German researchers have discovered security flaws that could let hackers, spies and criminals listen to private phone calls and intercept text messages on a potentially massive scale, even when cellular networks are using the most advanced encryption now available.
The flaws, to be reported at a hacker conference in Hamburg this month, are the latest evidence of widespread insecurity on SS7, the global network that allows the world's cellular carriers to route calls, texts and other services to each other. Experts say it's increasingly clear that SS7, first designed in the 1980s, is riddled with serious vulnerabilities that undermine the privacy of the world's billions of cellular customers.
The flaws discovered by the German researchers are actually functions built into SS7 for other purposes, such as keeping calls connected as users speed down highways, switching from cell tower to cell tower, that hackers can repurpose for surveillance because of the lax security on the network.
Those skilled at the myriad functions built into SS7 can locate callers
anywhere in the world, listen to calls as they happen or record
hundreds of encrypted calls and texts at a time for later decryption.
There also is potential to defraud users and cellular carriers by using
SS7 functions, the researchers say.
These vulnerabilities continue to exist even as cellular carriers invest billions of dollars to upgrade to advanced 3G technology aimed, in part, at securing communications against unauthorized eavesdropping. But even as individual carriers harden their systems, they still must communicate with each other over SS7, leaving them open to any of thousands of companies worldwide with access to the network. That means that a single carrier in Congo or Kazakhstan, for example, could be used to hack into cellular networks in the United States, Europe or anywhere else.
"It's like you secure the front door of the house, but the back door is wide open," said Tobias Engel, one of the German researchers.
Engel, founder of Sternraute, and Karsten Nohl, chief scientist for
Security Research Labs, separately discovered these security
weaknesses as they studied SS7 networks in recent months, after The
Washington Post reported the widespread marketing of surveillance
systems that use SS7 networks to locate callers anywhere in the
world. The Post reported that dozens of nations had bought such
systems to track surveillance targets and that skilled hackers or
criminals could do the same using functions built into SS7. (The term
is short for Signaling System 7 and replaced previous networks called
SS6, SS5, etc.)
The researchers did not find evidence that their latest discoveries,
which allow for the interception of calls and texts, have been
marketed to governments on a widespread basis. But vulnerabilities
publicly reported by security researchers often turn out to be tools
long used by secretive intelligence services, such as the National
Security Agency or Britain's GCHQ, but not revealed to the public.
"Many of the big intelligence agencies probably have teams that do nothing but SS7 research and exploitation," said Christopher Soghoian, principal technologist for the ACLU and an expert on surveillance technology. "They've likely sat on these things and quietly exploited them."
The GSMA, a global cellular industry group based in London, did not respond to queries seeking comment about the vulnerabilities that Nohl and Engel have found. For the Post's article in August on location tracking systems that use SS7, GSMA officials acknowledged problems with the network and said it was due to be replaced over the next decade because of a growing list of security and technical issues.
The German researchers found two distinct ways to eavesdrop on calls using SS7 technology. In the first, commands sent over SS7 could be used to hijack a cell phone's forwarding function, a service offered by many carriers. Hackers would redirect calls to themselves, for listening or recording, and then onward to the intended recipient of a call. Once that system was in place, the hackers could eavesdrop on all incoming and outgoing calls indefinitely, from anywhere in the world.
The second technique requires physical proximity but could be
deployed on a much wider scale. Hackers would use radio antennas
to collect all the calls and texts passing through the airwaves in an
area. For calls or texts transmitted using strong encryption, such as is
commonly used for advanced 3G connections, hackers could request
through SS7 that each caller's carrier release a temporary encryption
key to unlock the communication after it has been recorded.
Nohl on Wednesday demonstrated the ability to collect and decrypt a
text message using the phone of a German senator, who cooperated
in the experiment. But Nohl said the process could be automated to
allow massive decryption of calls and texts collected across an entire
city or a large section of a country, using multiple antennas.
"It's all automated, at the push of a button," Nohl said. "It would strike me as a perfect spying capability, to record and decrypt pretty much any network ... Any network we have tested, it works."
Those tests have included more than 20 networks worldwide, including T-Mobile in the United States. The other major U.S. carriers have not been tested, though Nohl and Engel said it's likely at least some of them have similar vulnerabilities. (Several smartphone-based text messaging systems, such as Apple's iMessage and Whatsapp, use end-to-end encryption methods that sidestep traditional cellular text systems and likely would defeat the technique described by Nohl and Engel.)
In a statement, T-Mobile said: "T-Mobile remains vigilant in our work with other mobile operators, vendors and standards bodies to promote measures that can detect and prevent these attacks."
The issue of cell phone interception is particularly sensitive in
Germany because of news reports last year, based on documents
provided by former NSA contractor Edward Snowden, that a phone
belonging to Chancellor Angela Merkel was the subject of NSA
surveillance. The techniques of that surveillance have not become
public, though Nohl said that the SS7 hacking method that he and
Engel discovered is one of several possibilities.
U.S. embassies and consulates in dozens of foreign cities, including
Berlin, are outfitted with antennas for collecting cellular signals,
according to reports by German magazine Der Spiegel, based on
documents released by Snowden. Many cell phone conversations
worldwide happen with either no encryption or weak encryption.
The move to 3G networks offers far better encryption and the
prospect of private communications, but the hacking techniques
revealed by Nohl and Engel undermine that possibility. Carriers can
potentially guard their networks against efforts by hackers to collect
encryption keys, but it's unclear how many have done so. One
network that operates in Germany, Vodafone, recently began
blocking such requests after Nohl reported the problem to the
company two weeks ago.
Nohl and Engel also have discovered new ways to track the locations of cell phone users through SS7. The Post story, in August, reported that several companies were offering governments worldwide the ability to find virtually any cell phone user, virtually anywhere in the world, by learning the location of their cell phones through an SS7 function called an Any Time Interrogation query.
Some carriers block such requests, and several began doing so after
the Post's report. But the researchers in recent months have found
several other techniques that hackers could use to find the locations
of callers by using different SS7 queries. All networks must track their
customers in order to route calls to the nearest cellular towers, but
they are not required to share that information with other networks
or foreign governments.
Carriers everywhere must turn over location information and allow
eavesdropping of calls when ordered to by government officials in
whatever country they are operating in. But the techniques
discovered by Nohl and Engel offer the possibility of much broader
collection of caller locations and conversations, by anyone with access
to SS7 and the required technical skills to send the appropriate
queries.
"I doubt we are the first ones in the world who realize how open the SS7 network is," Engel said.
Secretly eavesdropping on calls and texts would violate laws in many
countries, including the United States, except when done with explicit
court or other government authorization. Such restrictions likely do
little to deter criminals or foreign spies, say surveillance experts, who
say that embassies based in Washington likely collect cellular signals.
The researchers also found that it was possible to use SS7 to learn the phone numbers of people whose cellular signals are collected using surveillance devices. The calls transmit a temporary identification number which, by sending SS7 queries, can lead to the discovery of the phone number. That allows location tracking within a certain area, such as near government buildings.
The German senator who cooperated in Nohl's demonstration of the
technology, Thomas Jarzombek of Merkel's Christian Democratic
Union party, said that while many in that nation have been deeply
angered by revelations about NSA spying, few are surprised that such
intrusions are possible.
"After all the NSA and Snowden things we've heard, I guess nobody believes it's possible to have a truly private conversation on a mobile phone," he said. "When I really need a confidential conversation, I use a fixed-line phone."
Hackers demo network-level call interception
January 05, 2015
White-hat hackers at the 31st Chaos Computer Congress have demonstrated
fundamental flaws in the underlying infrastructure of 2G and 3G mobile phone
networks. The flaws allow attackers to covertly track the location of a phone
number as well as intercept calls and SMS - all at the network level.
Tobias Engel from the Chaos Computer Club demonstrated in front of a live audience how it was possible to send a fake network message from his laptop to block a phone from making calls and even divert calls to another phone. This could be diverted to a man-in-the-middle recording of the conversation. He also showed how a couple of volunteers were tracked over a few weeks as they travelled around the United States and Europe, again by spoofed network messages simply asking the mobile service center (MSC) server for the location of the subscriber.
Engel said that a journalist has contacted him with claims from a security
company offering tracking of individuals down to the city street with just their
phone number, and asked how it could be done.

GSM and UMTS systems all depend on a protocol called Signalling System 7 (SS7) which was designed around fixed-line telephones in the 1980s. With each phone line at a physical house and most telcos being trusted state-owned operators, privacy was not a concern at the time.
SS7 has been extended with new protocols added over time to allow for
mobility, text messages and geo-location and roaming, for instance. The
problem is that SS7 fundamentally does not have any authentication.
Many operators are selling legitimate access to SS7, for instance for text
messaging or vehicle fleet management.
With the advent of femto cells, it is even possible for people to hack into their
femto units to gain direct access to the SS7 network.
In order to track a target with simply his phone number, the attacker with
access to SS7 can simply ask the HLR (home location register) for the
international mobile subscriber identity (IMSI) and the mobile switching center
(MSC) that the target is currently using. This is done by using what is called an
anytime interrogation SS7 message to the HLR.
Many networks have blocked anytime interrogation messages, but a workaround is to use the SMS routing to find the IMSI and MSC instead, again with SS7 messages.
If that fails (with home SMS routing installed), an attacker with the IMSI gained through out-of-band means can simply brute-force requests to MSCs all over the world until the right MSC is found.
Armed with the IMSI and the MSC, the attacker then sends an SS7 message directly to the MSC to query the location of the target.
"The MSC does not do plausibility assessments. If a German user is in his home network, an Indonesian network should not have anything to do with it [but is not prevented]. Most MSCs accept requests from anywhere and anyone," he said.
Engel said that some networks have implemented a verify sender address
mechanism for geo-location. But he said that simply by spoofing the source
address, called the global title, to something that looks similar to the global
title of the MSC, it was possible to circumvent the check and be treated as a
legitimate, local server.
Away from location, it is possible to use SS7 messages to manipulate a
target's phone. Since this is at the network level, it is irrelevant if it is a
smartphone or a simple feature phone.
Engel demonstrated in front of the live audience how it was possible to send
SS7 messages to the MSC in order to block calls to a phone and divert calls to
a third party. This could be used to set up a man-in-the-middle to eavesdrop
on calls.
This was possible because when roaming, users often dial local numbers without the international prefix. There is an SS7 message that allows the HLR to tell the MSC, "when this subscriber makes a call, ask me first." The idea is that when, for instance, a German subscriber is roaming in France, domestic German numbers are prefixed with the international country code of Germany so they can be routed correctly.
But since the HLR's SS7 messages can be spoofed, an attacker with access to the SS7 network can send a message pretending to be the target's HLR and tell the MSC to ask it when the target tries to make a call, and thereby set up the man-in-the-middle attack.
The same can be done for SMS, USSD and, Engel said, probably data though
he said that was not tested yet.
Yet another vulnerability detailed involved de-anonymizing temporary mobile subscriber information (TMSI) numbers and getting the IMSI and phone numbers of other users in the vicinity of the attacker.
By simply capturing TMSI paging requests over the air it is possible to send an
SS7 update to the MSC that will result in the full HLR details being returned.
"If you do that often enough in Berlin, I don't know how long it would take you to get Angela Merkel's phone number," he said.
Though SS7 is used on GSM and UMTS 3G networks, LTE uses a new protocol
called Diameter. However, Diameter has apparently copied many of the flaws
of SS7 and still does not have end-to-end authentication.
Asked about this revelation, AIS vice-president for networks Saran
Phaloprakarn pointed out one flaw in the doomsday scenario laid out by the
Chaos Computer Club. While he acknowledged that the SS7 protocol was
fundamentally flawed, he said the SS7 hacks could be detected at the network
level with proper monitoring.
Neither Dtac nor TrueMove responded to questions by time of going to press.
German researchers have announced the discovery of new security flaws in the SS7 protocol that could be exploited by an attacker to spy on private phone calls.
A team of German researchers has discovered security flaws that can be exploited by a threat actor to spy on private phone calls and intercept text messages on a large scale, even when the mobile phones are using the most advanced encryption now available.
The flaws will be reported at the next hacker conference in Hamburg, and once again the attacks exploit insecurity in the SS7 protocol, also known as Signaling System Number 7, the protocol suite used by telecommunications operators to communicate with one another when directing calls, texts and Internet data.
The researchers also explained that the flaws in the SS7 protocol could be also
exploited by criminal crews to defraud users and cellular carriers.
"The flaws, to be reported at a hacker conference in Hamburg this month, are the latest evidence of widespread insecurity on SS7, the global network that allows the world's cellular carriers to route calls, texts and other services to each other. Experts say it's increasingly clear that SS7, first designed in the 1980s, is riddled with serious vulnerabilities that undermine the privacy of the world's billions of cellular customers.
The flaws discovered by the German researchers are actually functions built into SS7 for other purposes, such as keeping calls connected as users speed down highways, switching from cell tower to cell tower, that hackers can repurpose for surveillance because of the lax security on the network," reports The Washington Post.
The SS7 protocol allows cell phone carriers to collect location data related to the user's device from cell phone towers and share it with other carriers; this means that by exploiting SS7 a carrier is able to discover the position of its customer wherever he is.
In a previous post, I explained that surveillance vendors using the SS7
protocol are able to geo-localize users with great precision.
"The tracking technology takes advantage of the lax security of SS7, a global network that cellular carriers use to communicate with one another when directing calls, texts and Internet data," reports the Washington Post.
As explained by the researchers, the problem resides in the intrinsic security of the protocol, which is considered outdated due to the presence of several serious security vulnerabilities that can lead to the violation of the privacy of billions of mobile users worldwide.
At the time I'm writing, the researchers haven't provided other information on the security vulnerabilities discovered in the SS7 protocol, but the experts believe that hackers can exploit them to track an individual or redirect user calls to the attackers.
The attack scenario is worrying and opens the door to massive surveillance activities. The American Civil Liberties Union (ACLU) has also warned people against possible abuse of such vulnerabilities by intelligence agencies and law enforcement.
"Don't use the telephone service provided by the phone company for voice. The voice channel they offer is not secure," principal technologist Christopher Soghoian told Gizmodo. "If you want to make phone calls to loved ones or colleagues and you want them to be secure, use third-party tools. You can use FaceTime, which is built into any iPhone, or Signal, which you can download from the app store. These allow you to have secure communication on an insecure channel."
Unfortunately, the vulnerabilities in the SS7 protocol will continue to be present, even as cellular carriers upgrade to advanced 3G technology to avoid eavesdropping.
"But even as individual carriers harden their systems, they still must communicate with each other over SS7, leaving them open to any of thousands of companies worldwide with access to the network. That means that a single carrier in Congo or Kazakhstan, for example, could be used to hack into cellular networks in the United States, Europe or anywhere else," states the Washington Post.
"It's like you secure the front door of the house, but the back door is wide open," said Tobias Engel, one of the German researchers.
The team of researchers did not find evidence that the flaws discovered have been marketed to governments on a widespread basis; in any case, it is impossible to know whether intelligence agencies are already exploiting them in their operations.

"Many of the big intelligence agencies probably have teams that do nothing but SS7 research and exploitation. They've likely sat on these things and quietly exploited them," Soghoian said.
Stay Tuned for further information
Pierluigi Paganini
(Security Affairs SS7 protocol, surveillance)
Surveillance: How to secretly track cellphone users' position around the globe
September 18, 2014 By Pierluigi Paganini
Using the proper surveillance systems available on the market, it is easy and quick to track cellphones and the movements of targets everywhere on the globe.
We recently discussed the decision of Wikileaks to publish copies of the criticized surveillance software FinFisher, highlighting the dangers of the militarization of cyberspace and in particular of the use of spyware to track users.
The principal vendors of surveillance platforms defend their business by declaring that the solutions are only for law enforcement and intelligence agencies. Unfortunately the reality is quite different, because many threat actors worldwide use surveillance malware to track individuals for different reasons.
The Washington Post published an interesting article a few weeks ago on
surveillance technology that can be used to track individuals anywhere in the
world through the localization of their mobile devices.
The post explains that surveillance vendors using the SS7 protocol, aka Signaling System Number 7, are able to geo-localize users with great precision.
"The tracking technology takes advantage of the lax security of SS7, a global network that cellular carriers use to communicate with one another when directing calls, texts and Internet data," reports the Washington Post.
SS7, or Signaling System Number 7, is a protocol suite used by telecommunications operators to communicate with one another when directing calls, texts and Internet data. The SS7 protocol allows cell phone carriers to collect location data related to the user's device from cell phone towers and share it with other carriers; this means that by exploiting SS7 a carrier is able to discover the position of its customer wherever he is.
"The system was built decades ago, when only a few large carriers controlled the bulk of global phone traffic. Now thousands of companies use SS7 to provide services to billions of phones and other mobile devices, security experts say," explains the post.
"All of these companies have access to the network and can send queries to other companies on the SS7 system, making the entire network more vulnerable to exploitation. Any one of these companies could share its access with others, including makers of surveillance systems," continues the Washington Post.
Another family of devices sold by companies which provide surveillance solutions are the IMSI catchers, also known by one popular trade name, StingRay. An IMSI catcher (International Mobile Subscriber Identity) is a device for telephony eavesdropping commonly used for intercepting mobile phone traffic and tracking the movement of mobile phone users. Essentially, it operates as a bogus mobile cell tower between the target mobile phone and the service provider's real towers. The IMSI catcher runs a Man In the Middle (MITM) attack that could not be detected by victims using commercial products.
The use of trackers based on exploitation of the SS7 protocol is recommended in combination with IMSI catchers: while the SS7 tracker locates the victim, the IMSI catcher can then be deployed effectively.
StingRays are common surveillance devices that are able to intercept calls and Internet traffic, send fake texts, install malware on a phone, and of course find the precise location of the victim.
"What's interesting about this story is not that the cell phone system can track your location worldwide. That makes sense; the system has to know where you are. What's interesting about this story is that anyone can do it," said the popular expert Bruce Schneier.
Privacy advocates are really concerned about possible misuse of such technology; foreign state-sponsored hackers and cyber criminals could use it for illegal activities. Let's remember that it is illegal in many countries to track individuals without a court order, but there is no clear international legal framework that punishes ill-intentioned actors for secretly tracking people in other countries.
The FCC recently created an internal task force to study the misuse of IMSI catchers in the cybercrime ecosystem and by foreign intelligence agencies, which demonstrated that this technology could be used to spy on American citizens, businesses and diplomats.
Don't forget that governments, to track us, just need to type our phone number into a computer portal, which then collects data about our location, to within a few blocks in an urban area or a few miles in a rural one, from databases maintained by cellular carriers.
The Washington Post made explicit reference to a 24-page marketing brochure for the cellular tracking system sold by Verint codenamed SkyLock. The document, dated January 2013 and labeled "Commercially Confidential," reveals the system offers government agencies "a cost-effective, new approach to obtaining global location information concerning known targets."
The brochure includes screen shots of maps depicting location tracking in
what appears to be Mexico, Nigeria, South Africa, Brazil, Congo, the United
Arab Emirates, Zimbabwe and several other countries. Verint says on its Web
site that it is a global leader in Actionable Intelligence solutions for customer
engagement optimization, security intelligence, and fraud, risk and
compliance, with clients in more than 10,000 organizations in over 180
countries.
As said by Eric King, deputy director of Privacy International:
"Any tin-pot dictator with enough money to buy the system could spy on people anywhere in the world. This is a huge problem."
Pierluigi Paganini
(Security Affairs Surveillance, privacy)
The recently concluded Chaos Communications Congress (31c3) in Hamburg, Germany was an all-out assault on cellular call privacy and security. Of particular interest was the SS7 protocol used to route calls between switching centers.
Researchers, doing parallel research as it turns out, found gaping holes in the protocol that allow an attacker to sit in a man-in-the-middle position and re-route calls and SMS messages, or carry out denial-of-service attacks. More worrying to physical security is also the ability to learn a person's location and track them.
The bugs are a spy's dream, and Tobias Engel said he is aware of one real-world attack carried out in the Ukraine and discovered by a telecommunications operator in that country, carried out by a Russian SS7 network.
Engel, founder of Sternraute, a Berlin-based service provider specializing in privacy, said that an attacker would need only to know his target's phone number in order to track their location or spy on their calls. The maligned SS7 protocol was designed in the 1980s, long before mainstream cellular use, and security and privacy shortcomings have not kept up with the times, Engel said. Services built on top of SS7 to enable mobile communication, MAP and CAMEL, operate without authentication, Engel said, leaving the door wide open for abuse.
Karsten Nohl, of SR Labs in Germany, also spoke at 31c3 and tore into SS7
and demonstrated that attacks can also be carried out over 3G networks in
order to record voice and SMS communication as well. He released a tool for
Android devices called SnoopSnitch that detects IMSI catchers and other
attacks over SS7.
"I think it's really scary. You don't have to know somebody, you just have to know his phone number and you can track him from the other side of the world. You don't have to be near him, you just need SS7 access," Engel said, pointing out that such access can be purchased from telecom and network operators. Also, he said, there are vendors selling products that maneuver against SS7. "Companies offering these services are saying they are only offering them to law enforcement and government agencies. I don't know about you, but there are many countries in the world whose governments I wouldn't trust with this functionality."
Governments have been known not only to monitor call activity of citizens and
high-value industrial or government targets, but also track the location of
activists and dissidents in oppressed parts of the world. Engel's SS7
presentation included a demonstration of tracking he did of a volunteer,
mapping out their journey from Seattle, to their home in the Netherlands and
eventually to Hamburg and 31c3.
Engel's attack takes advantage of the Home Location Register (HLR), a database containing subscriber data including their phone number. The HLR, he said, knows which mobile switching center, or visitor location register (VLR), is closest to the subscriber in order to deliver calls and SMS messages. An attacker can use a Mobile Application Part (MAP) anyTimeInterrogation request to the HLR to learn the subscriber's cell ID; the HLR then pages the right switching center and returns the information to the attacker, Engel said.
European networks block ATI requests for the most part, but that won't deter an attacker, who instead can just ping the mobile switching center directly to learn the cell ID and IMSI number. Most switching centers accept requests from anywhere and no plausibility checks are done, Engel said.
Engel brought the problem to the attention of a number of German operators, he said. The operators looked at their traffic and saw a lot of it carried people's geo-positions. After filtering out the ability to learn IMSI and switching center location, attack traffic dropped 80 percent, Engel said. The remaining traffic was either from misconfigured networks, or unknown traffic that he said was requests by state actors or other network operators. Some attacks persist because an attacker can learn the IMSI from other sources, or brute-force a number range from the switching center.
Engel also demonstrated how an attacker could abuse the CAMEL protocol to overwrite switching center data belonging to the subscriber with the attacker's GSM address without the subscriber's knowledge. When a subscriber makes a call, he said, the switch center would instead contact the attacker's ID. The attacker could record traffic, learning what numbers are dialed, and bridge calls, sitting in the middle and recording content, Engel said.
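The two talks summarised above (the Telecom Asia piece on ATI, direct MSC queries and the look-alike global title, and this Threatpost account of the HLR lookup and the CAMEL overwrite) all come back to the same gap: MSCs and HLRs answer whoever asks. The screening function below is an added example, not code from the articles, the researchers or any operator quoted here; it shows the plausibility checks an SS7 border could apply. Global titles, PLMN codes and IMSIs are constructed, and the PLMN-to-GT-prefix table is a stand-in for the roaming-partner data a real operator holds.

```python
"""Plausibility screening for inbound MAP signalling at an SS7 border.

Added example; not code from the articles, the researchers or any operator
quoted on the page. Global titles, PLMN codes and IMSIs are constructed.
MAP operation codes are those defined in 3GPP TS 29.002.
"""
from dataclasses import dataclass
from typing import List, Optional

# MAP operation codes (3GPP TS 29.002) for the operations the talks describe.
# sendRoutingInfoForSM (45) is deliberately absent: it must be answered for
# foreign SMSCs, which is why SMS home routing, not filtering, is the fix there.
INSERT_SUBSCRIBER_DATA = 7    # HLR -> VLR: subscriber profile, may carry CAMEL O-CSI
PROVIDE_SUBSCRIBER_INFO = 70  # HLR -> VLR: cell ID and state of the subscriber
ANY_TIME_INTERROGATION = 71   # gsmSCF -> HLR: location and IMSI in one query

# Our network (constructed): a German PLMN whose core nodes use GTs 4917...
HOME_PLMN = "26299"                                          # MCC 262, made-up MNC 99
HOME_HLR_GTS = frozenset({"491770000001", "491770000002"})   # trusted HLR/gsmSCF GTs
# PLMN -> E.164 prefix of that network's core nodes (constructed; in a real
# deployment this comes from roaming partners' IR.21 documents).
PLMN_GT_PREFIX = {HOME_PLMN: "4917", "51099": "6281"}
# IMSIs currently registered in our VLR (constructed): one home subscriber,
# one inbound roamer from the constructed Indonesian PLMN 51099.
ATTACHED = frozenset({"262991234567890", "510991234567890"})


@dataclass(frozen=True)
class MapMessage:
    opcode: int
    calling_gt: str                   # SCCP calling-party global title (E.164 digits)
    imsi: str                         # subscriber the operation is about
    gsmscf_gt: Optional[str] = None   # gsmSCF address from O-CSI (ISD only)


def plmn_of(imsi: str) -> str:
    """MCC+MNC of an IMSI; a two-digit MNC is assumed in this example."""
    return imsi[:5]


def same_network(gt: str, plmn: str) -> bool:
    """True if the global title belongs to the core of the given PLMN."""
    prefix = PLMN_GT_PREFIX.get(plmn)
    return prefix is not None and gt.startswith(prefix)


def screen(msg: MapMessage, attached: frozenset = ATTACHED) -> List[str]:
    """Plausibility findings for one inbound message; an empty list means pass."""
    findings = []
    home_sub = plmn_of(msg.imsi) == HOME_PLMN
    # Sender verification is an exact allowlist match. A prefix or "looks like
    # our HLR" comparison is what a look-alike global title slips past.
    trusted_sender = msg.calling_gt in HOME_HLR_GTS

    if msg.opcode == ANY_TIME_INTERROGATION:
        # ATI has no use across the border: another network never has a
        # reason to send it, whoever the target subscriber is.
        if not trusted_sender:
            findings.append("ATI from foreign GT %s" % msg.calling_gt)

    elif msg.opcode in (PROVIDE_SUBSCRIBER_INFO, INSERT_SUBSCRIBER_DATA):
        # Only the subscriber's own HLR has business with the VLR record:
        # a German home subscriber has nothing to do with an Indonesian HLR,
        # and nobody has business with a subscriber who is not attached here.
        if msg.imsi not in attached:
            findings.append("target %s is not attached to this VLR" % msg.imsi)
        if home_sub and not trusted_sender:
            findings.append("sender %s is not a home HLR" % msg.calling_gt)
        if not home_sub and not same_network(msg.calling_gt, plmn_of(msg.imsi)):
            findings.append("sender %s is not the roamer's home network" % msg.calling_gt)
        if msg.opcode == INSERT_SUBSCRIBER_DATA and msg.gsmscf_gt is not None:
            # O-CSI makes the MSC consult the named gsmSCF before each outgoing
            # call. A gsmSCF outside the subscriber's home network is the
            # call-redirect setup the talk demonstrated, even if the calling
            # GT was spoofed to match our own HLR exactly.
            if not same_network(msg.gsmscf_gt, plmn_of(msg.imsi)):
                findings.append("O-CSI gsmSCF %s outside subscriber's home network"
                                % msg.gsmscf_gt)
    return findings


if __name__ == "__main__":
    samples = [
        ("ATI from Indonesian GT", MapMessage(ANY_TIME_INTERROGATION, "628170000001", "262991234567890")),
        ("PSI from look-alike GT", MapMessage(PROVIDE_SUBSCRIBER_INFO, "491770000003", "262991234567890")),
        ("ISD redirecting O-CSI", MapMessage(INSERT_SUBSCRIBER_DATA, "491770000001",
                                              "262991234567890", gsmscf_gt="79210000001")),
        ("PSI for roamer, own HLR", MapMessage(PROVIDE_SUBSCRIBER_INFO, "628170000001", "510991234567890")),
    ]
    for label, msg in samples:
        print("%-26s %s" % (label, screen(msg) or ["pass"]))
```

The last sample passes because an inbound roamer's own HLR is the one node that should be asking about them; the first three are the location probe, the look-alike sender and the CAMEL redirect the talks describe, each caught by a different check.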
Everybody who has a phone in his pocket indirectly uses SS7, Engel said.
Every movement can be tracked and every call can be intercepted.
Source: http://threatpost.com/cellular-privacy-ss7-security-shattered-at31c3/110135
Taking up the Gauntlet: SS7 Attacks
Cathal McDaid 16th December 2014
There have been several recent reports in the media on the results of new
research into the SS7 network. This interesting research outlines a series
of techniques potential attackers can use to listen in to the calls and read
the text messages of others. An obvious question for those of us in the
telecom security industry is whether the threat is real and what we should
do to address it. In considering an answer, we can look at a little-reported
incident that occurred in Ukrainian mobile networks earlier this year.
Last May, a report was issued by the Ukrainian Telecom Regulator (NKRZI[1]).
This document, which went essentially unreported by the press outside of
Ukraine & Russia, contains the result of the investigation of the NKRZI,
assisted by the Ukrainian Security Service (SBU), into telecom network
activity over several days in MTS Ukraine. The key findings of this report were
that over a 3 day period in April 2014, a number of Ukrainian mobile
subscribers were affected by suspicious/custom SS7[2] packets from telecom
network elements with Russian addresses, causing their location and
potentially the contents of their phone calls to be obtained.
The 'attacks' outlined in the document involved SS7 packets being sent
between the mobile operators. Without going into specific details, what
occurred is a series of SS7 packets were received by MTS Ukraine's SS7
network which modified control information stored in network switches for a
number of MTS Ukraine mobile users. In doing so, when one of the affected
mobile subscribers tried to ring someone else, their call would be forwarded to
a physical land line number in St. Petersburg, Russia, without their knowledge
- in effect the call has been intercepted. There is an additional further step
that could be taken for the interception, not outlined in the original Ukrainian
report, but suggested by the Washington Post article. The forwarded-to
number could have initiated a new call to the original targeted subscriber, and
then conference in the intercepted call, thus allowing itself to listen in to the
call without the participants being aware.
In the document, the investigation stated that the custom SS7 packets
themselves came from links allocated to MTS Russia, the parent company of
MTS Ukraine. The Ukrainian regulator then assigned responsibility for the
nodes that generated the SS7 based on the origination addresses in the SS7
packets received. According to the report, some of the SS7 source addresses
that originated the attack were assigned to MTS Russia, while others were
assigned to Rostov Cellular Communications.
It's important to keep in mind that this is the report from one side only,
and it is stated that they draw conclusions about the potential for
interference with the operation of telecom networks on the part of the PSTN
area in the Russian Federation; however, in the report the regulator felt
that MTS Ukraine was not doing enough to maintain the privacy of
subscribers' locations and call forwarding routes. For its part, MTS Russia
denied that the SS7 address used was under its control, thus leaving the
ultimate instigator a mystery. Indeed, in subsequent follow-ups it was
reported that MTS Ukraine was not alone in being at risk, as the Ukrainian
Telecom Regulator stated at a later date that Astelit and Kyivstar, the
other main Ukrainian mobile operators, also experienced external
interference. Whilst we don't have information on the exact subscribers
affected, there have been examples of very sensitive phone calls being
intercepted by unknown means within the region, when using non-government
issued cell-phones. It is purely speculation on our part, but the same SS7
techniques outlined in the report could conceivably have been used to help
achieve these interceptions.
Looking forward, an unfortunate, but seemingly inevitable, side-effect of
these techniques is that they will lead countries that have been adversely
affected by SS7 attacks to attempt to build their own capability, thus
leading to an SS7 arms-race. This has already been experienced in Ukraine,
where new legislation has been submitted that one media source stated will
allow their security services to legally listen in turn to subscribers of
foreign mobile operators, track their location and obtain other information
about the activity of subscribers. Taken to extremes between countries, this
would lead to a form of mutually assured surveillance, with mobile operators
and mobile phone users on both sides suffering.
The Ukrainian report, and the recent research that has been released, show
us that we have moved into uncharted territory. Yes, there is a threat, and
it is real, as the above example shows; however, it does require
considerable technical expertise to do this level of network interference:
not only to run and operate SS7 nodes capable of doing this, but especially
to gain access to the SS7 network in the first place. Plus, the nature of
the risk is very different: consider that there are more users of the SS7
network worldwide than there are users of the internet, yet the number of
attacks on IP networks every day dwarfs what is known to occur over SS7. The
SS7 network is working as designed, but 'bad actors' are increasingly
trying to exploit it. The real danger is that we assume that nothing can be
done to fix the problem and it will just get worse as more 'bad actors' try
to get access. As has been said by others, as an industry we need to work
together to define recommendations and implement solutions to detect and
stop potential attacks, because defences are possible and can make a
difference if deployed correctly.
This coordination is already well underway, and AdaptiveMobile are helping to
contribute to this, but no-one should doubt the amount of work and effort that
will be required to completely secure the SS7 network from organisations that
would seek to exploit it. However, at the same time it would be a mistake for
those using these techniques offensively to assume that their activities &
methods have gone unnoticed. We are now entering the more public stage of
a struggle in which the gauntlet was thrown down some time ago.

Figure: Example AdaptiveMobile visualisation of SS7 activity between several
mobile operators over a short time span, looking for abnormal behaviour.
Colours represent a selection of different SS7 packet types. The 'clumps'
are groups of similar SS7 node types. While unrelated to the events
described in the report, the purpose of such work is to help investigate
ways in which to detect malicious or unusual SS7 behaviour in networks. Such
methods will be called on increasingly in the future to help detect and
block unwanted SS7 activity.

Update : 3/1/2015
In the 3rd paragraph of the original blog entry on 16th of December, it was
stated: "In doing so, when someone tried to ring one of the affected mobile
subscribers..." This has now been updated.
References:
[1] National Commission for the State Regulation of Communications and
Information (NKRZI)
[2] Signalling System 7 (SS7), is a catch-all term for a telecom network
technology that is used by hundreds of cellular companies to allow them to
operate and communicate with each other; it is the computer protocol used
by telecom nodes within cellular networks to provide mobility control, network
registration, call and text setup etc. In short it enables mobile devices to
communicate and roam globally, and it allows mobile operators to control and
bill this activity. All pieces of network hardware that operate in the core
network use SS7 to interoperate with the rest of the network.
Cell Phone Tapping: How It Is Done and Will Anybody Protect Subscribers
You probably have read on various news websites about surveillance
programs led by security services in different countries that reach the
phone and Internet communications of ordinary citizens. We have already
written about possible threats to mobile telecommunication networks, and
today we want to put more emphasis on one of the attack vectors against
mobile subscribers.
In short, the outline is like this. The attacker penetrates the SS7
(Signaling System No. 7) network and sends a Send Routing Info For SM
(SRI4SM) service message to the network channel, specifying the phone
number of an attacked subscriber A as a parameter. Subscriber A's home
network sends the following technical information as a response: the IMSI
(International Mobile Subscriber Identity) and the address of the MSC
currently providing services to the subscriber.
After that, the attacker changes the billing system address in the
subscriber's profile to the address of his own pseudo-billing system and
injects the updated profile into the VLR database via an Insert Subscriber
Data (ISD) message.
When the attacked subscriber makes an outgoing call, his switch addresses
the attacker's system instead of the actual billing system. The attacker's
system sends the switch a directive allowing it to redirect the call to a
third party controlled by the attacker.
At the third-party location, a conference call with three subscribers is
set up: two of them are real (the caller A and the called B), while the
third is introduced by the attacker illegally and is able to listen to and
record the conversation.

I would say to skeptics straight off: this plan is not a fantasy, as you can
see, and it could be realized in practice. At the design stage, the SS7
system was not provided with defense mechanisms against such attacks. It
was assumed that the SS7 network itself is private enough and an "outsider"
cannot access it. However, times are changing and we are witnessing
telephony technologies being used with malicious intent. Unfortunately, one
does not simply enable external SS7 message filtering, since it may affect
the availability of mobile services in roaming. There is no mobile network
operator who wants to lose its money.

The work of an operator providing services to a large number of subscribers
always treads a fine line between information security and availability of
services. The problem is especially acute for mobile network operators: the
range of services is broad and differs between operators; at the same time,
providing services both to their own subscribers and to subscribers from
other networks within the operator's network is desirable, and in such a
manner that subscribers do not face limitations of mobile network services
when traveling abroad.
What you can do
It would be good to fix the so-called "vulnerabilities" in the SS7 protocol stack,
but any expert will tell you that it is impossible. A classic example of the "it's
not a bug, it's a feature" thing.
Instead of being philosophical about mobile network architecture we must
take action. We can do the following, for example:
Perform a penetration test in the SS7 network.
Set up monitoring of warning messages at the operator's network perimeter
by all available means.
Analyze the received information and take steps to minimize the risks.
Penetration Tests
Let's talk a bit about the benefits of penetration tests. As for operator's
network, these tests play a role not only in the detection of vulnerabilities, but
also in solving operational tasks. For instance, you need to perform dozens of
tests considering the specifics of each particular network in order to find out
the impact of enabling either one feature or the other. When testing SS7
warning messages, we consider 10 basic types of attacks on a network and
mobile subscribers.
1. Check for the disclosure of confidential technical parameters: the
subscriber's IMSI; the MSC address where the subscriber is registered; the
HLR database address where the subscriber's profile is stored. An attacker
can conduct more complicated attacks using these parameters.
2. Check for the disclosure of the subscriber's cell data. An attacker can
detect the subscriber's location using the cell ID. In cities the location
can be determined with an accuracy of about 10 meters
(http://blog.ptsecurity.com/2014/04/search-and-neutralize-how-todetermine.html).
3. Check for possible violation of the subscriber's availability for
incoming calls (DoS against the subscriber). In case of a successful attack,
the victim subscriber no longer receives incoming calls and SMS. At the same
time the victim's mobile phone indicates network availability. The victim
subscriber will stay in this state until he/she makes an outgoing call, goes
to another switch's service area or reboots the phone.
4. Check for disclosure of private SMS conversations. This attack is a
consequence of attack number 3. In case of a successful attack, incoming
SMS messages are intercepted by the attacker's devices, so it will not be
difficult to read them. To prevent subsequent delivery to the recipient, the
attacker sends an SMS delivery notification to the SMS Center.
5. Check for USSD command manipulation. In case of a successful attack, the
attacker is able to send USSD commands on behalf of the subscriber. The
possible damage will be assessed with regard to the USSD services provided
by the operator (e.g., whether money transfer between accounts via USSD
commands is available or not).
6. Check for spoofing of the subscriber's profile in the VLR. In case of a
successful attack, the attacker is able to use his equipment as an
intelligent platform in order to extend the capabilities of voice calls and
manipulate the tariffing of mobile services.
7. Check for possible outgoing call redirection. This attack is a
continuation of attack number 6. In case of a successful attack, the
attacker is able to redirect outgoing calls from the victim subscriber.
Additionally, this attack allows an attacker to make an unauthorized
conference call, cutting in on the conversation.
8. Check for possible incoming call redirection. In case of a successful
attack, the attacker is able to redirect incoming calls to the victim
subscriber. Moreover, calls to high-tariff regions may not be tariffed, or
call charges will be billed to the victim subscriber.
9. Check the switch's stability and resistance to DoS attacks. In case of a
successful attack, the switch no longer handles incoming calls to
subscribers located in its service area.
10. Check for possible direct manipulations in billing. In case of a
successful attack, the attacker is able to empty the subscriber's personal
account, so that the subscriber is deprived of the opportunity to make
calls.
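The checks above, Engel's observation earlier on this page that switching centers accept requests from anywhere without plausibility checks, and the SRI4SM/ISD chain outlined in the introduction all point to the same defensive control: screening MAP traffic where it enters from other networks. The following is an added illustration written for this page, not code from any of the quoted researchers, operators or vendors. It runs a constructed signalling log through three rule types: operations that should never be accepted from another network (anyTimeInterrogation, which the Threatpost piece notes European networks already block), profile writes such as insertSubscriberData for a home IMSI that do not come from the home HLR, and a plausibility check on updateLocation. The global titles, IMSI prefixes, country table, threshold and log lines are all constructed placeholders.

```python
"""Interconnect screening of MAP signalling (added illustration, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

HOME_GT_PREFIX = "49170"                          # constructed: this operator's GT range
HOME_HLR_GTS = {"491700000001", "491700000002"}   # constructed: home HLR addresses
HOME_IMSI_PREFIX = "26299"                        # constructed: home MCC+MNC
GT_COUNTRY = {"380": "UA", "49": "DE", "7": "RU", "1": "US"}   # constructed prefix table

# Operations a network should not accept from a foreign interconnect at all.
NEVER_FROM_INTERCONNECT = {"anyTimeInterrogation", "sendIMSI"}
# Operations that write a subscriber's VLR/MSC state; for a home IMSI they
# must come from this network's own HLR.
HOME_HLR_ONLY = {"insertSubscriberData", "deleteSubscriberData", "cancelLocation"}
MIN_COUNTRY_CHANGE = timedelta(hours=1)   # constructed plausibility threshold

# Constructed log, one MAP message per line: timestamp,calling_gt,called_gt,operation,imsi
SAMPLE_LOG = """\
2014-04-10T10:00:00,380500000010,491700000001,updateLocation,262990000000001
2014-04-10T10:12:00,792100000055,491700000001,anyTimeInterrogation,262990000000001
2014-04-10T10:13:00,792100000055,491700000001,sendRoutingInfoForSM,262990000000001
2014-04-10T10:14:00,792100000055,491700000010,insertSubscriberData,262990000000001
2014-04-10T10:20:00,121200000077,491700000001,updateLocation,262990000000001
2014-04-10T10:25:00,380500000010,491700000010,insertSubscriberData,255010000000002
"""


@dataclass
class MapMessage:
    ts: datetime
    calling_gt: str
    called_gt: str
    operation: str
    imsi: str


def parse_log(text):
    msgs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, calling, called, op, imsi = line.split(",")
        msgs.append(MapMessage(datetime.fromisoformat(ts), calling, called, op, imsi))
    return msgs


def country_of(gt):
    # Longest-prefix match so that a longer country prefix wins over a shorter one.
    for prefix in sorted(GT_COUNTRY, key=len, reverse=True):
        if gt.startswith(prefix):
            return GT_COUNTRY[prefix]
    return "??"


def screen(messages):
    """Return (timestamp, operation, calling_gt, reason) for each suspicious message."""
    alerts = []
    last_seen = {}   # imsi -> (country, timestamp) of the last accepted updateLocation
    for m in messages:
        if m.calling_gt.startswith(HOME_GT_PREFIX):
            continue   # internal traffic does not cross the interconnect; out of scope here
        if m.operation in NEVER_FROM_INTERCONNECT:
            alerts.append((m.ts, m.operation, m.calling_gt,
                           "operation not accepted from interconnect"))
        elif (m.operation in HOME_HLR_ONLY and m.imsi.startswith(HOME_IMSI_PREFIX)
              and m.calling_gt not in HOME_HLR_GTS):
            alerts.append((m.ts, m.operation, m.calling_gt,
                           "profile write for home IMSI from a foreign GT"))
        elif m.operation == "updateLocation" and m.imsi.startswith(HOME_IMSI_PREFIX):
            country = country_of(m.calling_gt)
            prev = last_seen.get(m.imsi)
            if prev and prev[0] != country and m.ts - prev[1] < MIN_COUNTRY_CHANGE:
                alerts.append((m.ts, m.operation, m.calling_gt,
                               f"implausible move {prev[0]}->{country} within {m.ts - prev[1]}"))
            else:
                last_seen[m.imsi] = (country, m.ts)   # accept and make it the new baseline
    return alerts


def screen_sample():
    return screen(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for ts, op, gt, reason in screen_sample():
        print(f"{ts.isoformat()} {op:<22} from {gt}: {reason}")
```

Note the role condition on the second rule: insertSubscriberData from a foreign HLR is legitimate when it concerns that network's own roamer registered in the local VLR (the last log line), so the rule keys on the IMSI's home prefix rather than on the operation alone. The plausibility rule keeps the last accepted location when it rejects an update, trading a possible repeat alert for not letting a spoofed update poison the baseline. sendRoutingInfoForSM is deliberately left untouched here; hiding what it reveals is the job of SMS home routing, discussed in the protection section.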
How to Protect Users
Our research revealed that the overwhelming majority of attacks against SS7
networks begin with obtaining technical data about the subscriber (IMSI, MSC
and HLR database addresses). These parameters can be obtained from the
response to the SRI4SM message mentioned at the beginning of this article.
One security solution is the SMS Home Routing procedure specified by 3GPP in
2007. It is sometimes called the SMS Firewall or SMS Filter.
An additional host, providing filtering of malicious SRI4SM messages, is
added to the operator's network. It works as follows. When an SRI4SM message
arrives at the operator's network from another network, it is rerouted to
the new filtering host. This host sends a correct response, replacing the
MSC and HLR database addresses with its own address and the IMSI with false
data. If the SRI4SM message was generated by the attacker, he will not
receive any useful data in the response and his attack will be interrupted
at the very beginning. If the SRI4SM message was used for an authorized
transaction, to send an SMS, the originator's network will send the message
to the filtering host, which will deliver it to the recipient within the
home network.
It's been 7 years since this recommendation was issued, but, so far as we
can see, few operators have launched this solution. By the way, the SRI4SM
message is not the only way to obtain the subscriber's IMSI.
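To make the home-routing behaviour described above concrete, here is an added example written for this page, not code from the article's authors or from any operator or vendor. It contrasts an HLR that answers SRI4SM directly (revealing the IMSI and serving MSC to whoever asks) with one sitting behind an SMS router, and then carries the SMS delivery through the router so that legitimate traffic still reaches the subscriber. Subscriber data and global titles are constructed placeholders; that the fake IMSI keeps the home MCC/MNC prefix and that a correlation id is single-use are assumptions of this model, not details from the page.

```python
"""SMS Home Routing modelled end to end (added illustration, constructed data)."""
import secrets
from dataclasses import dataclass

HOME_GT_PREFIX = "49170"     # constructed: this operator's own GT range
HOME_IMSI_PREFIX = "26299"   # constructed: home MCC+MNC, kept in the fake IMSI (assumption)


@dataclass(frozen=True)
class Subscriber:
    msisdn: str
    imsi: str
    serving_msc: str   # GT of the MSC/VLR currently serving the subscriber


class HomeNetwork:
    """Constructed model of a home network's HLR plus an SMS router (home routing node)."""

    def __init__(self, router_gt, subscribers, home_routing=True):
        self.router_gt = router_gt        # the only address other networks get to see
        self.home_routing = home_routing
        self.hlr = {s.msisdn: s for s in subscribers}
        self.pending = {}                 # correlation id -> Subscriber, resolved once

    def sri_for_sm(self, msisdn, requester_gt):
        """Answer a sendRoutingInfoForSM that arrived for one of our MSISDNs."""
        sub = self.hlr.get(msisdn)
        if sub is None:
            return {"error": "unknownSubscriber"}
        if not self.home_routing or requester_gt.startswith(HOME_GT_PREFIX):
            # Plain HLR behaviour: real IMSI and serving MSC go back to the requester.
            return {"imsi": sub.imsi, "networkNodeNumber": sub.serving_msc}
        # Home routing: the router's own GT plus an IMSI-shaped correlation id
        # that only the router can resolve; the requester learns nothing real.
        corr = self._new_correlation_id(sub)
        self.pending[corr] = sub
        return {"imsi": corr, "networkNodeNumber": self.router_gt}

    def _new_correlation_id(self, sub):
        while True:
            corr = HOME_IMSI_PREFIX + "".join(secrets.choice("0123456789") for _ in range(10))
            if corr != sub.imsi and corr not in self.pending:
                return corr

    def mt_forward_sm(self, imsi, node_gt, text):
        """Deliver an MT-ForwardSM addressed to node_gt for the given IMSI (or None if refused)."""
        if node_gt == self.router_gt:
            sub = self.pending.pop(imsi, None)    # single-use: a replayed id is refused
            if sub is None:
                return None
            return {"delivered_to": sub.serving_msc, "imsi": sub.imsi, "text": text}
        # Direct delivery to an MSC, as happens without home routing.
        for sub in self.hlr.values():
            if sub.imsi == imsi and sub.serving_msc == node_gt:
                return {"delivered_to": node_gt, "imsi": imsi, "text": text}
        return None


ALICE = Subscriber(msisdn="491700123456", imsi="262990000000001", serving_msc="491700000010")
FOREIGN_SMSC_GT = "792100000055"   # constructed: a requester on another network
ROUTER_GT = "491700000099"         # constructed: the SMS router's GT


def foreign_lookup_leaks(home_routing):
    """True if an SRI4SM from another network reveals Alice's real IMSI or MSC."""
    net = HomeNetwork(ROUTER_GT, [ALICE], home_routing=home_routing)
    resp = net.sri_for_sm(ALICE.msisdn, FOREIGN_SMSC_GT)
    return resp["imsi"] == ALICE.imsi or resp["networkNodeNumber"] == ALICE.serving_msc


def deliver_via_home_routing(text):
    """Full exchange: SRI4SM, then MT-ForwardSM to whatever node the reply named, then a replay."""
    net = HomeNetwork(ROUTER_GT, [ALICE], home_routing=True)
    resp = net.sri_for_sm(ALICE.msisdn, FOREIGN_SMSC_GT)
    first = net.mt_forward_sm(resp["imsi"], resp["networkNodeNumber"], text)
    replay = net.mt_forward_sm(resp["imsi"], resp["networkNodeNumber"], text)
    return first, replay


if __name__ == "__main__":
    print("leaks without home routing:", foreign_lookup_leaks(False))
    print("leaks with home routing:   ", foreign_lookup_leaks(True))
    print("delivery, then replay:     ", deliver_via_home_routing("hello"))
```

The caveat just above still applies: home routing hides the IMSI and MSC from SRI4SM lookups only, so an operator also needs screening of the other operations that can reveal or modify subscriber data at the interconnect.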
A mobile operator's network is potentially vulnerable, just like any other
network. Due to the specifics of mobile networks, these attacks can be more
sophisticated than attacks on the Internet. We recommend that operators
take measures to protect such networks using the traditional scenario:
penetration tests to discover potential vulnerabilities, a security audit
with the recommended settings and cyclic checks of security settings
against a template. This minimum amount of work helps you to raise the
level of your network security just above the average; still, it is enough
for the first step. So subscribers have nothing to worry about.
P. S.
In the course of the Positive Hack Days IV, we made a report about possible
attacks in mobile operators' network, where tapping into phone conversations
from almost any place on earth was discussed.

Authors: Sergey Puzankov, Dmitry Kurbatov


Posted by Positive Research, 11:07 PM
Labels: information security, mobile data bypass, telecom
1 comment:
Irwin Williams, January 17, 2015 at 5:58 AM
Cellphone tracking is now very much simple most of the promote submission
for the emissary software are prohibited, and the subsistence of the software
angers CTIA-The Wireless Association, an industry organization representing
the nation's chief cell phone company.
Location, Monitor Your Communication
December 30, 2014, 7:55 AM MST
With a few lines of code, a savvy hacker can determine your location and
intercept calls and SMS.

According to renowned researcher and hacker Tobias Engel, who presented
"SS7: Locate. Track. Manipulate" at the Chaos Communication Congress (31c3)
last week, "Companies are now selling the ability to track your phone number
wherever you go. With a precision of up to 50 meters, detailed movement
profiles can be compiled by somebody from the other side of the world
without you ever knowing about it. But that is just the tip of the iceberg."
And it is not only the NSA (or other intelligence agencies) that can monitor
your movements and intercept communications. Any business or individual can
exploit SS7 network vulnerabilities to gain access to subscribers' mobile
devices.
The SS7 protocol is used by mobile operators to direct calls and SMS to
their customers, even when they are in another country. In theory, access to
the SS7 network is reserved for telephony operators. However, by gaining
access to the network, businesses and individuals can have a field day.
"From the moment you have network access, there are hardly any security
mechanisms," says Tobias Engel.
[Embedded video: //www.youtube.com/embed/lQ0I5tl0YLY]
What is rather scary is the assertion that gaining access to a mobile
operator's network is relatively easy.
Karsten Nohl of the German company Security Research Lab, who also
presented his research, asserted that accessing "the location is very
easy." He argued that even 3G is attackable, suggesting it's high time we
upgrade from complaining to self-defense.
Tobias Engel presented how he tracked and monitored mobile devices across
the globe. Several US companies even provide location services for their
customers' phones, as recently reported in the Washington Post
(http://www.washingtonpost.com/business/technology/for-sale-systems-that-...
f003-11e3-bf76-447a5df6411f_story.html).
Intercepting calls is a little more complicated. On stage, Karsten Nohl also
demonstrated spoofing the phone number and potentially transferring the
call to a computer where it can be recorded. The same can be done with SMS.
Subscribers don't really have many options. Tobias Engel joked: "There are
only two solutions for the user: tell the operator, but I'm not sure that a
call to the hotline will work, or get rid of his phone."
But if you don't want to get rid of your phone, Karsten Nohl launched
SnoopSnitch
(https://play.google.com/store/apps/details?id=de.srlabs.snoopsnitch), a
free application to detect whether a subscriber is monitored via the SS7
network.
"You receive warnings when something out of the ordinary happens," Nohl
said. "For example, if I ask your operator for your location through the SS7
network, your phone is loaded but nothing happens for you. The application
notifies you if such an event occurs."

This tool can also detect certain types of interception. The application collects
data throughout the day, "like a virus that people have on their computer."
The user can then choose to share this data with Security Research Lab to
supply a map, GSMMap.org (http://gsmmap.org/).
