Ss7 Flaw Apk




But the Signaling System 7 (SS7) vulnerability is a reality. Not only that, it’s an intentional loophole that’s existed for years. It’s a Feature, Not a Flaw. Feb 21, 2013 Download Open SS7 for free. An open implementation of the SS7 core protocols, MTP, SCCP, ISUP, and TCAP.

SS7 hack explained

Technology, by its nature, develops on the basis of current progress. Sometimes it is worth going back to the blue box era to discover something about today’s world. More or less recent scandals involving the NSA’s practice of tracking, listening to, and intercepting communication without authorisation made a splash, but not many took the time and effort to understand the magic behind it. Kudos to the Washington Post: they went looking into this.

After a little research that took me 50 years back in time, I will explain the technology behind it and demonstrate that one does not need NSA resources or an army of hackers to repeat the trick on you.

The calling protocol that one network uses to “talk” to another was developed in the 1970s and is called SS7. The protocol was somewhat refined around 2000 with the SIGTRAN specification, which made it friendly to IP network environments. This, however, meant that all the weak links on the upper level of the SS7 infrastructure were carried over.

Picture that the communication is made possible not by one but by several hundred links, which form a chain that makes the phone on the other end of your call ring. Referring back to my earlier post on “Evolution of Authentication”, I would like to demonstrate that the same principle of security level assessment applies here: the chain is only as safe as its weakest link.

During my time at Deutsche Telekom Consulting, I was involved in the review of a number of networks (fun times included climbing down sewers following copper lines laid there in the 50s, 60s and 70s, which were used by corporations and governments in 2003-2004 and are likely still in place). The hardware and software providers vary from network to network and are extremely segmented, which leads to a simple result: they have to keep their chains wide open to make sure that the next chain link can integrate.

So did anyone know about these vulnerabilities until 2013? In short: of course. The first reference I have discovered dates back to a report published in 2001, which I (admittedly) could not read in full due to my neglected Swedish. Google Translate may help you.

It was also made public by Tobias Engel during a Chaos Computer Club Congress held in 2008, when Tobias made a live demo of tracking abilities:

A white paper on the SS7 hack: “SS7: locate track manipulate” (pdf file; original here)

And, of course, it was most widely reported during the NSA scandal involving Edward Snowden, which revealed how the NSA was exploiting the weaknesses of SS7 to create a very intelligent and complex series of solutions enabling them to simultaneously track and analyse millions of citizens without their or their carriers’ knowledge or approval.

SS7 hack software

So what does one require to make this work? The list is quite short:

  • Computer
  • Linux OS
  • SDK for SS7

Apart from the computer itself, the remaining ingredients are free and publicly available on the Internet.

It may have slipped under your radar, but apparently there is now a legal way to use this technology to track anyone worldwide, and the NSA is not involved at all: the service offering is open to the public and provided by the NASDAQ-listed Verint Systems Inc. (NASDAQ: VRNT). In their product description, which was made public, they refer to the system as “Skylock”. During my search I even stumbled upon a certification of the encryption capabilities of this product by NIST (certificate scan).

Verdict? Abandon illusions of privacy if you still had them.

Sources:

  • A study of Location-Based Services including design and implementation of an enhanced Friend Finder Client with mapping capabilities (Aug. 2001)
  • Uncut video of Tobias Engel’s speech “Locating mobile phones using signalling system #7” at 25th Chaos Computer Club Congress (12/27/2008 21:45:00)
  • Skylock product description (2013)

Disclaimer: this article is a warning to regular citizens about the low technological barrier protecting their privacy, specifically in relation to mobile phone hacking using the SS7 protocol. It is not a guide to hack-a-phone. I will intentionally leave a few aspects uncovered. I urge all readers NOT to use this technology and hope that the solution to restrict this ability to track phones will be implemented soon.

German hacker Karsten Nohl has demonstrated to the crew of CBS News’ 60 Minutes program how easy it can be for well-resourced attackers to eavesdrop on the phone calls and track the current geographic position of any one user.

All the attacker needs to know about the target is his or her phone number, and have access to Signalling System No. 7 (SS7).

The vulnerability


SS7 is a set of telephony signaling protocols that are used by thousands of telecoms around the world so that their users can connect to different telecom networks, make phone calls, send text messages, etc, when traveling, and for several other purposes and services that simplify the life of both the users and the operators.

Unfortunately, some things SS7 allows can easily be taken advantage of by attackers. For example, it allows telecoms to “ask” the user’s phone to share its location. It also allows the telecom to route calls and messages through a proxy server with the caller/sender and the party on the receiving end being none the wiser, record calls, and decrypt them (if they are encrypted).

These capabilities are exactly those that Nohl took advantage of in order to demonstrate his capability to follow US congressman Ted Lieu’s location and eavesdrop on his calls (the congressman agreed to be part of the test).

Granted, Nohl had apparently been given access to an operator’s network, and that might not be easy to achieve if you’re a lowly, random hacker. On the other hand, state-sponsored hackers, intelligence agencies, and even some well-heeled criminal gangs could find a way to do it, either through social engineering tricks, bribery, or by simply using secret court orders.

This particular flaw in SS7 was discovered and publicly revealed by Nohl and researcher Tobias Engel in 2014. Even before that, it was widely known that dozens of countries had bought or leased surveillance technology that allowed them to take advantage of this flaw to track people.

SS7 is still widely in use even though many mobile carriers are apparently already switching to an alternative protocol (Diameter). But it will take years for the switch to become total.

What do others think of it?

John Marinho, VP of cybersecurity and technology at CTIA – The Wireless Association, an international industry trade group that represents the interests of wireless telecommunications companies, dismissed the risk.

“While we are aware of the research hackers’ manipulation to exploit SS7 technology in the international wireless networks, it’s important to note that they were given extraordinary access to a German operator’s network,” he told The Register.

“That is the equivalent of giving a thief the keys to your house; that is not representative of how US wireless operators secure and protect their networks. We continue to maintain security as a top industry priority.”


But unfortunately, attackers don’t read such statements and say: “Oh, OK then, we won’t even try, there’s no way we’ll get in.” Also, they know – as does all of the infosec industry – that every system can be hacked into and it’s just a matter of enough time, resources, and effort.

Lookout founder John Hering, who was also asked to contribute to the program and who, along with other hackers and security experts, showed how easy it generally is to hack mobile phones and collect information from them, said that the average person does not have to worry about most of these attacks.

Still, he noted that their goal was to show what’s possible, so that people can understand that if we don’t address security issues, we’ll live in a world where we cannot trust the technology that we use.


The US congressman was appropriately horrified by the result of the demonstration, and expressed his opinion that anyone in the US intelligence agencies who knew about the flaw and let it remain secret so that they could use it should be fired. He also called for a congressional investigation into the flaw and its ramifications, as well as who in government knew about it.




