Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Cellphones Encryption Privacy

Researchers Discover SS7 Flaw, Allowing Total Access To Any Cell Phone, Anywhere 89

krakman writes: Researchers discovered security flaws in SS7 that allow listening to private phone calls and intercepting text messages on a potentially massive scale – even when cellular networks are using the most advanced encryption now available. The flaws, to be reported at a hacker conference in Hamburg this month, are actually functions built into SS7 for other purposes – such as keeping calls connected as users speed down highways, switching from cell tower to cell tower – that hackers can repurpose for surveillance because of the lax security on the network. It is thought that these flaws were used for bugging German Chancellor Angela's Merkel's phone.

Those skilled at the housekeeping functions built into SS7 can locate callers anywhere in the world, listen to calls as they happen or record hundreds of encrypted calls and texts at a time for later decryption (Google translation of German original). There is also potential to defraud users and cellular carriers by using SS7 functions, the researchers say. This is another result of security being considered only after the fact, as opposed to being part of the initial design.
This discussion has been archived. No new comments can be posted.

Researchers Discover SS7 Flaw, Allowing Total Access To Any Cell Phone, Anywhere

Comments Filter:
  • How naive... (Score:4, Insightful)

    by Anonymous Coward on Friday December 19, 2014 @09:34AM (#48633545)

    "Flaw"? Is anyone really that ignorant these days? This is not a bug, it's by design.

    • Re:How naive... (Score:4, Interesting)

      by Anonymous Coward on Friday December 19, 2014 @10:19AM (#48634027)

      Yes, flaw. SS7 dates back to the late 70s, and has roots all the way back in the early 60s. Nobody encrypted anything back then, it was a miracle it worked at all.

      So, clearly SS8 (or whatever) needs to take this into consideration, but...

    • by swschrad ( 312009 ) on Friday December 19, 2014 @11:48AM (#48635075) Homepage Journal

      I tripped over the ruts from the SS7 bandwagon over a decade ago. back then, you had to be in the CO and on the terminal of the Stratum server to spy on SS7 traffic. ability to scoop up the slop in a bucket came later.

      • by Cramer ( 69040 )

        I'd post a picture, but I'm not going to slash my own server. :-)

        Ours was connected to the company LAN -- so you could telnet to it. It originally lived next to the HVAC in the room with the LD switch (Alcatel 600e.) In the Grand NOC Redesign of 2001(TM), it was moved to the desks in the NOC which moved to the CO.

    • Comment removed (Score:5, Insightful)

      by account_deleted ( 4530225 ) on Friday December 19, 2014 @01:26PM (#48636101)
      Comment removed based on user account deletion
      • by Cramer ( 69040 )

        The issue is the amount of blind trust still in the system to this day. Even in the Mitnick hacking era of the early 90's, the system needed to be modernized. Security through obscurity doesn't work. "Lack of physical access" isn't a sufficient barrier. (and really never was. How many telcos had (still have) dialup modems on rcv and tlws ports, with little or no authentication? The telco I worked for did for over two decades -- to everything not just the 5ESS's, before moving them to terminal servers on the

    • And that's why we have the term "design flaw" rather than "design bug".
    • by cevioux ( 803559 )
      Certainly the NSA listeners call it a "feature."
  • Yeah sure... (Score:2, Insightful)

    by Anonymous Coward

    The only flaw I see in this is that someone discovered the intentional backdoor. This was not unintentional by any means.

  • http://www.wired.com/2014/09/c... [wired.com] Back in Sept, Wired talked about a phone that has firewall and security to detect when you are using a hack cell tower. Sure its a little different but still interesting the same.
    • by thoriumbr ( 1152281 ) on Friday December 19, 2014 @09:54AM (#48633723) Homepage
      No, this will not solve the problem. The main issue is at protocol level, not cellphone level. Even with a secured phone, the attack can be silently executed.

      The only defense is using encrypted calls and encrypted text messages.
      • by Anonymous Coward

        The only defense is using encrypted calls and encrypted text messages.

        You sent that message in plaintext, you insensitive clod!

        • by Qzukk ( 229616 )

          With the right key and cipher, it could be an encrypted message to pick up milk and eggs on the way home from the store.

