Hacking Facebook Accounts with just a phone number through the SS7 protocol

Share this…

Even where users have chosen strong passwords and taken extrasecurity measures, their Facebook FB -0.29% accounts are not safe from hackers. Researchers have proven just that by taking control of a Facebook account with only a phone number and some hacking skills to exploit the SS7 network, a core piece of telecoms infrastructure shown to be vulnerable repeatedly over the last half decade.

What’s the problem with SS7? As the SS7 network trusts messages sent over it regardless of their origin, hackers can trick it into diverting calls and texts to their own devices. All they need is the phone number and some device details to initiate the silent snooping. Positive Technologies, which demoed the Facebook hack for FORBES, recently showed they could also hijack WhatsApp and Telegram accounts with similar tricks.

The Facebook hack takes the exploits a step further, only requiring a phone number. The attacker clicks on the “Forgot account?” link on the Facebook.com homepage. When asked for an email address or phone number linked to the target account, the hacker provides the legitimate number. By diverting the text message containing a one-time passcode to their own PC or phone, they can login to the account, as shown in the video below.


The attack, of course, requires the user to have registered a phone number with Facebook and to have authorized Facebook Texts. Nevertheless, Positive’s work shows that any service that usesSMS to verify user accounts has left open an avenue for hackers to quickly target customers.

As hackers are already exploiting the flaws, and surveillance companies are selling $20 million SS7 snooping services to nation state spies, network operators are trying to roll out protections for customers. FORBES has learned that British intelligence service GCHQ is helping European providers improve their SS7 security, via CESG, the body’s information security arm. “The Government takes mobile network security and resilience extremely seriously,” a spokesperson for CESG said over email. “We are aware of the SS7 issue and will continue to support the work underway by the telecoms industry to tackle this issue and ensure customers remain protected.”

Vodafone and Telefonica are currently working on improvements, sources told FORBES. According to Karsten Nohl, a security researcher who is assisting unnamed operators protect their networks, simple firewall rules preventing obvious trickery would solve 90 per cent of the security issues associated with SS7.

Users can take some steps to prevent SS7 attacks on their own phones, as outlined in my previous article on the vulnerabilities. Alex Mathews, technical manager EMEA of Positive Technologies, also suggested users not publish their phone number on public resources; they could rely solely on their email to recover Facebook and other social media accounts. Two-factor authentication that doesn’t use SMS texts for receiving codes, but instead go via an app as Facebook offers, will also help prevent account takeovers.