agreed to take part in the demonstration.
In the report, 60 Minutes sent a new phone to Congressman Lieu for him to use for communicating with his staffers, knowing they were participating in the test. They then gave the German hackers nothing but the phone number attached to the phone, challenging them to prove that intercepting SMS messages and phone calls really is that simple. The German hackers were successful.
Because of these security concerns, the US National Institute of Standards and Technology (NIST) has stated in their latest Digital Authentication Guideline that authentication via SMS messages should not be used. According to NIST:
“Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems SHOULD carefully consider alternative authenticators. If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and may no longer be allowed in future releases of this guidance.”
These security concerns apply to all uses of the current global telecom network, so it is important to understand why popular SMS authentication is insecure.
Why SMS Authentication is Insecure
SMS messages (for most carriers, including Verizon and AT&T) are sent over the Signaling System 7 (SS7) global telecom network. The SS7 network helps connect calls, among other functions, and has flaws in its original design that leave the phone calls and texts of the world’s billions of cellular customers vulnerable to interception and redirection.
The design flaws make it possible for users of a cellular carrier in one part of the world to access information held by carriers on the same SS7 network anywhere else in the world with relative ease. The system was designed in the 1980s as a global network to be used by only a small number of known, large mobile carriers; it is now used by thousands of organizations of all sizes and purposes around the world. The current system is known to have been exploited to locate users of the network and intercept their communications, and it is planned to be replaced over the next decade.
These design flaws make it possible for SMS messages containing passcodes to be intercepted, allowing the codes to be used to hijack services that send verification codes via SMS. Today these SMS codes are commonly used to login, reset passwords, and perform other sensitive actions with services like Facebook, Gmail, Twitter, and many others.
SMS messages are also often visible on the screen of mobile devices even when the device is locked, making stolen devices a greater security risk for your accounts. Fortunately, there are many other options available for both authenticating and using the cellular network securely.
In general, these cellular network vulnerabilities apply to communications addressed to a phone number, such as traditional phone calls and SMS messages. Communications sent to and from secure accounts instead, like the instant messaging and voice calling of the Facebook Messenger service or FaceTime and iMessage from Apple, allow you to communicate more securely over an insecure cellular network.
The NIST guidelines recommend the use of secure apps or biometrics, like a fingerprint reader or increasingly popular facial recognition, to secure your account.
Many services like Facebook and Google offer secure authenticator apps to generate codes that do not use insecure SMS-based communication. Use of these authentication apps substantially improves the security of your accounts with little extra effort and is highly recommended.
Companies like Apple and Okta offer authentication via push notifications to mobile devices, making securing accounts even easier and faster.
Google also recently released its own push notification authentication called Google Prompt, which is an excellent way to secure Google accounts.
Until a more secure global cellular network is designed and put in place, SMS authentication is not a secure way to authenticate and should be disabled. Authentication that relies on a mobile phone number of any kind should be decommissioned from use immediately and thoughtfully replaced with authentication options that offer better security based on each individual use case.
For help securing your enterprise with the latest innovative and reliable authentication methods, contact us.
Venafi, an Internet security product vendor, recently revealed the results of a global survey of CIOs who believe their security defenses are becoming less effective and who expect to suffer an attack. The underlying issue, according to Venafi, is the prevalence of unprotected and unmanaged cryptographic keys and digital certificates. CIOs admitted in the survey that they are “spending millions of dollars on layered security defenses” while effectively trusting keys and certificates without being able to differentiate between trusted and compromised ones.
Even more troublesome is Gartner’s prediction that by 2017, approximately 50% of the attacks against an enterprise network will arrive inside encrypted traffic, bypassing the controls put in place to stop them. If so, tools like IDS, behavior-anomaly detection, and next-generation firewalls that cannot inspect that traffic would be blind to about half of the attacks. Additionally, the Ponemon Institute recently revealed that approximately 54% of organizations said “they lack policy enforcement and remediation for keys and certificates.”
While the survey does point out worrying figures about the underlying digital trust that enterprises rely on, it is important to note that there are ways to rebuild confidence in your keys.
3 Steps to Rebuild Confidence in Your Cryptographic Keys and Certificates
1: Know and understand where your keys are located
Many CIOs in the survey admitted to not knowing where all of their keys and certificates are located. Having a program in place to manage and monitor keys, who has access to them and most importantly, where they are located, will help build confidence in your cryptographic key management program. Knowing that your keys are accounted for will help you reduce the risk of untrusted keys.
2: Establish policies and procedures for how certificates and keys are handled
Having policies and procedures for key management, including those that ensure formal assignment of key management responsibilities in a key custodian role, will make employees managing cryptography more accountable. An established procedure will ensure that key management is handled the right way every time and when there is turnover, the next employee will be following the same procedure, and so on. The main takeaway is that the policies must be, without doubt, enforceable, and the procedures must be known, aligned with policy, implemented, and followed accordingly by key management staff.
3: Log and document all key management activities
Every time key management activity is performed (updated, changed, expired), that activity needs to be logged and documented. Metrics should be collected to get an idea of what is normal behavior and what is not. Suspicious activity or suspected key compromise should be reported and investigated.
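As an added example tying together step 1 (know where your keys are) and step 3 (record every key management activity), here is a minimal inventory scanner, not CyberSheath's or Venafi's code: it walks a directory tree, finds PEM-encoded private keys and certificates, flags private keys stored without a passphrase, and emits a timestamped record per finding. The sample files it scans are constructed placeholders, not real key material.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Matches one PEM block and captures its label (e.g. "RSA PRIVATE KEY") and body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+?)-----\n(.*?)-----END \1-----", re.S)


def classify(label, body):
    """Map a PEM label to a kind and flag private keys stored without a passphrase."""
    is_private = "PRIVATE KEY" in label
    # PKCS#8 encrypted keys carry an ENCRYPTED label; legacy PEM keys use a Proc-Type header.
    encrypted = label.startswith("ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in body
    kind = "private_key" if is_private else "certificate" if label == "CERTIFICATE" else "other"
    return {"kind": kind, "label": label, "unprotected": is_private and not encrypted}


def scan_tree(root):
    """Walk root, find PEM blocks in readable files, return one audit record per block."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as f:
                    text = f.read()
            except OSError:
                continue  # unreadable file: skip, a real tool would log this too
            for m in PEM_BLOCK.finditer(text):
                rec = classify(m.group(1), m.group(2))
                rec["path"] = os.path.relpath(path, root).replace(os.sep, "/")
                rec["seen_at"] = datetime.now(timezone.utc).isoformat()  # step 3: when it was seen
                findings.append(rec)
    return findings


def build_sample_tree():
    """Constructed sample data with placeholder bodies (not real key material)."""
    root = tempfile.mkdtemp()
    samples = {
        "etc/pki/cert.pem": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n",
        "home/app/id.key": "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n",
        "etc/pki/safe.key": "-----BEGIN ENCRYPTED PRIVATE KEY-----\nPLACEHOLDER\n-----END ENCRYPTED PRIVATE KEY-----\n",
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(content)
    return root
```

Calling `scan_tree(build_sample_tree())` returns three records; only `home/app/id.key` is flagged `unprotected`, which is the finding a key custodian would have to investigate and document.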
While these are just some of the ways to protect your keys and certificates, it goes without saying that attacks arriving over SSL/TLS are a real concern (as evidenced by the Heartbleed bug). The survey, which was conducted by an independent market research company, provides important data on the health of cryptographic key management across industries, according to the responding CIOs. Given the reliance on cryptography to protect sensitive data, protecting cryptographic keys and understanding encrypted data flows are smart first steps against attacks that evade your perimeter defenses using the very techniques meant to protect that data.