      • Re: (Score:3, Interesting)

        by DarkOx ( 621550 )

        The obvious solution is just have the handsets negotiate. There is absolutely no "good" reason call setup between two cellular handsets (or any other digital endpoint for that matter) should not feature some kind of certificate validation step between the end points followed by the exchange of uniquely per call generated symmetric key exchanged securely using the same PKI used to validate the certificate authenticity. Essentially SSL for phone calls.

        People could use third party CAs like they do for the web

  • LOL. (Score:1, Interesting)

    by Jahoda ( 2715225 )
    I like how you reach that conclusion that this is the result of security being considered only after the fact, rather than being an integral part of the design.
    • Re:LOL. (Score:5, Insightful)

      by wolrahnaes ( 632574 ) <sean@seanha[ ]w.info ['rlo' in gap]> on Friday December 19, 2014 @11:13AM (#48634697) Homepage Journal

      SS7 dates to the '70s. Pretty much no communications protocols intended for general use were designed with even the thought of security at the time. The number of players in the game was small enough that any bad behavior could be rooted out fairly easily.

      Look at email for the same basic problem, it was designed with the assumption that the parties involved could be trusted because on the networks it was designed for that was generally the case. Over time the trustworthiness of the network was degraded for reasons both good and bad, but the common protocols had already been established by then and it's a long road to change.

      I won't argue that there probably has been some "influence" on decisions about adopting more secure replacements, but it's a bit tinfoil hattish to claim that the protocols themselves were intentionally made insecure when it's well documented that most protocols from that era just weren't designed to try to be secure in the first place.

      • by Jahoda ( 2715225 )
        This is very informative, thank you!
      • by Cramer ( 69040 )

        Also, computing technology was large, slow, power hungry, and expensive. Cryptography was primitive due the lack of cpu processing to handle the complex math, and doing it in hardware was another exercise in expensive. Any considerations for security would've quickly been dismissed as a) unnecessary, and b) prohibitively expensive.

        Why haven't "we" updated the system? Because there's an immense amount of "legacy" gear still running the PSTN to this day. The AT&T 5ESS local switch I walked past several ti

  • Hardware Security (Score:5, Informative)

    by Anonymous Coward on Friday December 19, 2014 @09:46AM (#48633663)

    SS7 pre-dates the modern processing explosion. Early systems were stretching their embedded 386 just to handle the protocol messages. Any additional security would have made the systems pretty much impractical for another few years.

    As a result, it was designed around physical security of the signalling lines, and that is pretty much the way it has stayed. Only certified equipment gets connected to core equipment. Foreign equipment goes through an SS7 gateway (really a firewall of sorts). Encrypted tunnels are use for connecting SS7 networks over insecure channels.

    So basically your calls are as good as the physical security of the core switches. Which is generally pretty good. And if you have physical access to the core switches, then there are probably many other ways you could listen in anyway.

    • Re:Hardware Security (Score:5, Interesting)

      by Charliemopps ( 1157495 ) on Friday December 19, 2014 @09:59AM (#48633787)

      yea, I've been laughing about this story... If this scares you, never look up how landlines work, that'd terrify you. lol

      You could take pretty much any speaker you wanted to, run a jumper to the switch and listen to any phone call you wanted. ANYONE in your neighborhood can walk over to any one of the hundreds of pedestals in your neighborhood and do the same. If you really want to get fancy you can go get a butt set off Amazon for $10 and dial out to. And all that's before we get to someone with switch access... they can issue commands to link your call to another number so they can listen in, etc...
      You've absolutely no privacy on a land-line phone call.

      • by NixieBunny ( 859050 ) on Friday December 19, 2014 @10:02AM (#48633823) Homepage
        Except with the land line, someone has to go find your physical wire pair and connect to it. This is a software hack.
        • Except with the land line, someone has to go find your physical wire pair and connect to it. This is a software hack.

          No they don't.
          The switch has a modem that you can dial into... and yes, they are still connected and used a lot.
          The call can be rerouted to any number on the planet.
          Some switches only have 1 login that's shared by all the programmers ;-)
          Remember, this hardwares from the 60's, 70s, 80s...

