It’s time to stop using SMS for anything.

By now most infosec professionals are aware of various ways SMS text messaging can be hijacked. For example so-called “SIM Swap” attacks, SS7 attacks, Port-out fraud, etc. All of these attacks however do require some level of sophistication, whether it be high level access to SS7, or account information or social engineering to successfully port out the phone number to a new provider or swap the sim on the existing account.

There is however other vulnerabilities that are not particularly well known. For VoIP numbers in particular, which may be assigned to a CLEC or VoIP wholesaler, the SMS may need to be routed to a different carrier than the carrier of record. This is accomplished in two different ways. One is an ALT SPID, which NPAC defines as “The four-digit identifier of a second service provider associated with a telephone number or thousand block. It identifies the wholesale service provider customer to which the PSTN service provider has assigned the number. The second service provider in turn may either assign the number to its retail customer or to another service provider for its use.” ALT SPIDs are vulnerable and susceptible to change and can be used to hijack SMS, but it too does require carrier-level access to make changes directly to NPAC. In particular, and importantly, it requires the current provider’s co-operation for the new carrier’s ALT SPID to be added in NPAC.

Which brings us to an alternative SMS routing provider, NetNumber. NetNumber has a product called NetNumber ID (NNID), it’s a 6 digit number similar to an ALT SPID that identifies the carrier to route to for SMS. Net Number explains it in this 2019 Q&A:

We quickly found that every industry database, in every country around the world, has its own model for identifying a communications service provider. The Local Exchange Routing Guide (LERG) database uses a 4-digit Operating Company Number (OCN), the Number Portability Administration Center (NPAC) portability database uses 10-digit Local Routing Number (LRN), most Home Location Registers (HLRs) utilize a 5 or 6-digit Home Network Identity (HNI), etc.

In order to make these databases useful for global routing, the NetNumber team created a globally unique naming convention called NetNumber ID (NNID) that is now widely used by fixed-line, mobile, cable/ Multiple System Operator (MSO) and Over the Top (OTT) service providers to route calls and messages on a global basis. The NetNumber data service team maintains and constantly updates the assignment of NNIDs to every service provider in the world so that our customers can easily identify a destination operator using our global data sources. NNID has become so popular and widely adopted that it has become common to hear service providers say that they “route on NNID.”

As a result, there are many VoIP providers that offer “off net” “text enablement”. Companies such as ZipWhip that promise to let you “Text enable your existing business phone number.” so that customers can text your main business line whether it be VoIP, toll-free or a landline number. There are a plethora of other wholesale VoIP providers that allow you to become a reseller with little to no verification, many of them allow agreements known as “blanket LOAs” where you as the reseller promise that you have an LOA on file for any number you want to text enable for your resellers or end-users. In essence, once you have a reseller account with these VoIP wholesalers you can change the Net Number ID(NNID) of any phone number to your wholesale provider’s NNID and begin receiving SMS text messages with virtually no authentication whatsoever. No SIM Swap, SS7 attacks, or port outs needed — just type the target’s phone number in a text box and hit submit and within minutes you can start receiving SMS text messages for them. They won’t even be alerted that anything has happened as their voice & data services will continue to work as usual. Surprisingly, despite the fact that I publicly disclosed this in 2018, nothing has been done to stop this relatively unsophisticated attack.

NetNumber does have the ability to ‘lock’ specific numbers/carriers from being hijacked, however this doesn’t really solve the issue. As an unregulated quasi-authority for SMS routing they have made mistakes in the past. For example, this specific issue of number hijacking was highlighted in a QSI Consulting Exploratory Paper when ZipWhip had been using anti-competitive tactics to insert themselves as the sole SMS text provider for toll free numbers. “The arrangements between the mobile providers and Zipwhip created a de facto monopoly provider for Toll-Free texts to and from roughly 100 percent of the nation’s mobile subscribers.” (Page 6, QSI Consulting Exploratory Paper).

From the QSI Consulting Exploratory Paper

In addition to the ability to hijack numbers without authorization, ZipWhip had at the time refused to release numbers for SMS text messaging purposes back to their authorized customers. SOMOS Letter to FCC, WT Docket №08–7 (07/01/2016) (“For example, Zipwhip refused to recognize an authorized change of service providers and blocked legitimate messaging traffic. Only after intervention by CTIA and Somos did Zipwhip finally relent and allow the messaging traffic to flow through to the legitimate and authorized customer.”)

All of this was enabled by NetNumber who would assign ZipWhip’s NetNumber ID(NNID) to these toll free numbers, and who would presumably refuse other SMS providers to assign their own NNID to these toll-free numbers. While this situation was changed only after SOMOS and CTIA intervention, in our testing we found that Bandwidth.com numbers — or numbers that had Bandwith.com’s NNID assigned to them — could similarly not be hijacked, while virtually all other numbers could have their NNID re-assigned or hijacked without any prior authorization whatsoever, including wireless numbers.

Up until sometime on Thursday, March 11th, 2021 NetNumber was allowing any and all wireless phone numbers to have their NNIDs reassigned or hijacked without any authorization or verification as well. Presumably while this author and other journalists were seeking comment, after a proof of concept was demonstrated, it appears they have devised a scheme to pretend this is no longer a problem by temporarily not allowing wireless numbers to be hijacked. Their quick fix however brings more questions than answers. If wireless numbers are locked to the carrier they’re already assigned to then what is the purpose of NetNumber’s database? The carrier information about a wireless number can easily be looked up in NPAC without querying NetNumber to see where to send an SMS message to, and why decide only now to offer this protection to wireless numbers and only wireless numbers? Furthemore, people use VoIP numbers instead of their real wireless numbers for various services and those folks are still left vulnerable to this attack while only those who don’t care about their privacy and use their real mobile numbers are protected. The point here is until NetNumber is regulated by the FCC (and the various other telecom regulatories that NetNumber operates in), nothing in their database can be trusted. They make unilateral policy decisions on the fly for whatever purpose suits them. To paraphrase Orwell’s Animal Farm, some carriers are more equal than others.

To demonstrate this point further the country of Barbados has 2 main mobile providers, Flow & Digicel. As of the date of this article, it is believed it’s still possible to hijack any barbados mobile number on these carriers through NetNumber — we’ve only tested and verified on Flow though. Since most providers “route on NNID” attackers hijacking Barbados mobile numbers would succeed in intercepting SMS from 2FA companies like Twilio that use NetNumber to send SMS. However, locally on the island of Barbados, Flow & Digicel route to each other without any NNID lookup, so the victim’s texts locally would still flow back and forth with no suspicion at all that their text messages internationally with carriers that use NetNumber, and importantly text messages from almost any 2FA service on the internet, were being hijacked. This is likely the case for most if not all of the caribbean islands in NANP’s +1 region.

Enter Okey Monitor, a new service that promises to alert you to this type of attack, as well as other SMS intercept attacks(such as port outs, etc.). Their website states:

The unspoken truth is, out-of-band security gaps exist which allow hackers to virtually steal your phone from anywhere. In today’s world, if they have your phone, they are ‘Authentically’ you. Now they can easily pass Two-Factor Authentication and take over your accounts. Hijack your text messages. Impersonate you. All without you knowing a thing.

The key to protect against Communication Hijack Attacks…

You need to be aware of unauthorized changes to your mobile service while it’s happening, in real-time, then take action. We have the solution.

Sign up for our free beta and we’ll monitor out-of-band communications such as your routes and carrier settings. If a malicious event takes place, we’ll alert you through alternative forms of trusted communication. Now you’ll know.

from Hacker News https://ift.tt/2NmISaz