SS7 Attacks: Intercepting SMS and Calls As Easy As ABC

We have already talked about the insecurity of such popular messengers as Skype, Viber, WhatsApp and others. They are wiretapped, listened to, and hacked every day by anyone who wants to, including the government. So maybe a good old-fashioned SMS is more reliable in terms of security? Maybe sending a text message and then deleting it from your phone is the best way to keep a secret?

Unfortunately, this option is also insecure. Let’s investigate why.

 

SS7 Vulnerabilities

The Short Message Service (SMS) is based on standardized communications protocols that allow mobile phones to exchange text messages. It started functioning as far back as the early 1980s, and has hardly been improved since. SMS is based on the Signaling System No. 7 (SS7) protocol, which is really old-fashioned and very vulnerable. Some of these vulnerabilities were publicized in 2008, and again in 2014. The information revealed stated that cell phone movements can be tracked by governments and third parties with a 70% success rate.

Around 90% of all mobile operators all over the world are unprotected because of the “holes” in the SS7 protocol. To be more precise, 89% of subscribers’ SMS can be intercepted, 58% of subscribers can be tracked, and half of all phone calls can be wiretapped. These figures are taken from research conducted by the company Positive Technologies, which investigated the security systems of the world’s biggest mobile operators.

The last improvement to the original SS7 was made more than 30 years ago. In the early 2000s an addition to SS7, the Sigtran software, was developed. It allowed messages and commands to be passed through IP networks. The components of the SS7 network became accessible via a public network, and connecting to some of them even became possible via the Internet. The new software continued to work on top of the old-fashioned unprotected system, and exploiting the SS7 “holes” became even simpler.

Public discussion of SS7 vulnerabilities started in 2008 at the Chaos Computer Club hacker conference. Even earlier, in 2007, the book “How to Cheat at VoIP Security” by Porter and Gough (telecommunication specialists) stated that the US presidential administration was seriously concerned about SS7 insecurity.

 

How It Works

Tracking and wiretapping may seem like the exclusive specialty of intelligence agencies, being a quite complicated and expensive process, but because of the insecurity of SS7 they are within reach of a hacker of even average skill. To attack subscribers, no specific equipment is needed, and one doesn’t need to be a genius or work in a security service.

After completing the main task of connecting to SS7, a hacker finds out the subscriber’s IMSI number using specific software. This is an identifier that is assigned to every mobile subscriber (it carries the country code, the operator code, and the unique internal SIM-card code).

Additionally, the hacker obtains the parameters of the MSC/VLR (the call switch and location register) that is serving the subscriber in the network.

This information is needed to “cheat” the subscriber’s home network and redirect the subscriber to a “fake” one. To the home network it looks as if the subscriber is roaming, i.e. the operator receives a signal that its subscriber is now served by another operator. In reality, the “fake” network is now serving the subscriber, and the hacker, using specific software, intercepts SMS, listens to calls, and tracks location. The subscriber would never guess they have been hacked.
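A home-network plausibility check for the fake-roaming registration described above, as an added example that is not part of the original article: it splits the IMSI into the three parts named earlier and flags a subscriber whose serving country changes faster than physical travel allows. The record layout, the 60-minute threshold and the sample IMSIs are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumption: minimum time in which a real subscriber could plausibly
# reappear in a different country. Illustrative value; tune per operator.
MIN_TRAVEL = timedelta(minutes=60)

def parse_imsi(imsi, mnc_len=2):
    """Split an IMSI into (MCC, MNC, MSIN): country code, operator code and
    the subscriber number unique within that operator. The MNC is 2 or 3
    digits depending on the country, so the caller supplies its length."""
    if not imsi.isdigit() or not 6 <= len(imsi) <= 15 or mnc_len not in (2, 3):
        raise ValueError("malformed IMSI")
    return imsi[:3], imsi[3:3 + mnc_len], imsi[3 + mnc_len:]

def flag_suspicious(events, min_travel=MIN_TRAVEL):
    """events: (iso_timestamp, imsi, serving_mcc) tuples, one per location
    registration the home network accepted (hypothetical record layout).
    Returns registrations where the serving country changed faster than
    min_travel since the same IMSI's previous registration."""
    last = {}      # imsi -> (time, serving_mcc) of the previous registration
    alerts = []
    for ts, imsi, serving_mcc in sorted(events):
        when = datetime.fromisoformat(ts)
        home_mcc = parse_imsi(imsi)[0]
        prev = last.get(imsi)
        if prev and prev[1] != serving_mcc and when - prev[0] < min_travel:
            alerts.append({"imsi": imsi, "time": ts, "from_mcc": prev[1],
                           "to_mcc": serving_mcc,
                           "left_home": prev[1] == home_mcc})
        last[imsi] = (when, serving_mcc)
    return alerts

# Constructed sample records (test/private-use MCCs, not real subscribers).
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:00", "001010000000001", "001"),  # registered at home
    ("2024-01-10T09:04:00", "001010000000001", "999"),  # "roaming" 4 min later
    ("2024-01-10T08:00:00", "001010000000002", "001"),  # registered at home
    ("2024-01-10T15:30:00", "001010000000002", "999"),  # abroad 7.5 h later
]

if __name__ == "__main__":
    for alert in flag_suspicious(SAMPLE_EVENTS):
        print(alert)
```

Only the first subscriber is flagged: the home network saw them locally four minutes before the foreign registration, while the second subscriber's move leaves enough time for real travel.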

 

Some Proofs of Tracking

In 2013, former CIA employee and computer professional Edward Snowden revealed information about the NSA and a specific program it used, based on SS7. The program allows the agency to track any telephone subscriber all over the world. And, of course, the government was actively using this program without the consent of the users. Snowden explained his disclosure by saying that he didn’t want to live in a world where everything he was doing and saying was being wiretapped.

Soon after, it became known that some private companies offer such services globally for a fee. One example is SkyLock, a product of the American-based company Verint Systems. This is a real-time tracker that uses the international SS7 network to track virtually any subscriber in the world, even if the GPS on the phone is disabled. No specific hardware or software is needed.

Three years later, in 2016, this vulnerability was successfully used for the experimental wiretapping of an American congressman. German researcher Karsten Nohl, knowing only the phone number of Representative Ted Lieu, hacked his phone and listened to his conversation with a journalist.

Even after all this information was released to the public, nothing has changed. Mobile operators all over the world refuse to admit the problem. Many “ethical hackers” believe that SS7 was created and continues to be used in this form because it is “convenient” for tracking and wiretapping. For years, special agencies have been aware of these vulnerabilities and have done nothing to change the situation. The reason, The Daily Beast suggests, may be that they use the “leaks” for themselves.

 

Conclusion

SMS and mobile calls seem to be the most insecure ways of communicating. An attacker doesn’t need any specific equipment or extra funds, just medium technical knowledge and a bit of patience. So don’t fool yourself hoping that your secrets are safe. If you have to conduct any communication that needs to be kept secret, you’re better off doing it in an open field, without any devices in your hands. Or start looking for a really secure communication solution.

 

References:

https://en.wikipedia.org/wiki/Short_Message_Service#Vulnerabilities

https://en.wikipedia.org/wiki/Signalling_System_No._7#Protocol_security_vulnerabilities

https://flibustahezeous3.onion.cab/node/328256

http://www.cbsnews.com/news/60-minutes-hacking-your-phone/

https://www.ptsecurity.com/upload/ptcom/SS7_WP_A4.ENG.0036.01.DEC.28.2014.pdf