        • Comment removed (Score:5, Interesting)

          by account_deleted ( 4530225 ) on Friday December 19, 2014 @03:52PM (#48637611)
          Comment removed based on user account deletion
          • by Cramer ( 69040 )

            Funny. The phones of that era (70s/80s) were mechanical. The handset speaker/mic weren't physically connected until the handset was lifted -- the phone went "off hook". The ringer was a solenoid, swing arm, and one or two bells -- so the ringer was useless as a "listening device". Until the advent of digital (speaker) phones, these sorts of line seizing hacks were of very little value. Even the early electronic touch-tone phones of the 80s had no speaker/mic connected until the handset was lifted.

            • Comment removed based on user account deletion
              • by Cramer ( 69040 )

                Ah, it's a hardware "bug" that has to be placed in the phone -- as that's where most interesting conversations will happen. It can technically be attached to the phone line anywhere. Putting it in the phone means it'll obviously have access to the line, will go where ever the phone goes, and will be in the vicinity of most conversations. It can then be activated by a special incoming call that it answers before any ring is generated. (or without a ring being signalling at all.)

                This is in contrast to what I

      • by OzPeter ( 195038 )

        You could take pretty much any speaker you wanted to, run a jumper to the switch and listen to any phone call you wanted.

        Back in the day I had a friend who worked for a phone company. As a part of their QC they had a speaker in their office that was connected to various random landlines in order to keep a check on call quality. (In hindsight the choice of lines is a bit suspect)

        He told me a story of one call they heard, about the mother of little johnny calling up a phone sex line (but not knowing it was one) and wanting to know what all these charges were for. The phone sex worker tried to sidestep the issue by saying tha

      • I'm glad my pedestal is in my back yard. Probably not comforting for my neighbors that the fence blocks their view of it. At least it's not near the road were a kid taking a leak on it would cause static on the line. I feel sorry for the tech that had to trouble shoot that one.
        • by cdrudge ( 68377 )

          Where do you live that you don't get any rain?

          • Being able to explain that when it rains the line goes static is one thing. It's another to say every day around 3 oclock the line gets static when there is no rain. All the line tests would say the line was wet, but no indication of where, or why. Arizona doesn't really get a lot of rain ether. We found out when the customer looked out at the pedestal during one of the trouble shooting calls, and saw a kid on his way home from school peeing into pedestal. The older models are ok for rain, but if someone's
        • I'm glad my pedestal is in my back yard. Probably not comforting for my neighbors that the fence blocks their view of it. At least it's not near the road were a kid taking a leak on it would cause static on the line. I feel sorry for the tech that had to trouble shoot that one.

          Anyone can tap your call from any point in the route between you and the CO. Someone could be half a mile away and still do it.
          Though, if the plants been modernized, it's probobly MUX'd (turned digital) after before you hit 30,000 feet.

      • by swb ( 14022 )

        Even the phone company used to do it wrong.

        Before I left for college in '85, we had a second phone line (which basically became my line). When I went away, my parents got it disconnected. When I came home the first summer I didn't know it was disconnected. I connected my phone back to the jack and sure enough, had a dialtone.

        I made calls for several weeks until my friends kept complaining that my number didn't work, said it was disconnected. I called Ma Bell and found out it was disconnected!

        The line f

        • That's a soft disconnect.
          They deleted your number in the switch software but didn't physically disconnect the wire.
          It happens all the time, and, in fact, is required by law in some areas.
          Some counties require the phone company to have a working phone with 911 access in every home, even if it's abandoned. So they have to send techs out with police escorts to install phones, just in case some hobos move in and have an emergency.

          • ooo... and I should add...
            Soft disconnects are done frequently for people that plan to reconnect the phone.
            "I'll be in Florida for the winter but I want my number back when I get back!"
            The phone company charges you a small fee to hold them number, they disco the number in the switch so it doesn't lead to the line but they don't physically disconnect the line because that would involve work and they'd just have to reconnect it later anyways. So when you get back home they just reprogram the number and viola.

