SS7 (Signaling System 7) is used by cellphone providers to help route calls and texts, especially between providers. It was developed in the 1980s, and it is now apparent that the system is woefully insecure. German researchers have discovered vulnerabilities that allow them to manipulate built-in tools to spy on anyone using the network, i.e., everyone using a phone. These tools allow hackers to track users, listen in on phone calls, read texts, and record encrypted communication for later decryption. That’s just the start.
Not only can hackers spy on legitimate users, they can impersonate them as well, making phone calls or sending texts for free anywhere in the world. This is because of the universal nature of SS7. At the time of its creation, there were very few global communication providers, so security was very lax. There were only a few entry points. Now that there are over 800 providers using the network, it is impossible to keep everything secure. Ciaran Bradley, chief product officer at AdaptiveMobile, which provides network security for a fifth of all mobile users in the world, says, “Once you have SS7 access and a mobile phone number, you pretty much can track anyone around the world.”
Even worse than the possibility of blackhat access to a global telecom network, companies such as Verint are actually developing surveillance tools that use these vulnerabilities and marketing them to anyone with the coin. Of course, governments like the US and England already have these capabilities, but these services would give any organization or government the ability to track any phone in the world, instantly.
It is unclear which governments have acquired these tracking systems, but one industry official, speaking on the condition of anonymity to share sensitive trade information, said that dozens of countries have bought or leased such technology in recent years.
“Any tin-pot dictator with enough money to buy the system could spy on people anywhere in the world,” said Eric King, deputy director of Privacy International, a London-based activist group that warns about the abuse of surveillance technology. “This is a huge problem.”
So obviously this is a huge problem, and hopefully there has been an effort to fix it, right? Unfortunately, all the information in this article so far is from mid-December 2014. According to a recent article by Positive Research Security, the result of these vulnerabilities coming to light is… numerous statements from companies such as GSMA and T-Mobile stating they are “…looking into these issues.” Only more recently did GSMA tell The Post that “it was due to be replaced over the next decade because of a growing list of security and technical issues.” For obvious reasons, providers don’t want subscribers to know about these problems. It is also believed that law enforcement agencies around the world, as well as companies like Verint, use the system for surveillance.
60 Minutes Australia recently did a story in which they covered the vulnerabilities, and found that no progress has been made in fixing them since their discovery. “Criminals now have access to these huge security holes to steal your data and listen in to your calls. We know telephone companies know about it, we know security agencies know about it, but nothing is being done.”
The following is a quote from a Positive Research Center report on SS7:
During testing network security, Positive Technologies experts managed to perform such attacks as discovering a subscriber’s location, disrupting a subscriber’s availability, SMS interception, USSD request forgery (and transfer of funds as a result of this attack), voice call redirection, conversation tapping, disrupting a mobile switch’s availability.
The testing revealed that even the top 10 telecom companies are vulnerable to these attacks. Moreover, there are known cases of performance of such attacks on the international level, including discovering a subscriber’s location and tapping conversations from other countries.
Common features of these attacks:
- The intruder doesn’t need sophisticated equipment. We used a common computer with OS Linux and SDK for generating SS7 packets, which is publicly available on the web.
- Upon performing one attack using SS7 commands, the intruder is able to perform the rest of the attacks by using the same methods. For instance, if the intruder managed to determine a subscriber’s location, only one step is left for SMS interception, transfer of funds etc.
- Attacks are based on legitimate SS7 messages: you cannot just filter messages, because it may have negative influence over the whole service. An alternative way to solve the problem is presented in the final clause of this research.
Read the full PDF report here.
by Mark White