Vulnerabilities in Mobile Networks Opens Bitcoin Wallets to Hackers

Positive Technologies shows how hackers can gain access to bitcoin wallets using architecture flaws in SS7

Cryptocurrencies offer unprecedented transaction speeds and remittance security, but this is compromised by the weak security of digital wallets storing them. Positive Technologies has demonstrated an attack on a user account of Coinbase — one of the largest bitcoin exchanges in the world, which manages assets of over 9 million clients, with more than 20 billion USD in various digital currencies combined on their accounts.

Minimum personal information about a victim – their first name, last name, and phone number – was enough to hack a test wallet in Coinbase. By exploiting SS7 vulnerabilities to intercept SMS with one-time passwords, PT researchers were able to learn the email address linked to the wallet, obtained control over it, and gained access to the wallet itself.  Once they had the account password for the wallet, they were easily able to withdraw cybermoney.

Positive Technologies was one of the first to pay attention to SS7 security flaws. Attacks exploiting these vulnerabilities can be launched from anywhere, which is a great benefit to attackers. In spring 2017, the first cases of attacks exploiting SS7 were registered in Germany, in which money was stolen from bank accounts. Cybercriminals intercepted texts with online banking authentication codes sent to customers of Telefonica Germany (O2), a German mobile operator, and used them to carry out unauthorized transactions.

“We work in close coordination with telecom operators to discover threats before hackers do, in order to protect subscribers. Exploiting SS7 specific features is one of several existing ways to intercept SMS. Unfortunately, it is still impossible to opt out of using SMS for sending one-time passwords. It is the most universal and convenient two-factor authentication technology. All telecom operators should analyze vulnerabilities and systematically improve the subscriber security level,” says Dmitry Kurbatov, Head of telecommunications security department at Positive Technologies.

The attack method is demonstrated in this video: https://vimeo.com/232678861/b1295b6384