PROOF OF CONCEPT | Dubbed ‘evil attack’, hackers can take over your phone number

July 31, 2017 - 10:01 PM

LAS VEGAS, NEVADA — The UnicornTeam researchers from 360 Technology, China’s leading security company, demoed an “evil attack” at the on-going hacker summit in Las Vegas, Nevada. The attack, “Ghost Telephonist”, can let hackers get the content of a user’s call and SMS.

In the team’s presentation at the on-going hacker summit Black Hat USA 2017 and DEF CON in Las Vegas, Nevada, security researchers introduced one vulnerability in CSFB (Circuit Switched Fallback) in 4G LTE network. In the CSFB procedure, researchers found the authentication step is missing.

“Several exploitations can be made based on this vulnerability,” Unicorn Team wireless security researcher Huang Lin, told Xinhua. “We have reported this vulnerability to the Global System for Mobile Communications Alliance(GSMA)”.
The security research team presented a scenario where one could reset a Google account password using a stolen mobile number.

After hijacking a user’s communication, researcher signed in the user’s Google Email and clicked “forget the password”. Since Google sends verification code to the victim’s mobile, attackers can intercept the SMS text, thereby reseting the account’s password. The victim keeps online in 4G network and is not aware of the attack.

A lot of Internet application accounts use verification SMS to reset the login password, which means attacker can use a cellphone number to start password reset procedure then hijack the verification SMS.

According researchers, the attacker can also initiate a call/SMS by impersonating the victim. Furthermore, Telephonist Attack can obtain the victim’s phone number and then use the phone number to make advanced attack. The victim will not sense being attacked since no 4G or 2G fake base station is used and no cell re-selection. These attacks can randomly choose victims or target a given victim.

The research team proposed many countermeasures to operators and Internet service provider as well. Researchers say now they are collaborating with operators and terminal manufactures to fix this vulnerability.