X

A flaw in wireless networks lets hackers pretend to be you

There are calls and text messages coming from your phone number that you never made. Meet the “ghost telephonist.”

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
3 min read
hacking-security-hackers-privacy-2893.jpg

The "Ghost Telephonist" lets hackers take over your phone number.

James Martin/CNET

When it comes to the "Ghost Telephonist," it's spookier than "the calls are coming from inside the house!"

They're coming from your own phone number.

Consider how unique your phone number is to your identity. It's tied to a majority of your online accounts for banking, social networks, travel and work, now that banks and apps are relying on phone numbers to help protect your accounts. Those digits can stick with a person for life. In a blog post, former DEA agent Thomas Martin went as far as calling your cell phone number the "new social security number."

So, when cybercriminals get to see your cellphone number, they can cause damage like taking over your bank accounts, according to NextAdvisor. When they can use your phone number, things get much scarier.

The Unicorn Team researchers from 360 Technology, China's leading security company, discovered they could hack phones when they switched from modern LTE wireless networks to older, slower 2G technology. Of course, our phones do this all the time when the signal's weak, although you may not notice when it's happening.

Still, if hackers take advantage of the opening, they're able to send text messages and phone calls from a victim's phone number, the team said during a presentation at the Black Hat security conference in Las Vegas Thursday.

The hack works because of the way your phone rushes to keep a connection running when it switches between network technologies, said Lin Huang, one of the researchers on the team.

Typically, when a phone wants to connect to a wireless network, it needs to send an authentication codes that identify it as the correct phone using your number, the researchers said.

But, when a phone switches between slower and faster technologies, it skips that authentication step, Huang's team found, in order to keep your connection as stable as possible.

Perhaps the worst thing Huang and his team found out is that if a hacker successfully takes over your phone number, you may never see it.

The "Ghost Telephonist" attack, which Unicorn Team named, can cause several headaches for victims, the researchers found. After taking over your phone number, hackers could use it on their own devices to gain access to many of your online accounts.

You can find accounts on social media by typing in a phone number, for example. The Unicorn Team took it a step further, and requested to reset a password by phone on Facebook. Facebook automatically sent a text message to the phone number -- which Unicorn Team had hijacked -- and used it to take over the social network account.

The team has informed network standards bodies about the vulnerability and said involved providers have fixed the issue or are in the process of doing it. They recommend that companies fix their authentication process or switch over to more secure technologies, which do exist.

Setting your phone on airplane mode also blocks out the Ghost Telephonist, Huang said, but then of course you're disconnected.

"If you are in airplane mode, that means your phone already told the network, 'I'm offline,'" she said.  

Intolerance on the Internet: Online abuse is as old as the internet and it's only getting worse. It exacts a very real toll.

It's Complicated: This is dating in the age of apps. Having fun yet? These stories get to the heart of the matter.