3g ss7 interception.docx

Post on 22-Dec-2015


Page 1: 3g ss7 interception.docx

German researchers have discovered security flaws that could let hackers, spies and criminals listen to private phone calls and intercept text messages on a potentially massive scale – even when cellular networks are using the most advanced encryption now available.

The flaws, to be reported at a hacker conference in Hamburg this month, are the latest evidence of widespread insecurity on SS7, the global network that allows the world’s cellular carriers to route calls, texts and other services to each other. Experts say it’s increasingly clear that SS7, first designed in the 1980s, is riddled with serious vulnerabilities that undermine the privacy of the world’s billions of cellular customers.

The flaws discovered by the German researchers are actually functions built into SS7 for other purposes – such as keeping calls connected as users speed down highways, switching from cell tower to cell tower – that hackers can repurpose for surveillance because of the lax security on the network.

Those skilled at the myriad functions built into SS7 can locate callers anywhere in the world, listen to calls as they happen or record hundreds of encrypted calls and texts at a time for later decryption. There also is potential to defraud users and cellular carriers by using SS7 functions, the researchers say.

These vulnerabilities continue to exist even as cellular carriers invest billions of dollars to upgrade to advanced 3G technology aimed, in part, at securing communications against unauthorized eavesdropping. But even as individual carriers harden their systems, they still must communicate with each other over SS7, leaving them open to any of thousands of companies worldwide with access to the network. That means that a single carrier in Congo or Kazakhstan, for example, could be used to hack into cellular networks in the United States, Europe or anywhere else.

“It’s like you secure the front door of the house, but the back door is wide open,” said Tobias Engel, one of the German researchers.

Engel, founder of Sternraute, and Karsten Nohl, chief scientist for Security Research Labs, separately discovered these security weaknesses as they studied SS7 networks in recent months, after The Washington Post reported the widespread marketing of surveillance systems that use SS7 networks to locate callers anywhere in the world. The Post reported that dozens of nations had bought such systems to track surveillance targets and that skilled hackers or criminals could do the same using functions built into SS7. (The term is short for Signaling System 7 and replaced previous networks called SS6, SS5, etc.)

The researchers did not find evidence that their latest discoveries, which allow for the interception of calls and texts, have been marketed to governments on a widespread basis. But vulnerabilities publicly reported by security researchers often turn out to be tools long used by secretive intelligence services, such as the National Security Agency or Britain’s GCHQ, but not revealed to the public.

“Many of the big intelligence agencies probably have teams that do nothing but SS7 research and exploitation,” said Christopher Soghoian, principal technologist for the ACLU and an expert on surveillance technology. “They’ve likely sat on these things and quietly exploited them.”

The GSMA, a global cellular industry group based in London, did not respond to queries seeking comment about the vulnerabilities that Nohl and Engel have found. For the Post’s article in August on location tracking systems that use SS7, GSMA officials acknowledged problems with the network and said it was due to be replaced over the next decade because of a growing list of security and technical issues.

The German researchers found two distinct ways to eavesdrop on calls using SS7 technology. In the first, commands sent over SS7 could be used to hijack a cell phone’s “forwarding” function – a service offered by many carriers. Hackers would redirect calls to themselves, for listening or recording, and then onward to the intended recipient of a call. Once that system was in place, the hackers could eavesdrop on all incoming and outgoing calls indefinitely, from anywhere in the world.

The second technique requires physical proximity but could be deployed on a much wider scale. Hackers would use radio antennas to collect all the calls and texts passing through the airwaves in an area. For calls or texts transmitted using strong encryption, such as is commonly used for advanced 3G connections, hackers could request through SS7 that each caller’s carrier release a temporary encryption key to unlock the communication after it has been recorded.

Nohl on Wednesday demonstrated the ability to collect and decrypt a text message using the phone of a German senator, who cooperated in the experiment. But Nohl said the process could be automated to allow massive decryption of calls and texts collected across an entire city or a large section of a country, using multiple antennas.

“It’s all automated, at the push of a button,” Nohl said. “It would strike me as a perfect spying capability, to record and decrypt pretty much any network… Any network we have tested, it works.”

Those tests have included more than 20 networks worldwide, including T-Mobile in the United States. The other major U.S. carriers have not been tested, though Nohl and Engel said it’s likely at least some of them have similar vulnerabilities. (Several smartphone-based text messaging systems, such as Apple’s iMessage and Whatsapp, use end-to-end encryption methods that sidestep traditional cellular text systems and likely would defeat the technique described by Nohl and Engel.)

In a statement, T-Mobile said: “T-Mobile remains vigilant in our work with other mobile operators, vendors and standards bodies to promote measures that can detect and prevent these attacks.”

The issue of cell phone interception is particularly sensitive in Germany because of news reports last year, based on documents provided by former NSA contractor Edward Snowden, that a phone belonging to Chancellor Angela Merkel was the subject of NSA surveillance. The techniques of that surveillance have not become public, though Nohl said that the SS7 hacking method that he and Engel discovered is one of several possibilities.

U.S. embassies and consulates in dozens of foreign cities, including Berlin, are outfitted with antennas for collecting cellular signals, according to reports by German magazine Der Spiegel, based on documents released by Snowden. Many cell phone conversations worldwide happen with either no encryption or weak encryption.

The move to 3G networks offers far better encryption and the prospect of private communications, but the hacking techniques revealed by Nohl and Engel undermine that possibility. Carriers can potentially guard their networks against efforts by hackers to collect encryption keys, but it’s unclear how many have done so. One network that operates in Germany, Vodafone, recently began blocking such requests after Nohl reported the problem to the company two weeks ago.

Nohl and Engel also have discovered new ways to track the locations of cell phone users through SS7. The Post story, in August, reported that several companies were offering governments worldwide the ability to find virtually any cell phone user, virtually anywhere in the world, by learning the location of their cell phones through an SS7 function called an “Any Time Interrogation” query.

Some carriers block such requests, and several began doing so after the Post’s report. But the researchers in recent months have found several other techniques that hackers could use to find the locations of callers by using different SS7 queries. All networks must track their customers in order to route calls to the nearest cellular towers, but they are not required to share that information with other networks or foreign governments.

Carriers everywhere must turn over location information and allow eavesdropping of calls when ordered to by government officials in whatever country they are operating in. But the techniques discovered by Nohl and Engel offer the possibility of much broader collection of caller locations and conversations, by anyone with access to SS7 and the required technical skills to send the appropriate queries.

“I doubt we are the first ones in the world who realize how open the SS7 network is,” Engel said.

Secretly eavesdropping on calls and texts would violate laws in many countries, including the United States, except when done with explicit court or other government authorization. Such restrictions likely do little to deter criminals or foreign spies, say surveillance experts, who say that embassies based in Washington likely collect cellular signals.

The researchers also found that it was possible to use SS7 to learn the phone numbers of people whose cellular signals are collected using surveillance devices. The calls transmit a temporary identification number which, by sending SS7 queries, can lead to the discovery of the phone number. That allows location tracking within a certain area, such as near government buildings.

The German senator who cooperated in Nohl’s demonstration of the technology, Thomas Jarzombek of Merkel’s Christian Democratic Union party, said that while many in that nation have been deeply angered by revelations about NSA spying, few are surprised that such intrusions are possible.

“After all the NSA and Snowden things we’ve heard, I guess nobody believes it’s possible to have a truly private conversation on a mobile phone,” he said. “When I really need a confidential conversation, I use a fixed-line” phone.


Hackers demo network-level call interception

January 05, 2015

White-hat hackers at the 31st Chaos Computer Congress have demonstrated fundamental flaws in the underlying infrastructure of 2G and 3G mobile phone networks. The flaws allow attackers to covertly track the location of a phone number as well as intercept calls and SMS - all at the network level.

Tobias Engel from the Chaos Computer Club demonstrated in front of a live audience how it was possible to send a fake network message from his laptop to block a phone from making calls and even divert calls to another phone.

This could be diverted to a man-in-the-middle recording of the conversation.

He also showed how a couple of volunteers were tracked over a few weeks as they travelled around the United States and Europe, again by spoofed network messages simply asking the mobile service center (MSC) server for the location of the subscriber.

Engel said that a journalist has contacted him with claims from a security company offering tracking of individuals down to the city street with just their phone number, and asked how it could be done.

GSM and UMTS systems all depend on a protocol called Signalling System 7 (SS7), which was designed around fixed-line telephones in the 1980s. With each phone line at a physical house and most telcos being trusted state-owned operators, privacy was not a concern at the time.

SS7 has been extended with new protocols added over time to allow for mobility, text messages and geo-location and roaming, for instance. The problem is that SS7 fundamentally does not have any authentication.

Many operators are selling legitimate access to SS7, for instance for text messaging or vehicle fleet management.

With the advent of femto cells, it is even possible for people to hack into their femto units to gain direct access to the SS7 network.

In order to track a target with simply his phone number, the attacker with access to SS7 can simply ask the HLR (home location register) for the international mobile subscriber identity (IMSI) and the mobile switching center (MSC) that the target is currently using. This is done by using what is called an anytime interrogation SS7 message to the HLR.

Many networks have blocked anytime interrogation messages, but a workaround is to use SMS routing instead, again with SS7 messages, to find the IMSI and MSC.

If that fails (with home SMS routing installed), an attacker with the IMSI obtained through out-of-band means can simply brute-force requests to MSCs all over the world until the right MSC is found.

Armed with the IMSI and the MSC, the attacker then sends an SS7 message directly to the MSC to query the location of the target.

“The MSC does not do plausibility assessments. If a German user is in his home network, an Indonesian network should not have anything to do with it [but is not prevented]. Most MSCs accept requests from anywhere and anyone,” he said.

Engel said that some networks have implemented a verify sender address mechanism for geo-location. But he said that simply by spoofing the source address, called the global title, to something that looks similar to the global title of the MSC, it was possible to circumvent the check and be treated as a legitimate, local server.

Page 12: 3g ss7 interception.docx

Away from location, it is possible to use SS7 messages to manipulate a target’s phone. Since this is at the network level, it is irrelevant if it is a smartphone or a simple feature phone.

Engel demonstrated in front of the live audience how it was possible to send SS7 messages to the MSC in order to block calls to a phone and divert calls to a third party. This could be used to set up a man-in-the-middle to eavesdrop on calls.

This was possible because when roaming, users often dial local numbers without the international prefix. There is an SS7 message that allows the HLR to tell the MSC, “when this subscriber makes a call, ask me first”. The idea is that when, for instance, a German subscriber is roaming in France, domestic German numbers get prefixed with Germany’s international country code so they can be routed correctly.

But since the HLR’s SS7 messages can be spoofed, an attacker with access to the SS7 network can send a message pretending to be the target’s HLR and tell the MSC to ask it when the target tries to make a call, thereby setting up the man-in-the-middle attack.

The same can be done for SMS, USSD and, Engel said, probably data, though he said that had not been tested yet.

Yet another vulnerability detailed involved de-anonymizing temporary mobile subscriber information (TMSI) numbers to get the IMSI and phone numbers of other users in the vicinity of the attacker.

By simply capturing TMSI paging requests over the air, it is possible to send an SS7 update to the MSC that will result in the full HLR details being returned.

“If you do that often enough in Berlin, I don’t know how long it would take you to get Angela Merkel’s phone number,” he said.

Though SS7 is used on GSM and UMTS 3G networks, LTE uses a new protocol called Diameter. However, Diameter has apparently copied many of the flaws of SS7 and still does not have end-to-end authentication.

Asked about this revelation, AIS vice-president for networks Saran Phaloprakarn pointed out one flaw in the doomsday scenario laid out by the Chaos Computer Club. While he acknowledged that the SS7 protocol was fundamentally flawed, he said the SS7 hacks could be detected at the network level with proper monitoring.

Neither Dtac nor TrueMove responded to questions by time of going to press.

German researchers have announced the discovery of new security flaws in the SS7 protocol that could be exploited by an attacker to spy on private phone calls.

A team of German researchers has discovered security flaws that could be exploited by a threat actor to spy on private phone calls and intercept text messages on a large scale, even when mobile networks are using the most advanced encryption now available.

The flaws will be reported at the next hacker conference in Hamburg, and once again the attackers will exploit insecurity in the SS7 protocol, also known as Signaling System Number 7, the protocol suite used by telecommunications operators to communicate with one another when directing calls, texts and Internet data.

The researchers also explained that the flaws in the SS7 protocol could also be exploited by criminal crews to defraud users and cellular carriers.

“The flaws, to be reported at a hacker conference in Hamburg this month, are the latest evidence of widespread insecurity on SS7, the global network that allows the world’s cellular carriers to route calls, texts and other services to each other. Experts say it’s increasingly clear that SS7, first designed in the 1980s, is riddled with serious vulnerabilities that undermine the privacy of the world’s billions of cellular customers. The flaws discovered by the German researchers are actually functions built into SS7 for other purposes – such as keeping calls connected as users speed down highways, switching from cell tower to cell tower – that hackers can repurpose for surveillance because of the lax security on the network.” reports The Washington Post.

The SS7 protocol allows cell phone carriers to collect location data related to the user’s device from cell phone towers and share it with other carriers; this means that, by exploiting SS7, a carrier is able to discover the position of its customer wherever he is.

In a previous post, I explained that surveillance vendors using the SS7 protocol are able to geo-localize users with great precision.

“The tracking technology takes advantage of the lax security of SS7, a global network that cellular carriers use to communicate with one another when directing calls, texts and Internet data.” reports the Washington Post. As explained by the researchers, the problem resides in the intrinsic security of the protocol, which is considered outdated due to the presence of several serious security vulnerabilities that can lead to the violation of the privacy of billions of mobile users worldwide.

At the time of writing, the researchers have not provided further information on the security vulnerabilities discovered in the SS7 protocol, but experts believe that hackers can exploit them to track an individual or redirect a user’s calls to the attackers.

The attack scenario is worrying and opens the door to massive surveillance activities. The American Civil Liberties Union (ACLU) has also warned people against possible abuse of such vulnerabilities by intelligence agencies and law enforcement.

“Don’t use the telephone service provided by the phone company for voice. The voice channel they offer is not secure,” principal technologist Christopher Soghoian told Gizmodo. “If you want to make phone calls to loved ones or colleagues and you want them to be secure, use third-party tools. You can use FaceTime, which is built into any iPhone, or Signal, which you can download from the app store. These allow you to have secure communication on an insecure channel.”

Unfortunately, the vulnerabilities in the SS7 protocol will continue to be present, even as cellular carriers upgrade to advanced 3G technology to avoid eavesdropping.

“But even as individual carriers harden their systems, they still must communicate with each other over SS7, leaving them open to any of thousands of companies worldwide with access to the network. That means that a single carrier in Congo or Kazakhstan, for example, could be used to hack into cellular networks in the United States, Europe or anywhere else,” states the Washington Post.

“It’s like you secure the front door of the house, but the back door is wide open,” said Tobias Engel, one of the German researchers.

The team of researchers did not find evidence that the flaws discovered have been “marketed” to governments on a widespread basis, but it is impossible to know whether intelligence agencies are already exploiting them for their operations.

“Many of the big intelligence agencies probably have teams that do nothing but SS7 research and exploitation. They’ve likely sat on these things and quietly exploited them,” Soghoian said.

Stay tuned for further information…

Pierluigi Paganini

(Security Affairs – SS7 protocol, surveillance)


Pierluigi Paganini is Chief Information Security Officer at Bit4Id, a firm leader in identity management, and a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field, and he is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Surveillance – How to secretly track cellphone users position around the globe

September 18, 2014 By Pierluigi Paganini


Using the proper surveillance systems available on the market, it is easy and quick to track cellphones and the movements of targets everywhere on the globe.

We recently discussed the decision of Wikileaks to publish copies of the criticized surveillance software FinFisher, highlighting the dangers of the militarization of cyberspace and in particular of the use of spyware to track users. The principal vendors of surveillance platforms defend their business by declaring that their solutions are only for law enforcement and intelligence agencies. Unfortunately the reality is quite different, because many threat actors worldwide use surveillance malware to track individuals for different reasons.

The Washington Post published an interesting article a few weeks ago on surveillance technology that can be used to track individuals anywhere in the world through the localization of their mobile devices. The post explains that surveillance vendors using the SS7 protocol, aka Signaling System Number 7, are able to geo-localize users with great precision.

“The tracking technology takes advantage of the lax security of SS7, a global network that cellular carriers use to communicate with one another when directing calls, texts and Internet data.” reports the Washington Post.

SS7, or Signaling System Number 7, is a protocol suite used by telecommunications operators to communicate with one another when directing calls, texts and Internet data. The SS7 protocol allows cell phone carriers to collect location data related to the user’s device from cell phone towers and share it with other carriers; this means that, by exploiting SS7, a carrier is able to discover the position of its customer wherever he is.

“The system was built decades ago, when only a few large carriers controlled the bulk of global phone traffic. Now thousands of companies use SS7 to provide services to billions of phones and other mobile devices, security experts say,” explains the post. “All of these companies have access to the network and can send queries to other companies on the SS7 system, making the entire network more vulnerable to exploitation. Any one of these companies could share its access with others, including makers of surveillance systems.” continues the Washington Post.

Another family of devices sold by companies which provide surveillance solutions are the IMSI catchers, also known by one popular trade name, StingRay. An IMSI catcher (International Mobile Subscriber Identity) is a device for telephony eavesdropping commonly used for intercepting mobile phone traffic and tracking the movement of mobile phone users. Essentially, it operates as a bogus mobile cell tower between the target mobile phone and the service provider’s real towers. The IMSI catcher runs a Man In the Middle (MITM) attack that could not be detected by victims using commercial products. Trackers based on exploitation of the SS7 protocol are recommended for use together with IMSI catchers: while the SS7 tracker locates the victim, the IMSI catcher can be deployed effectively. StingRays are common surveillance devices that are able to intercept calls and Internet traffic, send fake texts, install malware on a phone, and of course find the precise location of the victim.

“What’s interesting about this story is not that the cell phone system can track your location worldwide,” said the popular expert Bruce Schneier. “That makes sense; the system has to know where you are. What’s interesting about this story is that anyone can do it.”

Privacy advocates are really concerned with possible misuse of such technology; foreign state-sponsored hackers and cyber criminals could use it for illegal activities. Let’s remember that it is illegal in many countries to track individuals without a court order, but there is no clear international legal framework that punishes the ill-intentioned for secretly tracking people in other countries.

The FCC recently created an internal task force to study the misuse of IMSI catchers by the cybercrime ecosystem and foreign intelligence agencies, which has demonstrated that this technology could be used to spy on American citizens, businesses and diplomats.


Don’t forget that a government that wants to track us just needs to type our phone number into a computer portal, which then collects data about our location, to within a few blocks in an urban area or a few miles in a rural one, from databases maintained by cellular carriers.

The Washington Post made explicit reference to a 24-page marketing brochure for the cellular tracking system sold by Verint codenamed SkyLock. The document, dated January 2013 and labeled “Commercially Confidential,” reveals that the system offers government agencies “a cost-effective, new approach to obtaining global location information concerning known targets.” The brochure includes screen shots of maps depicting location tracking in what appears to be Mexico, Nigeria, South Africa, Brazil, Congo, the United Arab Emirates, Zimbabwe and several other countries. Verint says on its Web site that it is “a global leader in Actionable Intelligence solutions for customer engagement optimization, security intelligence, and fraud, risk and compliance,” with clients in “more than 10,000 organizations in over 180 countries.”

As said by Eric King, deputy director of Privacy International: “Any tin-pot dictator with enough money to buy the system could spy on people anywhere in the world,” and “This is a huge problem.”

Pierluigi Paganini

(Security Affairs – Surveillance, privacy)

The recently concluded Chaos Communications Congress (31c3) in Hamburg, Germany was an all-out assault on cellular call privacy and security. Of particular interest was the SS7 protocol used to route calls between switching centers.

Researchers, doing parallel research as it turns out, found gaping holes in the protocol that allow an attacker to sit in a man-in-the-middle position and re-route calls and SMS messages, or carry out denial-of-service attacks. More worrying to physical security is also the ability to learn a person’s location and track them.

The bugs are a spy’s dream, and Tobias Engel said he is aware of one real-world attack in Ukraine, carried out from a Russian SS7 network and discovered by a telecommunications operator in that country.

Engel, founder of Sternraute, a Berlin-based service provider specializing in privacy, said that an attacker would need only to know his target’s phone number in order to track their location or spy on their calls. The maligned SS7 protocol was designed in the 1980s, long before mainstream cellular use, and security and privacy shortcomings have not kept up with the times, Engel said. Services built on top of SS7 to enable mobile communication, MAP and CAMEL, operate without authentication, Engel said, leaving the door wide open for abuse.

Karsten Nohl, of SR Labs in Germany, also spoke at 31c3 and tore into SS7 and demonstrated that attacks can also be carried out over 3G networks in order to record voice and SMS communication as well. He released a tool for Android devices called SnoopSnitch that detects IMSI catchers and other attacks over SS7.

“I think it’s really scary. You don’t have to know somebody, you just have to know his phone number and you can track him from the other side of the world. You don’t have to be near him, you just need SS7 access,” Engel said, pointing out that such access can be purchased from telecom and network operators. Also, he said, there are vendors selling products that maneuver against SS7. “Companies offering these services are saying they are only offering them to law enforcement and government agencies. I don’t know about you but there are many countries in the world whose governments I wouldn’t trust with this functionality.”


Governments have been known not only to monitor call activity of citizens and high-value industrial or government targets, but also track the location of activists and dissidents in oppressed parts of the world. Engel’s SS7 presentation included a demonstration of tracking he did of a volunteer, mapping out their journey from Seattle, to their home in the Netherlands and eventually to Hamburg and 31c3.

Engel’s attack takes advantage of the Home Location Register (HLR), a database containing subscriber data, including the subscriber's phone number. The HLR, he said, knows which mobile switching center, or visitor location register (VLR), is closest to the subscriber in order to deliver calls and SMS messages. An attacker can send a Mobile Application Part (MAP) anyTimeInterrogation request to the HLR to learn the subscriber’s cell ID: the HLR pages the right switching center and returns the information to the attacker, Engel said. European networks block ATI requests for the most part, but that won’t deter an attacker, who can instead query the mobile switching center directly to learn the cell ID and IMSI number. Most switching centers accept requests from anywhere and perform no plausibility checks, Engel said.

Engel brought the problem to the attention of a number of German operators, he said. The operators looked at their traffic and saw that a lot of it carried people’s geo-positions. After filtering out the ability to learn the IMSI and switching center location, attack traffic dropped 80 percent, Engel said. The remaining traffic came either from misconfigured networks or from unknown sources that he said were requests by state actors or other network operators. Some attacks persist because an attacker can learn the IMSI from other sources, or brute-force a number range from the switching center.

Engel also demonstrated how an attacker could abuse the CAMEL protocol to overwrite switching center data belonging to the subscriber with the attacker’s GSM address without the subscriber’s knowledge. When a subscriber makes a call, he said, the switching center would instead contact the attacker’s ID. The attacker could record traffic, learning what numbers are dialed, and bridge calls, sitting in the middle and recording content, Engel said.

“Everybody who has a phone in his pocket indirectly uses SS7,” Engel said. “Every movement can be tracked and every call can be intercepted.”

Source: http://threatpost.com/cellular-privacy-ss7-security-shattered-at-31c3/110135

Taking up the Gauntlet: SS7 Attacks

Cathal McDaid, 16th December 2014


There have been several recent reports in the media on the results of new research into the SS7 network. This interesting research outlines a series of techniques potential attackers can use to listen in to and read the calls and text messages of others. An obvious question for those of us in the telecom security industry is whether the threat is real and what we should do to address it. In considering an answer, we can look at a little-reported incident that occurred in Ukrainian mobile networks earlier this year.

Last May, a report was issued by the Ukrainian Telecom Regulator (NKRZI[1]). This document, which went essentially unreported by the press outside of Ukraine & Russia, contains the result of the investigation of the NKRZI, assisted by the Ukrainian Security Service (SBU), into telecom network activity over several days in MTS Ukraine. The key findings of this report were that over a 3 day period in April 2014, a number of Ukrainian mobile subscribers were affected by suspicious/custom SS7[2] packets from telecom network elements with Russian addresses, causing their location and potentially the contents of their phone calls to be obtained.

The 'attacks' outlined in the document involved SS7 packets being sent between the mobile operators. Without going into specific details, what occurred is a series of SS7 packets were received by MTS Ukraine's SS7 network which modified control information stored in network switches for a number of MTS Ukraine mobile users. In doing so, when one of the affected mobile subscribers tried to ring someone else, their call would be forwarded to a physical land line number in St. Petersburg, Russia, without their knowledge - in effect the call has been intercepted. There is an additional further step that could be taken for the interception, not outlined in the original Ukrainian report, but suggested by the Washington Post article. The forwarded-to number could have initiated a new call to the original targeted subscriber, and then conference in the intercepted call, thus allowing itself to listen in to the call without the participants being aware.

In the document, the investigation stated that the custom SS7 packets themselves came from links allocated to MTS Russia, the parent company of MTS Ukraine. The Ukrainian regulator then assigned responsibility for the nodes that generated the SS7 packets based on the origination addresses in the packets received. According to the report, some of the SS7 source addresses that originated the attack were assigned to MTS Russia, while others were assigned to Rostov Cellular Communications.

It's important to keep in mind that this is the report from one side only, and it states that they “draw conclusions about the potential for the interference with operation of telecom networks on the part of the PSTN area in the Russian Federation”; however, in the report the regulator felt that MTS Ukraine was not doing enough to maintain the privacy of subscribers' locations and call forwarding routes. For its part, MTS Russia denied that the SS7 address used was under its control, thus leaving the ultimate instigator a mystery. Indeed, in subsequent follow-ups it was reported that MTS Ukraine was not alone in being at risk, as the Ukrainian Telecom Regulator stated at a later date that Astelit and Kyivstar – the other main Ukrainian mobile operators – also experienced ‘external interference’. Whilst we don't have information on the exact subscribers affected, there have been examples of very sensitive phone calls being intercepted by unknown means within the region, when using non-government-issued cell phones. It is purely speculation on our part, but the same SS7 techniques outlined in the report could conceivably have been used to help achieve these interceptions.

Looking forward, an unfortunate, but seemingly inevitable, side-effect of these techniques is that it will lead to countries that have been affected adversely by SS7 attacks to attempt to build their own capability, thus leading to an ‘SS7 arms-race’. This has already been experienced in Ukraine, where new legislation has been submitted that one media source stated will allow their security services to legally listen in turn to subscribers of foreign mobile operators, track their location and obtain ‘other’ information about the activity of subscribers. Taken to extremes between countries, this would lead to a form of ‘mutually assured surveillance’, with mobile operators and mobile phone users on both sides suffering.

The Ukrainian report, and the recent research that has been released, shows us that we have moved into uncharted territory. Yes, there is a threat, and it is real - as the above example shows - however it does require considerable technical expertise to do this level of network interference: not only to run and operate SS7 nodes capable of doing this, but especially to gain access to the SS7 network in the first place. Plus the nature of the risk is very different: consider that there are more users of the SS7 network worldwide than there are users of the internet, yet the number of attacks on IP networks every day dwarfs what is known to occur over SS7. The SS7 network is working as designed, but 'bad actors' are increasingly trying to exploit it. The real danger is that we assume nothing can be done to fix the problem, and that it will just get worse as more 'bad actors' try to get access. As has been said by others, as an industry we need to work together to define recommendations and implement solutions to detect and stop potential attacks, because defences are possible and can make a difference if deployed correctly.

This coordination is already well underway, and AdaptiveMobile are helping to contribute to this, but no-one should doubt the amount of work and effort that will be required to completely secure the SS7 network from organisations that would seek to exploit it. However, at the same time it would be a mistake for those using these techniques offensively to assume that their activities & methods have gone unnoticed. We are now entering the more public stage of a struggle in which the gauntlet was thrown down some time ago.

Example AdaptiveMobile visualisation of SS7 activity between several mobile operators over a short time span, looking for abnormal behaviour. Colours represent a selection of different SS7 packet types. The 'clumps' are groups of similar SS7 node types. While unrelated to the events described in the report, the purpose of such work is to help investigate ways in which to detect malicious or unusual SS7 behaviour in networks. Such methods will be called on increasingly in the future to help detect and block unwanted SS7 activity.

Update, 3/1/2015: In the 3rd paragraph of the original blog entry on 16th of December, it was stated: "In doing so, when someone tried to ring one of the affected mobile subscribers..." This has now been updated.

References:

[1] National Commission for the State Regulation of Communications and Information (Національна комісія, що здійснює державне регулювання у сфері зв`язку та інформатизації)

[2] Signalling System 7 (SS7) is a catch-all term for a telecom network technology that is used by hundreds of cellular companies to allow them to operate and communicate with each other; it is the computer protocol used by telecom nodes within cellular networks to provide mobility control, network registration, call and text setup, etc. In short, it enables mobile devices to communicate and roam globally, and it allows mobile operators to control and bill this activity. All pieces of network hardware that operate in the core network use SS7 to interoperate with the rest of the network.

Cell Phone Tapping: How It Is Done and Will Anybody Protect Subscribers

You have probably read on various news websites about surveillance programs led by security services in different countries that reach the phone and Internet communications of ordinary citizens. We have already written about possible threats to mobile telecommunication networks, and today we want to put more emphasis on one of the attack vectors against mobile subscribers.

In short, the outline is as follows. The attacker penetrates the SS7 (Signaling System No. 7) network and sends a Send Routing Info For SM (SRI4SM) service message into the network, specifying the phone number of the attacked subscriber A as a parameter. Subscriber A's home network responds with the following technical information: the IMSI (International Mobile Subscriber Identity) and the address of the MSC currently providing services to the subscriber.

After that, the attacker changes the billing system address in the subscriber's profile to the address of his own pseudo-billing system and injects the updated profile into the VLR database via an Insert Subscriber Data (ISD) message.

When the attacked subscriber makes an outgoing call, his switch addresses the attacker's system instead of the actual billing system. The attacker's system sends the switch a directive allowing it to redirect the call to a third party controlled by the attacker.

At the third-party location, a conference call with three participants is set up: two of them are real (the caller A and the called party B), while the third is introduced illegally by the attacker and is able to listen to and record the conversation.

I would say to skeptics straight off: this plan is not a fantasy, as you can see, and it could be realized in practice. At the design stage, the SS7 system was not provided with defense mechanisms against such attacks. It was assumed that the SS7 network itself is private enough and that an "outsider" cannot access it. However, times are changing and we are now witnessing telephony technologies being used with malicious intent. Unfortunately, one does not simply enable external SS7 message filtering, since it may affect the availability of mobile services in roaming. No mobile network operator wants to lose money.

The work of an operator providing services to a large number of subscribers always treads a fine line between information security and availability of services. The problem is especially acute for mobile network operators: the range of services is broad and differs between operators; at the same time, operators want to provide services both to their own subscribers and to subscribers from other networks within their network, and in such a way that subscribers do not face limitations on mobile services when traveling abroad.

What you can do

It would be good to fix the so-called "vulnerabilities" in the SS7 protocol stack, but any expert will tell you that it is impossible: a classic example of "it's not a bug, it's a feature". Instead of being philosophical about mobile network architecture, we must take action. We can do the following, for example:

1. Perform a penetration test of the SS7 network.
2. Set up monitoring of warning messages at the operator's network perimeter by all available means.
3. Analyze the received information and take steps to minimize the risks.
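The perimeter-monitoring step above, and the filtering that Engel's German operators applied earlier on this page (blocking the ability to learn the IMSI and switching center location, and adding the plausibility checks he found missing), can be illustrated with a small classifier run over a constructed log of inbound MAP operations. This is an added example, not code from the article or from Positive Technologies: the MAP operation codes are the real ones from 3GPP TS 29.002, while the global-title prefixes, the roaming-partner list, the subscriber numbers and the log lines are assumptions constructed for the example.

```python
"""Perimeter monitoring of inbound MAP operations (added example, not the article's code).

MAP operation codes are the real ones from 3GPP TS 29.002; the addressing plan,
roaming-partner list and log lines are constructed for this example.
"""
import csv
import io
from collections import Counter
from typing import List, Optional, Tuple

MAP_OPS = {
    2: "updateLocation", 7: "insertSubscriberData", 45: "sendRoutingInfoForSM",
    58: "sendIMSI", 70: "provideSubscriberInfo", 71: "anyTimeInterrogation",
}
INTERNAL_ONLY = {71}   # ATI is used by home-network platforms only; block at the edge
HLR_TO_VLR = {7, 70}   # ISD / PSI travel from a subscriber's HLR to the VLR serving them
VLR_TO_HLR = {2, 58}   # UL / sendIMSI travel from the serving VLR to the subscriber's HLR
DISCLOSING = {45}      # SRI-for-SM reveals IMSI and serving MSC unless home-routed

# Assumed addressing plan (constructed): our own nodes, our subscribers, our partners.
HOME_GT_PREFIX = "49152"
HOME_MSISDN_PREFIX = "49152"
PARTNER_GT_PREFIXES = ("4476", "331")

Finding = Tuple[str, str, str]  # (severity, originating GT, reason)


def origin_class(gt: str) -> str:
    """Classify the originating global title as home, roaming partner or unknown."""
    if gt.startswith(HOME_GT_PREFIX):
        return "home"
    if gt.startswith(PARTNER_GT_PREFIXES):
        return "partner"
    return "unknown"


def check_operation(orig_gt: str, opcode: int, msisdn: str) -> Optional[Finding]:
    """Plausibility rules for one inbound MAP operation; None means it passes."""
    cls = origin_class(orig_gt)
    if cls == "home":
        return None
    name = MAP_OPS.get(opcode, f"opcode {opcode}")
    home_subscriber = msisdn.startswith(HOME_MSISDN_PREFIX)
    if opcode in INTERNAL_ONLY:
        return ("high", orig_gt, f"{name} from external origin has no legitimate use")
    if opcode in HLR_TO_VLR:
        if home_subscriber:
            # Only our own HLR may push or query the profile of our subscriber in our VLR.
            return ("high", orig_gt, f"{name} for a home subscriber from outside the network")
        if cls != "partner":
            return ("high", orig_gt, f"{name} for an inbound roamer from a non-partner origin")
        return None
    if opcode in VLR_TO_HLR and cls != "partner":
        # A node that is not a roaming partner cannot be serving our subscriber.
        return ("high", orig_gt, f"{name} from a non-partner origin fails plausibility")
    if opcode in DISCLOSING:
        return ("info", orig_gt, f"{name} from external origin; answer via SMS home routing")
    return None


# Constructed sample of inbound signalling as a perimeter node might log it.
SAMPLE_LOG = """ts,orig_gt,opcode,msisdn
2014-12-27T10:00:00,447600000010,2,491520001234
2014-12-27T10:00:05,79160000001,71,491520001234
2014-12-27T10:00:09,79160000001,70,491520001234
2014-12-27T10:00:12,331000000020,7,491520001234
2014-12-27T10:00:15,79160000001,45,491520005678
2014-12-27T10:00:20,4915200000002,71,491520001234
2014-12-27T10:00:25,79160000001,58,491520001234
2014-12-27T10:00:30,331000000020,70,33600000001
"""


def analyze(log_text: str) -> Tuple[List[Finding], Counter]:
    """Run the rules over a CSV log; return the findings and a per-origin count."""
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(log_text)):
        finding = check_operation(row["orig_gt"], int(row["opcode"]), row["msisdn"])
        if finding:
            findings.append(finding)
    return findings, Counter(f[1] for f in findings)


if __name__ == "__main__":
    found, per_origin = analyze(SAMPLE_LOG)
    for sev, gt, why in found:
        print(f"[{sev}] {gt}: {why}")
    print("alerts per origin:", dict(per_origin))
```

On the constructed log, the partner's updateLocation and the provideSubscriberInfo for an inbound roamer pass, the ATI from a home node passes, and the five remaining records are flagged, four of them at high severity from the same non-partner global title. The per-origin counter is what an operator would watch over time: a sudden concentration of such findings from one address is the pattern Engel's operators saw in their own traffic.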

Penetration Tests

Let's talk a bit about the benefits of penetration tests. In an operator's network, these tests play a role not only in the detection of vulnerabilities but also in solving operational tasks. For instance, you need to perform dozens of tests, taking into account the specifics of each particular network, in order to find out the impact of enabling one feature or another. When testing SS7 warning messages, we consider 10 basic types of attacks on a network and mobile subscribers.

1. Check for the disclosure of confidential technical parameters: the subscriber's IMSI; the address of the MSC where the subscriber is registered; the address of the HLR database where the subscriber's profile is stored. An attacker can conduct more complicated attacks using these parameters.
2. Check for the disclosure of the subscriber's cell data. An attacker can determine the subscriber's location using the cell ID. In cities the location can be determined with an accuracy of about 10 meters (http://blog.ptsecurity.com/2014/04/search-and-neutralize-how-to-determine.html).
3. Check for possible violation of the subscriber's availability for incoming calls (DoS against the subscriber). In case of a successful attack, the victim subscriber no longer receives incoming calls and SMS, while the victim's mobile phone still indicates network availability. The victim subscriber will stay in this state until he/she makes an outgoing call, moves to another switch's service area or reboots the phone.
4. Check for disclosure of private SMS conversations. This attack is a consequence of attack number 3. In case of a successful attack, incoming SMS messages are intercepted by the attacker's devices, so it is not difficult to read them. To prevent subsequent delivery to the recipient, the attacker sends an SMS delivery notification to the SMS Center.
5. Check for USSD command manipulation. In case of a successful attack, the attacker is able to send USSD commands on behalf of the subscriber. The possible damage is assessed with regard to the USSD services provided by the operator (e.g., whether money transfer between accounts via USSD commands is available).
6. Check for spoofing of the subscriber's profile in the VLR. In case of a successful attack, the attacker is able to use his equipment as an intelligent platform in order to extend the capabilities of voice calls and manipulate the tariffing of mobile services.
7. Check for possible outgoing call redirection. This attack is a continuation of attack number 6. In case of a successful attack, the attacker is able to redirect outgoing calls from the victim subscriber. Additionally, this attack allows an attacker to set up an unauthorized conference call, cutting into the conversation.
8. Check for possible incoming call redirection. In case of a successful attack, the attacker is able to redirect incoming calls to the victim subscriber. Moreover, calls to high-tariff regions may not be tariffed, or call charges will be billed to the victim subscriber.
9. Check the switch's stability and resistance to DoS attacks. In case of a successful attack, the switch no longer handles incoming calls to subscribers located in its service area.
10. Check for possible direct manipulation of billing. In case of a successful attack, the attacker is able to empty the subscriber's personal account, so that the subscriber is deprived of the opportunity to make calls.

How to Protect Users

Our research revealed that the overwhelming majority of attacks against SS7 networks begin with obtaining technical data about the subscriber (IMSI, MSC and HLR database addresses). These parameters can be obtained from the response to the SRI4SM message mentioned at the beginning of this article.

One security solution is the SMS Home Routing procedure, specified by 3GPP in 2007. It is sometimes called an SMS Firewall or SMS Filter.

An additional host that filters malicious SRI4SM messages is deployed in the operator's network. It works as follows. When an SRI4SM message is received by the operator's network from another network, it is re-routed to the new filtering host. This host sends a well-formed response in which the MSC and HLR database addresses are replaced with its own address and the IMSI with false data. If the SRI4SM message was generated by the attacker, he will not receive any useful data in the response and his attack is interrupted at the very beginning. If the SRI4SM message was used for an authorized transaction, to send an SMS, the originator's network will send this message to the filtering host, which will deliver the message to the recipient within the home network.

It's been 7 years since this recommendation was issued, but, so far as we can see, few operators have launched this solution. By the way, the SRI4SM message is not the only way to obtain the subscriber's IMSI.
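The home-routing procedure described above, as an added example written for this page (not Positive Technologies' or any operator's implementation): a small Python model of the filtering host. The global titles, the one-entry HLR record and the correlation-IMSI scheme (a random IMSI under the home network's own MCC/MNC, remembered for a single follow-up delivery) are assumptions constructed for the example; the behaviour it shows is the one the article describes, namely that an external SRI4SM never returns the real IMSI, MSC or HLR address, while a legitimate SMS still reaches the subscriber through the host.

```python
"""Model of SMS Home Routing: answer external SRI-for-SM without leaking IMSI or MSC.

Added example, not code from the article or from any vendor. Global titles,
the subscriber record and the correlation-IMSI scheme are constructed.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

HOME_HLR_GT = "4915200000001"     # assumed global title of the real HLR
HOME_MSC_GT = "4915200000002"     # assumed GT of the MSC/VLR serving the subscriber
HOME_ROUTER_GT = "4915200000099"  # assumed GT of the home-routing (SMS firewall) node

# Constructed HLR record: one home subscriber.
HLR_DB: Dict[str, Dict[str, str]] = {
    "491520001234": {"imsi": "262020000001234", "msc": HOME_MSC_GT},
}


@dataclass
class SriSmResponse:
    imsi: str          # IMSI the requester will address MT-ForwardSM to
    network_node: str  # MSC/SGSN address the requester will send the SMS to


def unprotected_sri_sm(msisdn: str) -> Optional[SriSmResponse]:
    """Behaviour without home routing: the HLR answers anyone with real data."""
    rec = HLR_DB.get(msisdn)
    if rec is None:
        return None
    return SriSmResponse(imsi=rec["imsi"], network_node=rec["msc"])


class HomeRouter:
    """Intercepts every SRI-for-SM that arrives from outside the home network.

    The response carries the router's own address instead of the MSC and a
    random correlation IMSI instead of the real one, so the requester learns
    nothing about the subscriber. A legitimate SMSC then sends MT-ForwardSM to
    the router, which maps the correlation IMSI back and delivers in-network.
    """

    def __init__(self) -> None:
        self._pending: Dict[str, str] = {}  # correlation IMSI -> MSISDN

    def handle_sri_sm(self, msisdn: str) -> Optional[SriSmResponse]:
        if msisdn not in HLR_DB:
            return None  # unknown subscriber: same answer the real HLR would give
        # Constructed scheme: keep our MCC/MNC (262 02) so the IMSI looks valid,
        # randomise the remaining 10 digits, and remember the mapping briefly.
        corr_imsi = "26202" + "".join(secrets.choice("0123456789") for _ in range(10))
        self._pending[corr_imsi] = msisdn
        return SriSmResponse(imsi=corr_imsi, network_node=HOME_ROUTER_GT)

    def handle_mt_forward_sm(self, imsi: str, text: str) -> Optional[dict]:
        """Deliver an MT-ForwardSM addressed to a correlation IMSI; None = dropped."""
        msisdn = self._pending.pop(imsi, None)  # single use: a replay is rejected
        if msisdn is None:
            return None
        rec = HLR_DB[msisdn]
        return {"to_msc": rec["msc"], "imsi": rec["imsi"], "text": text}


def leaks_subscriber_data(resp: SriSmResponse) -> bool:
    """True if a response exposes a real IMSI or a real MSC/HLR address."""
    real_imsis = {r["imsi"] for r in HLR_DB.values()}
    real_nodes = {r["msc"] for r in HLR_DB.values()} | {HOME_HLR_GT}
    return resp.imsi in real_imsis or resp.network_node in real_nodes


if __name__ == "__main__":
    router = HomeRouter()
    seen_by_outsider = router.handle_sri_sm("491520001234")
    print("outsider learns:", seen_by_outsider,
          "leaks real data:", leaks_subscriber_data(seen_by_outsider))
    print("legitimate delivery:", router.handle_mt_forward_sm(seen_by_outsider.imsi, "hello"))
    print("without home routing:", unprotected_sri_sm("491520001234"))
```

The contrast between unprotected_sri_sm and HomeRouter.handle_sri_sm is the whole point of the procedure: the first hands out the IMSI and serving MSC to whoever asks, the second hands out nothing that identifies the subscriber or the network topology. The single-use mapping is a design choice for the example; a production host would also expire unused correlation IMSIs after a short time.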

A mobile operator's network is potentially vulnerable, just like any other network. Due to the specifics of mobile networks, these attacks can be more sophisticated than Internet attacks. We recommend that operators take measures to protect such networks using the traditional scenario: penetration tests to discover potential vulnerabilities, a security audit with recommended settings, and cyclic checks of security settings against a template. This minimum amount of work raises the level of your network security just above average, but it is enough for a first step. So subscribers have nothing to worry about.

P. S.

In the course of the Positive Hack Days IV, we made a report about possible attacks in mobile operators' network, where tapping into phone conversations from almost any place on earth was discussed.

Authors: Sergey Puzankov, Dmitry Kurbatov

Author: Positive Research at 11:07 PM


Labels: information security, mobile data bypass, telecom

Irwin Williams, January 17, 2015 at 5:58 AM:

Cellphone tracking is now very much simple; most of the promote submission for the emissary software are prohibited, and the subsistence of the software angers CTIA-The Wireless Association, an industry organization representing the nation's chief cell phone company.


Location, Monitor Your Communication

December 30, 2014, 7:55 AM MST

With a few lines of code, a savvy hacker can determine your location and intercept calls and SMS.

According to renowned researcher Tobias Engel, who presented SS7: Locate. Track. Manipulate at the Chaos Communication Congress 31c3 last week, "Companies are now selling the ability to track your phone number wherever you go. With a precision of up to 50 meters, detailed movement profiles can be compiled by somebody from the other side of the world without you ever knowing about it. But that is just the tip of the iceberg."

And it is not only the NSA (or other intelligence agencies) that can monitor your movement and intercept communication. Any business or individual can exploit SS7 network vulnerabilities to gain access to subscribers' mobile devices.

The SS7 protocol is used by mobile operators to direct calls and SMS to their customers, even when they are in another country. In theory, access to the SS7 network is reserved for telephony operators. However, by gaining access to the network, businesses and individuals can have a field day.

"From the moment you have network access, there are hardly any security mechanisms," says Tobias Engel.

[Embedded video: //www.youtube.com/embed/lQ0I5tl0YLY]

What is rather scary is the assertion that gaining access to a mobile operator’s network is relatively easy.

Karsten Nohl of the German company Security Research Lab, who also presented his research, asserted that accessing "the location is very easy." He argued that “even 3G is attackable,” suggesting “it’s high time we upgrade from complaining to self-defense.”

Tobias Engel presented how he tracked and monitored mobile devices across the globe. Several US companies even provide phone location services to their customers, as recently reported in the Washington Post (http://www.washingtonpost.com/business/technology/for-sale-systems-that-... f003-11e3-bf76-447a5df6411f_story.html).

Intercepting calls is a little more complicated. On stage, Karsten Nohl also demonstrated spoofing the phone number and potentially transferring the call to a computer where it can be recorded. The same can be done with SMS.

Subscribers don't really have many options. Tobias Engel joked: "There are only two solutions for the user. Tell the operator, but I'm not sure that a call to the hotline will work, or get rid of his phone."

But if you don't want to get rid of your phone, Karsten Nohl launched SnoopSnitch (https://play.google.com/store/apps/details?id=de.srlabs.snoopsnitch), a free application to detect whether a subscriber is monitored via the SS7 network.

"You receive warnings when something out of the ordinary happens," Nohl said. "For example, if I ask your operator for your location through the SS7 network, your phone is loaded but nothing happens for you. The application notifies you if such an event occurs."

This tool can also detect certain types of interception. The application collects data throughout the day, "like a virus that people have on their computer." The user can then choose to share this data with Security Research Lab to supply a map, GSMMap.org (http://gsmmap.org/).