problems with the network and said it was due to be replaced over the
next decade because of a growing list of security and technical issues.
The German researchers found two distinct ways to eavesdrop on
calls using SS7 technology. In the first, commands sent over SS7
could be used to hijack a cell phone's forwarding function -- a
service offered by many carriers. Hackers would redirect calls to
themselves, for listening or recording, and then onward to the
intended recipient of a call. Once that system was in place, the
hackers could eavesdrop on all incoming and outgoing calls
indefinitely, from anywhere in the world.
The second technique requires physical proximity but could be
deployed on a much wider scale. Hackers would use radio antennas
to collect all the calls and texts passing through the airwaves in an
area. For calls or texts transmitted using strong encryption, such as is
commonly used for advanced 3G connections, hackers could request
through SS7 that each caller's carrier release a temporary encryption
key to unlock the communication after it has been recorded.
Nohl on Wednesday demonstrated the ability to collect and decrypt a
text message using the phone of a German senator, who cooperated
in the experiment. But Nohl said the process could be automated to
allow massive decryption of calls and texts collected across an entire
city or a large section of a country, using multiple antennas.
"It's all automated, at the push of a button," Nohl said. "It would
strike me as a perfect spying capability, to record and decrypt pretty
much any network ... Any network we have tested, it works."
Those tests have included more than 20 networks worldwide,
including T-Mobile in the United States. The other major U.S.
carriers have not been tested, though Nohl and Engel said it's likely at
least some of them have similar vulnerabilities. (Several smartphone-
Hackers demo network-level call interception
January 05, 2015
White-hat hackers at the 31st Chaos Computer Congress have demonstrated
fundamental flaws in the underlying infrastructure of 2G and 3G mobile phone
networks. The flaws allow attackers to covertly track the location of a phone
number as well as intercept calls and SMS - all at the network level.
Tobias Engel from the Chaos Computer Club demonstrated in front of a live
audience how it was possible to send a fake network message from his laptop
to block a phone from making calls and even divert calls to another phone.
The diverted call could be passed through a man-in-the-middle that records the conversation.
He also showed how a couple of volunteers were tracked over a few weeks as
they travelled around the United States and Europe, again by spoofed network
messages simply asking the mobile switching center (MSC) for the
location of the subscriber.
Engel said that a journalist had contacted him with claims from a security
company offering tracking of individuals down to the city street with just their
phone number, and asked how it could be done.
GSM and UMTS systems all depend on a protocol called Signalling System 7
(SS7) which was designed around fixed line telephones in the 1980s. With
each phone line at a physical house and most telcos being trusted state-owned operators, privacy was not a concern at the time.
SS7 has been extended with new protocols added over time to allow for
mobility, text messages and geo-location and roaming, for instance. The
problem is that SS7 fundamentally does not have any authentication.
Many operators are selling legitimate access to SS7, for instance for text
messaging or vehicle fleet management.
With the advent of femto cells, it is even possible for people to hack into their
femto units to gain direct access to the SS7 network.
In order to track a target with just his phone number, the attacker with
access to SS7 can simply ask the HLR (home location register) for the
international mobile subscriber identity (IMSI) and the mobile switching center
(MSC) that the target is currently using. This is done by using what is called an
anytime interrogation SS7 message to the HLR.
Many networks have blocked anytime interrogation messages, but a
workaround is to use the SMS routing messages, again over SS7, to find the
IMSI and MSC instead.
If that fails (because home SMS routing is installed), an attacker who has
obtained the IMSI through out-of-band means can simply brute-force the lookup
by sending requests to MSCs all over the world until the right MSC is found.
Armed with the IMSI and the MSC, the attacker then sends an SS7 message
directly to the MSC to query the location of the target.
The MSC does not do plausibility assessments. "If a German user is in his
home network, an Indonesian network should not have anything to do with it
[but is not prevented]. Most MSCs accept requests from anywhere and
anyone," he said.
Engel said that some networks have implemented a "verify sender address"
mechanism for geo-location. But he said that simply by spoofing the source
address, called the global title, to something that looks similar to the global
title of the MSC, it was possible to circumvent the check and be treated as a
legitimate, local server.
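The two weaknesses just described, an MSC that performs no plausibility assessment and a sender check that a look-alike global title can pass, are closed by the same piece of ingress logic: verify the sender by exact identity rather than resemblance, then ask whether a roaming relationship explains the query at all. The Python below is an added illustration written for this article; it is not code from the Chaos Computer Club, from Engel's talk or from any operator. The global titles, IMSIs, country-code table and serving-VLR table are constructed sample data (the serving-VLR table stands in for what an HLR knows), and "ATI" and "PSI" are used only as labels for the two MAP location queries the text mentions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample configuration for a fictional German home network.
# None of these global titles (GTs) or IMSIs belong to a real operator.
COUNTRY_CODES = {"49": "DE", "33": "FR", "31": "NL", "62": "ID"}
HOME_COUNTRY = "DE"
OWN_NODE_GTS = {"4917012345678", "4917012345699"}      # our own MSC/VLR and HLR
TRUSTED_PARTNER_GTS = {"33612345678", "31698765432"}   # roaming partners, exact GTs
# What the HLR knows: the GT of the VLR/MSC currently serving each IMSI.
SERVING_VLR = {
    "262011111111111": "4917012345678",   # subscriber at home
    "262012222222222": "33612345678",     # subscriber roaming in France
}
# anyTimeInterrogation (sent to the HLR) and provideSubscriberInfo (sent to the MSC)
LOCATION_QUERIES = {"ATI", "PSI"}


@dataclass
class LocationRequest:
    msg_type: str    # MAP operation label, e.g. "ATI" or "PSI"
    origin_gt: str   # SCCP calling-party global title of the requester
    imsi: str        # subscriber the request is about


def country_of(gt: str) -> Optional[str]:
    """Map a global title to a country via its E.164 country-code prefix."""
    for n in (3, 2, 1):
        cc = COUNTRY_CODES.get(gt[:n])
        if cc:
            return cc
    return None


def evaluate(req: LocationRequest) -> Tuple[str, str]:
    """Decide whether a location query is plausible. Returns (decision, reason)."""
    if req.msg_type not in LOCATION_QUERIES:
        return "allow", "not a location query"
    # Step 1: sender verification by exact identity, not by resemblance. A GT that
    # merely shares a prefix with one of our nodes is an outsider, not a local server.
    if req.origin_gt in OWN_NODE_GTS:
        return "allow", "request from our own node"
    if req.origin_gt not in TRUSTED_PARTNER_GTS:
        return "block", f"origin GT {req.origin_gt} is not an exact match for any trusted node"
    # Step 2: the plausibility assessment the article says MSCs do not perform.
    serving = SERVING_VLR.get(req.imsi)
    if serving is None:
        return "block", "unknown IMSI"
    serving_cc = country_of(serving)
    origin_cc = country_of(req.origin_gt)
    if serving_cc == HOME_COUNTRY:
        return "block", f"subscriber is at home; a foreign network ({origin_cc}) has no reason to ask"
    if origin_cc != serving_cc:
        return "block", f"subscriber roams in {serving_cc} but the query comes from {origin_cc}"
    return "allow", f"query from the partner network ({origin_cc}) currently serving the subscriber"


def triage(requests: List[LocationRequest]) -> List[Tuple[str, str, str]]:
    """Run the check over a batch of requests; return (origin GT, IMSI, reason) for blocked ones."""
    blocked = []
    for r in requests:
        decision, reason = evaluate(r)
        if decision == "block":
            blocked.append((r.origin_gt, r.imsi, reason))
    return blocked


# Constructed signalling traffic: one legitimate internal query, one legitimate
# partner query, and three that the checks above should stop.
SAMPLE_REQUESTS = [
    LocationRequest("PSI", "4917012345678", "262011111111111"),  # our own node
    LocationRequest("PSI", "4917012345670", "262011111111111"),  # look-alike GT, one digit off
    LocationRequest("PSI", "33612345678", "262012222222222"),    # French VLR about a roamer in France
    LocationRequest("ATI", "31698765432", "262012222222222"),    # Dutch partner about a roamer in France
    LocationRequest("ATI", "62812345678", "262011111111111"),    # Indonesian GT about a subscriber at home
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req.msg_type, req.origin_gt, req.imsi, *evaluate(req))
```

The exact-match set is the point of step 1: prefix or "looks similar" comparisons are what the spoofed global title defeats, so the trusted list holds whole GTs. Step 2 uses information the HLR already has, so it costs no extra signalling; a real deployment would refresh the serving-VLR table from location updates rather than a static dictionary.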
Away from location, it is possible to use SS7 messages to manipulate a
target's phone. Since this is at the network level, it is irrelevant if it is a
smartphone or a simple feature phone.
Engel demonstrated in front of the live audience how it was possible to send
SS7 messages to the MSC in order to block calls to a phone and divert calls to
a third party. This could be used to set up a man-in-the-middle to eavesdrop
on calls.
This was possible because when roaming, users often dial local numbers
without the international prefix. There is an SS7 message that allows the HLR
to tell the MSC: "when this subscriber makes a call, ask me first". The idea is
that when, for instance, a German subscriber is roaming in France, for
"Many of the big intelligence agencies probably have teams that do nothing
but SS7 research and exploitation. They've likely sat on these things and
quietly exploited them," Soghoian said.
Stay Tuned for further information
Pierluigi Paganini
(Security Affairs SS7 protocol, surveillance)
Surveillance: How to secretly track cellphone users' position around the globe
September 18, 2014 By Pierluigi Paganini
Using the surveillance systems available on the market, it is easy and
quick to track cellphones and the movements of targets anywhere on the
globe.
We recently discussed the decision of WikiLeaks to publish copies of the
criticized surveillance software FinFisher, highlighting the dangers of the
militarization of cyberspace and in particular of the use of spyware to
track users.
The principal vendors of surveillance platforms defend their business by
declaring that their solutions are only for law enforcement and intelligence
agencies. Unfortunately the reality is quite different, because many threat
actors worldwide use surveillance malware to track individuals for various
reasons.
The Washington Post published an interesting article a few weeks ago on
surveillance technology that can be used to track individuals anywhere in the
world through the localization of their mobile devices.
The post explains that surveillance vendors using the SS7 protocol, aka
Signaling System No. 7, are able to geo-locate users with great precision.
"The tracking technology takes advantage of the lax security of SS7, a global
network that cellular carriers use to communicate with one another when
directing calls, texts and Internet data," reports the Washington Post.
SS7, or Signaling System Number 7, is a protocol suite used by
telecommunications operators to communicate with one another when
directing calls, texts and Internet data. The SS7 protocol allows cell phone
carriers to collect location data about the user's device from cell phone
towers and share it with other carriers; this means that, by exploiting SS7, a
carrier is able to discover the position of its customer wherever he is.
"The system was built decades ago, when only a few large carriers controlled
the bulk of global phone traffic. Now thousands of companies use SS7 to
provide services to billions of phones and other mobile devices, security
experts say," explains the post.
"All of these companies have access to the network and can send queries to
other companies on the SS7 system, making the entire network more
vulnerable to exploitation. Any one of these companies could share its access
with others, including makers of surveillance systems," continues the
Washington Post.
Another family of devices sold by companies that provide surveillance
solutions is the IMSI catcher, also known by one popular trade name,
StingRay. An IMSI (International Mobile Subscriber Identity) catcher is a device
for telephony eavesdropping, commonly used for intercepting mobile phone
traffic and tracking the movements of mobile phone users. Essentially, it operates
as a bogus mobile cell tower between the target mobile phone and the service
provider's real towers. The IMSI catcher runs a man-in-the-middle (MITM)
attack that victims cannot detect with commercial products.
Trackers based on exploitation of the SS7 protocol are typically used together
with IMSI catchers: once the SS7 tracker has located the victim, the IMSI
catcher can be deployed effectively.
StingRays are common surveillance devices that are able to intercept
calls and Internet traffic, send fake texts, install malware on a phone and, of
course, find the precise location of the victim.
"What's interesting about this story is not that the cell phone system can
track your location worldwide. That makes sense; the system has to know
where you are. What's interesting about this story is that anyone can do it,"
said the popular expert Bruce Schneier.
Privacy advocates are really concerned about the possible misuse of such
technology: foreign state-sponsored hackers and cyber criminals could use it
for illegal activities. Let's remember that it is illegal in many countries to track
individuals without a court order, but there is no clear international legal
framework that punishes ill-intentioned actors for secretly tracking people in other
countries.
The FCC recently created an internal task force to study the misuse of IMSI
catchers in the cybercrime ecosystem and foreign intelligence agencies,
which demonstrated that this technology could be used to spy on American
CAMEL, operate without authentication, Engel said, leaving the door wide
open for abuse.
Karsten Nohl, of SR Labs in Germany, also spoke at 31c3 and tore into SS7
and demonstrated that attacks can also be carried out over 3G networks in
order to record voice and SMS communication as well. He released a tool for
Android devices called SnoopSnitch that detects IMSI catchers and other
attacks over SS7.
"I think it's really scary. You don't have to know somebody, you just have to
know his phone number and you can track him from the other side of the
world. You don't have to be near him, you just need SS7 access," Engel said,
pointing out that such access can be purchased from telecom and network
operators. Also, he said, there are vendors selling products that maneuver
against SS7. "Companies offering these services are saying they are only
offering them to law enforcement and government agencies. I don't know
about you but there are many countries in the world whose governments I
wouldn't trust with this functionality."
Governments have been known not only to monitor call activity of citizens and
high-value industrial or government targets, but also track the location of
activists and dissidents in oppressed parts of the world. Engel's SS7
presentation included a demonstration of tracking he did of a volunteer,
mapping out their journey from Seattle, to their home in the Netherlands and
eventually to Hamburg and 31c3.
dialed and bridge calls, sitting in the middle and recording content," Engel said.
"Everybody who has a phone in his pocket indirectly uses SS7," Engel said.
"Every movement can be tracked and every call can be intercepted."
- See more at: http://threatpost.com/cellular-privacy-ss7-security-shattered-at31c3/110135
Taking up the Gauntlet: SS7 Attacks
Cathal McDaid 16th December 2014
There have been several recent reports in the media on the results of new
research into the SS7 network. This interesting research outlines a series of
techniques potential attackers can use to listen in to and read the calls and
text messages of others. An obvious question for those of us in the telecom
security industry is whether the threat is real and what we should do to
address it. In considering an answer, we can look at a little-reported incident
that occurred in Ukrainian Mobile networks earlier this year.
Last May, a report was issued by the Ukrainian Telecom Regulator (NKRZI[1]).
This document, which went essentially unreported by the press outside of
Ukraine & Russia, contains the result of the investigation of the NKRZI,
assisted by the Ukrainian Security Service (SBU), into telecom network
activity over several days in MTS Ukraine. The key findings of this report were
that over a 3 day period in April 2014, a number of Ukrainian mobile
subscribers were affected by suspicious/custom SS7[2] packets from telecom
network elements with Russian addresses, causing their location and
potentially the contents of their phone calls to be obtained.
The 'attacks' outlined in the document involved SS7 packets being sent
between the mobile operators. Without going into specific details, what
occurred is a series of SS7 packets were received by MTS Ukraine's SS7
network which modified control information stored in network switches for a
number of MTS Ukraine mobile users. In doing so, when one of the affected
mobile subscribers tried to ring someone else, their call would be forwarded to
a physical land line number in St. Petersburg, Russia, without their knowledge
- in effect the call has been intercepted. There is an additional further step
that could be taken for the interception, not outlined in the original Ukrainian
report, but suggested by the Washington Post article. The forwarded-to
number could have initiated a new call to the original targeted subscriber, and
then conference in the intercepted call, thus allowing itself to listen in to the
call without the participants being aware.
In the document, the investigation stated that the custom SS7 packets
themselves came from links allocated to MTS Russia, the parent company of
MTS Ukraine. The Ukrainian regulator then assigned responsibility for the
nodes that generated the SS7 packets based on the origination addresses in the
packets received. According to the report, some of the SS7 source addresses
that originated the attack were assigned to MTS Russia, while others were
assigned to Rostov Cellular Communications.
It's important to keep in mind that this is the report from one side only, and it
is stated that they draw conclusions about the potential for the interference
with operation of telecom networks on the part of the PSTN area in the
Russian Federation; however, in the report the regulator felt that MTS Ukraine
was not doing enough to maintain the privacy of subscribers' locations and call
forwarding routes. For its part, MTS Russia denied that the SS7 address used
was under its control, thus leaving the ultimate instigator a mystery. Indeed,
in subsequent follow-ups it was reported that MTS Ukraine was not alone in
being at risk, as the Ukrainian Telecom Regulator stated at a later date that
Astelit and Kyivstar, the other main Ukrainian mobile operators, also
experienced external interference. Whilst we don't have information on the
exact subscribers affected, there have been examples of very sensitive phone
calls being intercepted by unknown means within the region, when using non
government issued cell-phones. It is purely speculation on our part, but the
same SS7 techniques outlined in the report could have conceivably been used
to help achieve these interceptions.
Looking forward, an unfortunate, but seemingly inevitable, side-effect of these
techniques is that they will lead countries that have been affected adversely
by SS7 attacks to attempt to build their own capability, thus leading to an
SS7 arms-race. This has already been experienced in Ukraine, where new
legislation has been submitted that one media source stated will allow their
security services to legally listen in turn to subscribers of foreign mobile
operators, track their location and obtain other information about the activity
of subscribers. Taken to extremes between countries, this would lead to a
form of mutually assured surveillance, with mobile operators and mobile
phone users on both sides suffering.
The Ukrainian report, and the recent research that has been released, shows
us that we have moved into uncharted territory. Yes, there is a threat, and it is
real - as the above example shows - however it does require considerable
technical expertise to do this level of network interference. Not only to run
and operate SS7 nodes capable of doing this - but especially to gain access to
the SS7 network in the first place. Plus the nature of the risk is very different:
consider there are more users of the SS7 network worldwide than there are users
of the internet, yet the number of attacks on IP networks every day dwarfs what
is known to occur over SS7. The SS7 network is working as designed, but 'bad
actors' are increasingly trying to exploit it, the real danger is that we assume
that nothing can be done to fix the problem and it will just get worse as more
'bad actors' try to get access. As has been said by others, as an industry we
need to work together to define recommendations and implement solutions to
detect and stop potential attacks, because defences are possible and can
make a difference if deployed correctly.
This coordination is already well underway, and AdaptiveMobile are helping to
contribute to this, but no-one should doubt the amount of work and effort that
will be required to completely secure the SS7 network from organisations that
would seek to exploit it. However, at the same time it would be a mistake for
those using these techniques offensively to assume that their activities &
methods have gone unnoticed. We are now entering the more public stage of
a struggle in which the gauntlet was thrown down some time ago.
similar SS7 node types. While unrelated to the events described in the report,
the purpose of such work is to help investigate ways in which to detect
malicious or unusual SS7 behaviour in networks. Such methods will be called
on increasingly in the future to help detect and block unwanted SS7 activity.
Update: 3/1/2015
In the 3rd paragraph of the original blog entry on 16th of December, it was
stated: "In doing so, when someone tried to ring one of the affected mobile
subscribers..." This has now been updated.
References:
[1] National Commission for the State Regulation of Communications and
Information (NKRZI)
[2] Signalling System 7 (SS7), is a catch-all term for a telecom network
technology that is used by hundreds of cellular companies to allow them to
operate and communicate with each other; it is the computer protocol used
by telecom nodes within cellular networks to provide mobility control, network
registration, call and text setup etc. In short it enables mobile devices to
communicate and roam globally, and it allows mobile operators to control and
bill this activity. All pieces of network hardware that operate in the core
network use SS7 to interoperate with the rest of the network.
Cell Phone Tapping: How It Is Done and Will Anybody Protect Subscribers
You probably have read on various news websites about surveillance
programs led by security services in different countries that reach phone and
Internet communications of ordinary citizens. We have already written about
possible threats to mobile telecommunication networks, and today we want to
put more emphasis on one of the attack vectors against mobile subscribers.
In short, the attack works like this. The attacker penetrates the SS7
(Signaling System No. 7) network and sends a Send Routing Info For SM
(SRI4SM) service message into the network, specifying the phone
number of the attacked subscriber A as a parameter. Subscriber A's home
network sends the following technical information in response: the IMSI
(International Mobile Subscriber Identity) and the address of the MSC currently
serving the subscriber.
After that, the attacker changes the billing system address in the subscriber's
profile to the address of his own pseudo-billing system and injects the
updated profile into the VLR database via an Insert Subscriber Data (ISD) message.
When the attacked subscriber makes an outgoing call, his switch contacts
the attacker's system instead of the actual billing system. The attacker's
system sends the switch a directive that redirects the call to a third
party controlled by the attacker.
I would say to skeptics straight off: this scheme is not a fantasy, as you can see,
and it can be carried out in practice. When SS7 was designed, no defense
mechanisms against such attacks were provided; it was assumed that the SS7
network itself is private enough that an "outsider" cannot access it. However,
times are changing and we are witnessing the use of telephony technologies
with malicious intent. Unfortunately, one does not simply enable filtering of
external SS7 messages, since it may affect the availability of mobile services
in roaming, and no mobile network operator wants to lose its money.
Check for the disclosure of the subscriber's cell data. An attacker can determine
the subscriber's location using the cell ID. In cities the location can be determined
with an accuracy of about 10 meters
(http://blog.ptsecurity.com/2014/04/search-and-neutralize-how-todetermine.html).
Check for possible violation of the subscriber's availability for incoming calls (DoS
against the subscriber). In case of a successful attack, the victim subscriber
no longer receives incoming calls and SMS, while the victim's mobile
phone still indicates that the network is available. The victim subscriber will stay in this
state until he/she makes an outgoing call, moves to another switch's service
area or reboots the phone.
Check for disclosure of private SMS conversations. This attack is a consequence
of attack number 3. In case of a successful attack, incoming SMS
messages are intercepted by the attacker's equipment, so it is not difficult to
read them. To prevent subsequent delivery to the recipient, the attacker
sends an SMS delivery notification to the SMS Center.
Check for USSD command manipulation. In case of a successful attack, the
attacker is able to send USSD commands on behalf of the subscriber. The
possible damage depends on the USSD services provided by
the operator (e.g., whether money transfer between accounts via USSD
commands is available).
Check for spoofing of the subscriber's profile in the VLR. In case of a successful attack,
the attacker is able to use his equipment as an intelligent platform in order to
extend the capabilities of voice calls and manipulate the tariffing of mobile
services.
Check for possible outgoing call redirection. This attack is a continuation of
attack number 6. In case of a successful attack, the attacker is able to
redirect outgoing calls from the victim subscriber. Additionally, this attack
allows an attacker to set up an unauthorized conference call, cutting into the
conversation.
Check for possible incoming call redirection. In case of a successful attack,
the attacker is able to redirect incoming calls to the victim subscriber.
Moreover, calls to high-tariff regions may not be charged, or the charges will be
billed to the victim subscriber.
Check the switch's stability and resistance to DoS attacks. In case of a
successful attack, the switch no longer handles incoming calls to subscribers
located in its service area.
Check for possible direct manipulation of billing. In case of a successful
attack, the attacker is able to empty the subscriber's personal account, so
that the subscriber is deprived of the opportunity to make calls.
How to Protect Users
Our research revealed that the overwhelming majority of attacks against SS7
networks begin with obtaining technical data about the subscriber (IMSI, MSC
and HLR database addresses). These parameters can be obtained from the
response to the SRI4SM message mentioned in the beginning of this article.
One security solution is the SMS Home Routing procedure specified by 3GPP in
2007. It is sometimes called the SMS Firewall or SMS Filter.
An additional host that filters malicious SRI4SM messages is
deployed in the operator's network. It works as follows. When an SRI4SM
message arrives in the operator's network from another network, it is rerouted to the new filtering host. This host sends a well-formed response in which the
MSC and HLR database addresses are replaced with its own address and the IMSI with false
data. If the SRI4SM message was generated by an attacker, he will not
receive any useful data in the response and his attack is stopped at
the very beginning. If the SRI4SM message was sent for an authorized
transaction, i.e. to deliver an SMS, the originator's network will send the message
to the filtering host, which will deliver it to the recipient within the
home network.
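To make the procedure concrete, here is a simulation of that filtering host, written as an added example for this article; it is not code from Positive Technologies, 3GPP or any operator. The subscriber numbers, IMSIs and global titles are constructed, the unprotected HLR answer is modelled alongside the filtered one so the difference is visible, and the choice of a one-time correlation ID as the "false data" that replaces the IMSI is an assumption of this example, as is returning no answer for an unknown number.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample data for a fictional home operator (MCC/MNC 262-01).
HOME_ROUTER_GT = "4917099900001"                                     # GT of the SMS home-routing host
OWN_NETWORK_GTS = {"4917012345678", "4917000000010", HOME_ROUTER_GT}  # our MSC, our SMSC, the router
SUBSCRIBERS: Dict[str, Tuple[str, str]] = {   # MSISDN -> (real IMSI, GT of serving MSC)
    "491701234567": ("262011111111111", "4917012345678"),   # subscriber at home
    "491709876543": ("262012222222222", "33612345678"),     # subscriber roaming in France
}


@dataclass
class SriForSmResponse:
    imsi: str           # what the requester will treat as the IMSI
    network_node: str   # where the requester will send the MT-ForwardSM


def hlr_sri_for_sm(msisdn: str) -> Optional[SriForSmResponse]:
    """The unprotected HLR answer: real IMSI and real serving MSC for anyone who asks."""
    entry = SUBSCRIBERS.get(msisdn)
    if entry is None:
        return None
    imsi, msc = entry
    return SriForSmResponse(imsi=imsi, network_node=msc)


class SmsHomeRouter:
    """Filtering host in front of the HLR for SRI-for-SM coming from other networks."""

    def __init__(self) -> None:
        self._correlations: Dict[str, str] = {}             # correlation id -> MSISDN
        self.delivered: List[Tuple[str, str, str]] = []     # (MSC GT, real IMSI, text)

    def handle_sri_for_sm(self, msisdn: str, origin_gt: str) -> Optional[SriForSmResponse]:
        if origin_gt in OWN_NETWORK_GTS:
            return hlr_sri_for_sm(msisdn)     # internal traffic still gets the real answer
        real = hlr_sri_for_sm(msisdn)
        if real is None:
            return None                        # unknown number: no answer (assumption)
        # Replace the IMSI with a one-time correlation id of the same shape (15 digits,
        # home MCC/MNC prefix) and point the sender at ourselves instead of the MSC.
        corr = "26201" + "".join(secrets.choice("0123456789") for _ in range(10))
        self._correlations[corr] = msisdn
        return SriForSmResponse(imsi=corr, network_node=HOME_ROUTER_GT)

    def handle_mt_forward_sm(self, imsi_field: str, text: str) -> bool:
        """Deliver an MT-ForwardSM addressed to us; only ids we issued are accepted, once."""
        msisdn = self._correlations.pop(imsi_field, None)
        if msisdn is None:
            return False                       # real IMSI, guessed or replayed id: dropped
        real_imsi, msc = SUBSCRIBERS[msisdn]
        self.delivered.append((msc, real_imsi, text))   # hand-off to the real MSC (simulated)
        return True


if __name__ == "__main__":
    router = SmsHomeRouter()
    foreign_smsc = "62812345678"   # constructed GT of some other network's SMSC
    # Without home routing the foreign node learns the real IMSI and MSC:
    print("unfiltered:", hlr_sri_for_sm("491701234567"))
    # With home routing it learns only a throw-away id and the router's address,
    # yet a genuine SMS still reaches the subscriber:
    resp = router.handle_sri_for_sm("491701234567", origin_gt=foreign_smsc)
    print("filtered:  ", resp)
    print("delivered:", router.handle_mt_forward_sm(resp.imsi, "hello"), router.delivered)
```

Two details carry the security value. The correlation ID is consumed on first use, so a value captured from one exchange cannot be reused to address the subscriber later, and internal nodes are distinguished by exact global title, matching the sender-verification advice elsewhere on this page. The response shape for an unknown number is left identical to the HLR's so the router does not become a new information source of its own.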
It's been 7 years since this recommendation was issued, but, so far as we can
see, few operators have deployed this solution. And the SRI4SM message is
not the only way to obtain the subscriber's IMSI.
A mobile operator's network is potentially vulnerable, just like any other
network. Owing to the specifics of mobile networks, these attacks can be more
sophisticated than Internet attacks. We recommend that operators take
measures to protect such networks using the traditional approach: penetration
tests to discover potential vulnerabilities, a security audit against the
recommended settings and periodic checks of the security settings against a
template. This minimum amount of work raises the level of
your network security to just above average, but it is enough as a first
step. So subscribers have nothing to worry about.
P. S.
At Positive Hack Days IV, we gave a talk about possible
attacks in mobile operators' networks, in which tapping into phone conversations
from almost any place on earth was discussed.
This tool can also detect certain types of interception. The application collects
data throughout the day, "like a virus that people have on their computer."
The user can then choose to share this data with Security Research Lab to
supply a map, GSMMap.org (http://gsmmap.org/).