{"id":82827,"date":"2017-03-18T22:44:47","date_gmt":"2017-03-19T02:44:47","guid":{"rendered":"http:\/\/rbachnet.wwwmi3-ss40.a2hosted.com\/index.php\/"},"modified":"2022-10-22T12:08:08","modified_gmt":"2022-10-22T16:08:08","slug":"your-mobile-is-leaking-ss7","status":"publish","type":"post","link":"https:\/\/rbach.net\/index.php\/your-mobile-is-leaking-ss7\/","title":{"rendered":"Your Mobile is Leaking SS7"},"content":{"rendered":"

\"Your<\/a>There is a vulnerability<\/strong> in the global phone system. <\/strong>The flaw allows hackers to access telephone data using nothing but a phone number. The flaw<\/strong> is in the Signaling System 7<\/a><\/strong> (PDF) or SS7. SS7 is a set of telephony signaling protocols that exchanges information on telephone networks.<\/p>\n

\"Listening<\/a>The Register<\/em><\/a> points out<\/a> that SS7 signaling technology was developed in the 1970s. It hasn\u2019t been updated, since the systems became accessible over the internet. The weakness in SS7 allows hackers or TLA’s to exploit the vulnerability<\/strong> with the phone number of the user they’re targeting. The flaw allows them to listen to phone calls, read text messages and track the user’s location<\/strong>.<\/p>\n

The SS7 flaw<\/h3>\n

A white paper<\/a> (PDF) by independent cyber-security company Positive Technologies<\/a> explains.<\/p>\n

The process of placing voice calls in modern mobile networks is still based on SS7 technology which dates back to the 1970s. At that time, safety protocols involved physical security of hosts and communication channels, making it impossible to obtain access to an SS7 network through a remote unauthorized host. In the early 21st century, a set of signaling transport protocols called SIGTRAN<\/a><\/strong> were developed. SIGTRAN is an extension to SS7 that allows the use of IP networks to transfer messages<\/strong>.<\/em><\/p>\n

However, even with these new specifications, security vulnerabilities within SS7 protocols remained. As a result, an intruder is able to send, intercept and alter SS7 messages<\/strong> by executing various attacks against mobile networks and their subscribers.<\/em><\/p>\n

The real-world result of the SS7 flaw as Alex Mathews, technical manager EMEA of Seoul Korea-based Positive Technologies<\/a> explained is.<\/p>\n

Chat applications such as WhatsApp, Telegram, and others use SMS verification<\/strong> based on text messages using SS7 signaling to verify the identity of users\/numbers.<\/em><\/p>\n

\"SMSSMS authentication is one of the major security mechanisms for services like WhatsApp<\/a><\/strong>, Viber<\/a>, Telegram<\/a>, Facebook<\/a><\/strong> (FB<\/a>), and is also part of second-factor authentication<\/a> for Google<\/a><\/strong> (GOOG<\/a>) accounts, etc. Devices and applications send SMS messages via the SS7 network<\/strong> to verify identity, and an attacker can easily intercept these and assume the identity of the legitimate user<\/strong>. Having done so, the attacker can read and write messages as if they are the intended recipient.<\/em><\/p>\n

If chat history is stored on the server, this information can also be retrieved.<\/em><\/p>\n

60 Minutes hacks SS7<\/h3>\n

The hack first came to light in 2014. Security researcher Karsten Nohl demonstrated the SS7 flaw at a convention in Germany according to FierceWireless<\/a><\/em>. CBS 60 Minutes<\/a> (rb- <\/strong>That\u2019s still on?<\/em>) caused a mild ripple after they ran a story on the flaw. The program engaged Mr. Nohl to demonstrate the vulnerability. He was able to track a new iPhone\u00a0that had been given to U.S. Rep. Ted Lieu<\/a> (D-CA).<\/p>\n

Mr. Lieu, who holds a degree in computer science from Stanford<\/a>, agreed to use the phone to talk to his staff knowing it would be hacked. From his office in Berlin, Mr. Nohl was able to access Rep. Lieu’s phone. He tracked the representative’s movements in Los Angeles, read messages, and recorded phone calls between Representative Lieu and his staff.<\/p>\n

\"recordCBS correspondent Sharyn Alfonsi<\/a> contacted representatives from CTIA<\/a> for comment on the story. The CTIA said that there have been reports of SS7-related security breaches abroad. She stated, “… but (they) assured us that all U.S. cellphone networks were secure.<\/em>” Despite the fact that Mr. Lieu was on a U.S. network when his phone was hacked from Germany.<\/p>\n

An open secret<\/h3>\n

The flaw “is an open secret among the world’s intelligence agencies — including ours — and they don’t necessarily want that hole plugged,<\/em>” Ms. Alfonsi reported. The four major U.S. wireless operators declined to discuss more specific questions from\u00a0FierceWireless<\/a><\/em>. When asked whether the flaw may threaten the privacy and security of subscribers, AT&T<\/a> (T<\/a>) and Verizon<\/a> (VZ<\/a>) deferred to CTIA. Sprint<\/a> (S<\/a>) and T-Mobile<\/a> (TMUS<\/a>) declined to discuss SS7.<\/p>\n

\"ListenRepresentative Lieu has called for a congressional investigation of the vulnerabilities in SS7. He wrote that “The applications for this vulnerability are seemingly limitless, from criminals monitoring individual targets to foreign entities conducting economic espionage on American companies to nation states monitoring U.S. government officials.<\/em>” Lieu said the investigation should be conducted by the House Oversight and Government Reform Committee<\/a>, of which he is a member.<\/p>\n

Investigate the flaws in SS7<\/h3>\n

The Register<\/em><\/a> reports<\/a> that Senator Ron Wyden<\/a> (D-OR) recently joined Representative Lieu to investigate the flaws in SS7. The pair plan to send an open letter<\/a> [PDF] to Homeland Security<\/a>. They want an update from Secretary John Kelly on DHS’s progress in addressing the SS7 design shortcomings. It also asks why the agency isn’t doing more to alert the public about the issue. The letter states in part:<\/p>\n

We suspect that most Americans simply have no idea how easy it is for a relatively sophisticated adversary to track their movements, tap their calls, and hack their smartphones. … We are also concerned that the government has not adequately considered the counterintelligence threat posed by SS7-enabled surveillance.<\/em><\/p>\n

\u00a0rb-<\/em><\/strong><\/p>\n

It is important to understand that the wired and wireless telephone network that your phone connects to is not secure. They probably never will be. <\/em><\/p>\n

Telephone networks were not designed to be secure.<\/em><\/p>\n

In the most recent draft<\/a> of the new Digital Identity Guidelines<\/a> requirements from NIST<\/a> warns that:<\/em><\/p>\n

Note: Out-of-band authentication using the PSTN (SMS or voice) is discouraged and is being considered for removal in future editions of this guideline.<\/em><\/p>\n

You really have to wonder if this is related to the SS7 hole and why it is only being considered for removal. Maybe some of its TLA friends want the hole to stay in place.<\/em><\/p>\n

I previously covered the SS7 flaw implications to SMS here<\/a>.<\/em><\/p>\n

Related articles<\/h6>\n