            • by swb ( 14022 )

              No, they cancelled the line. I had a change in my financial aid and ended up living at home for another year. When I found that out I actually did get the extra line again but I couldn't get the old phone number, I had to get another phone number.

    • by decsnake ( 6658 )

      SS7 pre-dates the modern processing explosion. Early systems were stretching their embedded 386 just to handle the protocol messages.

      Your point is absolutely correct, however, I'm pretty sure the first SS7 implementations ran on 3B20s.

    • by sjames ( 1099 )

      THIS!

      It's the same way that the initial solution to people MFing was to put a 2600 Hz notch filter on POTS lines. Then they moved signaling out of band except for the last mile. They assumed that was problem solved since trunks were protected with physical security.

      They simply didn't anticipate a day when most of the population had a cellphone and a computer more powerful than their switch and where software defined radio was an actual thing that an individual could make or buy.

    • ILECs and CLECs don't trust other entities to route good SS7 commends. The gateway to the actual SS7 network is setup to filter most SS7 commands beyond the bare minimum needed to complete a call. I've seen an unrestricted SS7 console in action at an ILEC and you can do all sorts of things to trace out a calls, listen in and pull billing and address information. It's pretty slick, but they are very selective about who gets access.

      • by hughk ( 248126 )
        The problem is that there a lot more SS7 systems out there now and not all under the control of competent/secure telcos but for various reasons (including mobile roaming) there is implicit level of trust between telcos. You might be filtered out in the US, but perhaps not somewhere else. There is already a problem of being able to pull locator info including cell-id for a cell phone from any other SS7 mobile switch. The trick is to get in at that level which isn't hard given the appetite of some regimes for
    • "Early systems were stretching their embedded 386 just to handle the protocol messages."

      SS7 existed before the 8088 was a twinkle in Intel's eye, let alone "386s"

      FWIW it wasn't blue boxes or Captain Crunch that drove SS7 - it existed before all that stuff happened.

      The driver for SS7 was digitisation of the phone system, which started in the early 1960s. Having worked on analog transmission and multiplexing systems, with their hundred of thousands of exquisitely tuned quartz crystal blocks and experienced th

  • This bit

    record hundreds of encrypted calls and texts at a time for later decryption

    And that it probably applies to any encryption offered up to consumers from Google, Apple, and Microsoft, etc.

    If they haven't already added a master key to their encryption, the ability to decrypt easily through a "flaw" or "weakness" would allow deniability though.

  • by DutchUncle ( 826473 ) on Friday December 19, 2014 @10:01AM (#48633805)
    This isn't even a back door; it's how the system works. Only the authorized licensed carriers are supposed to issue command codes, just like the C,D,E,F touch-tones (yes, Virginia, there are four more than on your phone). What's being described here is a basic fraud, as basic as Charlie Chaplin in a restaurant posing as a waiter and pocketing the money someone else leaves with a bill. The failure is in assuming that someone intending to violate conventions and rules will follow the "authorizations" any more than they will follow any other rules.
  • by CajunArson ( 465943 ) on Friday December 19, 2014 @10:05AM (#48633853) Journal

    Uh.. the whole point of transport layer encryption is that you assume an attacker can record your communication and the encryption prevents the attacker from figuring out the real contents of the communication.

    If you know for a fact that no unauthorized party can actually tap to your communication channel.. you don't even have to bother with the encryption in the first place.

    The rest of the issue is due to the fact that the SS7 protocol is a byzantinely complex and very very old standard going way WAY back before data security was taken into account.

    For all the people saying this is some intentional backdoor... if the NSA really were that smart to sneak this into a design-by-committee standard where hundreds of engineers spent years niggling over details, then you might as well give up now because you just said they are smart enough to insert backdoors into the Linux kernel or any other complex open source project too and they'll get away with it for decades before they get caught.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      For all the people saying this is some intentional backdoor... if the NSA really were that smart to sneak this into a design-by-committee standard where hundreds of engineers spent years niggling over details, then you might as well give up now because you just said they are smart enough to insert backdoors into the Linux kernel or any other complex open source project too and they'll get away with it for decades before they get caught.

      NIST standards aren't design-by-committee standards with hundreds of engineers niggling for years over details? You're naiveté is pretty cute.

