When it comes to the “Ghost Telephonist,” it’s spookier than “the calls are coming from inside the house!”
They’re coming from your own phone number.
Consider how unique your phone number is to your identity. It’s tied to a majority of your online accounts for banking, social networks, travel and work, now that banks and apps are relying on phone numbers to help protect your accounts, those digits can stick with a person for life. In a blog post, former DEA agent Thomas Martin went as far as calling your cell phone number the “new social security number.”
So, when cybercriminals get to just see your cellphone number, they can cause damage like taking over your bank accounts, according to NextAdvisor. When they can use your phone number, things get much scarier.
The Unicorn Team researchers from 360 Technology, China’s leading security company, discovered they could hack phones when they switched from modern LTE wireless networks to older, slower 2G technology. Of course, our phones do this all the time when the signal’s weak, although you may not notice when it’s happening.
Still, if hackers take advantage of the opening, they’re able to send text messages and phone calls from a victim’s phone number, the team said during a presentation at the Black Hat security conference in Las Vegas Thursday.
The hack works because of the way your phone rushes to keep a connection running when it switches between network technologies, said Lin Huang, one of the researchers on the team.
Typically, when a phone wants to connect to a wireless network, it needs to send an authentication codes that identify it as the correct phone using your number, the researchers said.
But, when a phone switches between slower and faster technologies, it skips that authentication step, Huang’s team found, in order to keep your connection as stable as possible.
Perhaps the worst thing Huang and his team found out is that if a hacker successfully takes over your phone number, you may never see it.
The “Ghost Telephonist” attack, which Unicorn Team named, can cause several headaches for victims, the researchers found. After taking over your phone number, hackers could use it to gain access to many of your online accounts.
You can find accounts on social media by typing in a phone number, for example. The Unicorn Team took it a step further, and requested to reset a password by phone on Facebook. Facebook automatically sent a text message to the phone number — which Unicorn Team had hijacked — and used it to take over the social network account.
The team has informed network standards bodies about the vulnerability, and said involved providers have fixed the issue, or are in the process of doing it. They recommend that companies fix their authentication process, or switch over to more secure technologies, which do exist.
Setting your phone on airplane mode also blocks out the Ghost Telephonist, Huang said, but then of course you’re disconnected.
“If you are in airplane mode, that means your phone already told the network, ‘I’m offline,'” she said.