Database Blunder Left Two-Step Codes, Account Reset Links Exposed
A database security blunder revealed on Friday serves as a reminder that the days of SMS-based authentication should be over.
The database, which wasn’t protected by a password, contained 26 million text messages, some of which were two-step verification codes and password reset links, TechCrunch reports. When it was found, the database was still recording texts in near real-time, offering a huge resource for potential attackers.
The database ran on Amazon's hosted Elasticsearch service and exposed Kibana, a visualization and querying front end that made it possible to search the mass of data for text strings and phone numbers, TechCrunch reports.
A security researcher, Sébastien Kaul of Berlin, discovered the database using the Shodan search engine, according to TechCrunch. The database belonged to Voxox, a San Diego-based company formerly known as Telecentris, which specializes in VoIP, bulk SMS and other cloud-based telecommunication services.
Voxox offers a service that helps organizations deliver SMS messages using the Short Message Peer-to-Peer (SMPP) protocol or a web service API. Voxox accepts whatever message an organization wants to send and relays it to the mobile networks.
That makes the company a key link in the security chain. TechCrunch reports that a search through the database showed it held codes and messages transmitted on behalf of a host of big companies, including Microsoft, Yahoo, Fidelity Investments, Badoo and more.
After TechCrunch notified Voxox, the database was taken offline. Efforts by Information Security Media Group to reach Voxox officials weren't immediately successful.
The risk posed by sending anything sensitive via SMS is well known and has been repeatedly flagged. In July 2016, the National Institute of Standards and Technology advised in a draft of its digital authentication guidelines that SMS as an out-of-band authenticator should be deprecated.
SMS continues to pose significant risks to individuals because attackers have increasingly intercepted these messages, using more aggressive techniques, as a means to compromise accounts.
SIM swaps or hijacks – where attackers gain control of someone’s mobile phone number – can be used to capture a two-step verification code sent by SMS. Such attacks prey on mobile operators that may not have strong controls for verifying customers when someone requests a new SIM or to port a number (see: Gone in 15 Minutes: Australia’s Phone Number Theft Problem).
Concern also surrounds Signaling System #7, or SS7, the signaling protocol used to set up and route phone calls, which was first developed in the 1970s. The protocol enables mobile roaming around the world by connecting carriers to Home Location Register databases, which contain subscriber and routing data.
But rogue access to SS7 can lead to a lot of mischief, because it’s possible to track a device’s location, intercept calls or disrupt service. Last year, hackers gained access to SS7 and forwarded calls and texts from certain numbers to their own numbers, allowing them to capture one-time codes for bank accounts in Germany (see: Bank Account Hackers Used SS7 to Intercept Security Codes).
2FA Adoption Remains Challenging
Service providers are diversifying their options for delivering two-step verification codes, supporting independent code-generator apps such as Google Authenticator, Authy, Duo and others. Those types of applications generate the code on the device itself and take SMS out of the equation.
But there’s still a heavy reliance on SMS. Google, LinkedIn, Instagram and other service providers sometimes still use that mobile channel for password resets, depending on how an account is configured.
Using two-step verification over SMS, however, remains better than nothing. But in many respects, getting users just to turn it on voluntarily is a feat, much less persuading the masses to use an application to generate the codes. In January, a Google engineer said less than 10 percent of Gmail users had enabled two-step verification, The Register reported.
With billions of leaked usernames and passwords floating around in huge lists from data breaches, one-time passcodes over SMS have probably saved many users from account compromise. But there's a clear case to be made for nudging users toward code-generating apps.
The stored information in Voxox's database wouldn't be directly useful for account takeovers, because the transmitted codes and links would have expired by the time anyone read them. The caveat is that the database was still recording messages in near real time, so anyone who found it while it was online could have harvested codes and reset links that were still valid.
What is perhaps more disconcerting is that it's unclear how long the database may have been online and whether someone else discovered it before Kaul did. The finding also raises questions about the other companies and parties involved in SMS transmission chains. It's a reminder once again that if account security is imperative, the mandate remains clear: If possible, ditch two-step verification via SMS.