      • Since you assign God-like powers to the NSA, give up now because nothing is secure. They slice through any encryption with a pocket calculator. They've kidnapped you and implanted mind-recording devices in your head and then wiped your memory! You live in an episode of the Prisoner but without the trippy 60's music!

        • Since you assign God-like powers to the NSA, give up now because nothing is secure.

          Subverting standards and products is not having a God-like power. It's well within the means of a nation-state agency with an unlimited black budget. Their own documents even prove this.

          • by meta-monkey ( 321000 ) on Friday December 19, 2014 @11:13AM (#48634691) Journal

            This isn't even about a subversion of standards. It's kind of required for cell phones to work that the towers are able to identify your handset and route your calls and messages. This isn't an OTA exploit. You still have to have physical access to the switch and credentials.

            OMG guys! I've discovered a terrible, awful vulnerability in Linux!!! If somebody has your root password, they can, with a few keystrokes, have total access to your computer! They can read all your files, change them, delete them, anything! We're doomed!

            No, the problem with government surveillance is a political one, not a technological one. As long as they have the authority to hook their boxes into the communications lines, nothing can ever be secure. Somebody has to have root access to the system for the system to work and be maintainable.

            I work at a hospital, and I have root access to the database. ZOMG your medical records aren't secure! Somebody sitting at the server with the root password can see everything! Ummmm no, your records are fine. I have to have access to the database to do my job. But we have a political system including an internal review board and threats of felony criminal prosecution if I were to do anything to violate your privacy. Also I'm not a dick. The solution to government surveillance is a political one. We need people who aren't dicks and rules that put them in jail if they intercept your calls.

            • by q4Fry ( 1322209 )
              I appreciate the voice of sanity in your post w.r.t. the access itself.

              Can we agree that the problem is that even if the people with access aren't dicks right now that they might become dicks in the future. It only takes one person evading your dick filter for a while to hire some other like-minded dicks and dick everyone over. There's also a pretty convincing thesis [prisonexp.org] that ordinary people with power** are at unique risk to become dicks.

              (Also, I'm not saying you're a dick. Just to be clear.)

              ** One could
              • Sure, which is why there has to be dicks who watch dicks. Kind of like the checks and balances that are supposed to exist in our government. Except they don't.

        • by DarkOx ( 621550 )

          Is that you number 6?

        • A couple of anecdotes:

          The NSA's input into the original DES password crypto stuff bears looking at. They managed to prevent a whole block of cyphers being used in the 1970s and it wasn't until the late 1990s that civilian researchers found out how borken that particular set was.

          In that case the NSA was _shoring up_ crypto, not breaking it down.

          Back in the late 1990s, I needed to explain how public key crypto (pgp-style) worked to one of my elderly customers.
          His response: "Oh ok. We were using that stuff in

  • If they can only listen to phone calls and view text messages. That's like saying someone has "total access" to your machine because they installed a keylogger. Is it dangerous and invasive? Yes. But it's not "total access", if they can't actually *control* anything...

  • I'm going back to using coconuts for communication.
  • by JohnnyComeLately ( 725958 ) on Friday December 19, 2014 @11:26AM (#48634835) Homepage Journal

    If I break into your house, and then walk into your main hallway, and then say, "There is a security flaw in your home! From this point in your hallway I can listen to any room, or walk down freely into any room." As you're looking at your front door splintered from the battering ram I hit it with to get in, would you call it a "hack," a flaw or something to be concerned about how your hallway(s) go through your house? No, you'd say, "The hallway is fine, I need a stronger front door. BTW, the Glock I'm holding is loaded."

    When I start to read, "SS7 was designed in the 80s," I already know I'm dealing wtih a mental midget. Actually, SS7 begain due to the first ever hackers. Remember 2600? As in, 2600 Hz was the signaling frequency for a landline switch. Throw that tone, and you could make calls (for free if it was a payphone). Hence, telecoms came up with an idea to do out of band signaling, which eventually became SS7. So, saying you can "hack" SS7 is very misleading because all SS7 does is coordinate call set up. That "ringing" you hear as you wait for the far, distant switch to reply that the called line is available, is a "comfort tone," as SS7 does it's work. Besides cutting down on fraud, SS7 keeps circuits available, because if the called number is busy, or unavailable, there's no point in setting up a line between your local switch and the switch at the far end.

    In the deepest bowels of a switching office, usually near the back, you'll see SS7 racks. These connect from and between local, long-distance and other switches. It's what you'd call, "Back Office," network, similar to the network used by the telecoms to manage their servers your traffic go across but you'll never touch. Such as 3G data going through PCF after it's left the mobile switch, and before it hits an internet backbone ATM. So in simple terms, you'd have to break in, figure out the network, and then figure out a 2nd break in to get to the SS7, and then you'd be in a very small part of the network.

    Honestly, if you're going to be doing that much effort, you're NOT going after SS7. Just hack the 3-letter agencies or other LEO server for court-approved wiretapping that is hanging off the switching network and you're in anything, everything, anywhere.

  • by Anonymous Coward

    You might think "meh, ss7, old protocol not in use much", but... a huge number of voice and network transit products use SS7 signalling, and pretty much all the big players in trunk and voice kit have ss7 modules or compatibility mode built right in.
    The syntax is pretty odd, I've had a play and generating it on the fly was difficult but we could log in and do some basic manipulation of configs etc but we had no documentation, but I was sure there were other funky stuff hiding there, but ultimately managemen

  • by hazeii ( 5702 ) on Friday December 19, 2014 @12:26PM (#48635483) Homepage
    The comments above about SS7 being designed without security are spot-on. In the old days, access to the SS7 network was strictly for big players and salesmen with 'extremely customer-friendly' expense accounts. Basically, anyone with access was a big player (with all the baggage that entails).

    Really, the issue here is with MAP (an add-on to SS7 to support mobiles). The explosion of mobile means SS7 is no longer just the playing field for national carriers - mobile-only operators came to the party (still all $xbillion players). Then, smaller countries with some interesting networks came on the scene, and rather naughty SS7 traffic started to appear on the network.

    Smarter operators (or at least bigger ones who got their fingers burnt) spent money to install gateways that limit and control their exposure (wouldn't you?). The less clueful/more cash-strapped/networks in less-developed countries remain more exposed.

    Anyone interested can search for 'SS7 mobility management' ; the <a href="http://www.informit.com/library/content.aspx?b=Signaling_System_No_7&seqNum=116">code is easy</a>, the issue is getting access to the network.

    Oh, wait, these days SS7 is being routed over IP now (ever wondered what the <a href="http://lksctp.sourceforge.net/">linux SCTP module</a> is actually for?).
  • An intentional design feature.

    • by AHuxley ( 892839 )
      Yes when the NSA and GCHQ where setting up the standards with the telcos in the 1980's they had Ireland (live monitoring) and other cold war issues in mind.
      A standard that was just able to keep the press out and users safe but be open to the security services in real time.
      Voice, gps, video, images, live mic, plain text, tracking and all the other wiretap friendly methods and standards could be seen with CALEA and what is shipped now.
      Italy had the SISMI-Telecom scandal https://en.wikipedia.org/wiki/... [wikipedia.org]
      G
  • Too often when I hear of "researchers" discovering "flaws" turns out all they are doing is demonstrating an obvious result from commonly known properties of a system.

    You mean you can just mount that unencrypted drive, change root password, boot up and have full access to everything? Well jolly geeewiz...

    SS7 "flaw" is standard operating procedure for Telco's where only meaningful form of security has always been adult supervision.

    Not much different from what happens when one or more "adults" setting up BGP

  • that NSA has known about it and been exploiting it whenever possible.
  • and the the entire planet's phone routing system for that matter.

    Is that it explicitly assumes that only those who are trusted have access to the network at that level.

    That assumption has been blown apart time and time again.

    Hijacked phone ranges were a problem in the 1990s well before the problem of hijacked IP netblocks started being noticed and defended against on the Internet - and they're still a problem which isn't defended against.

    SS7 attacks have been around a long time and telcos won't do anything

Those who do things in a noble spirit of self-sacrifice are to be avoided at all costs. -- N. Alexander.

Working...