Researchers Discover SS7 Flaw, Allowing Total Access To Any Cell Phone, Anywhere
krakman writes: Researchers discovered security flaws in SS7 that allow listening to private phone calls and intercepting text messages on a potentially massive scale – even when cellular networks are using the most advanced encryption now available. The flaws, to be reported at a hacker conference in Hamburg this month, are actually functions built into SS7 for other purposes – such as keeping calls connected as users speed down highways, switching from cell tower to cell tower – that hackers can repurpose for surveillance because of the lax security on the network. It is thought that these flaws were used for bugging German Chancellor Angela Merkel's phone.
Those skilled at the housekeeping functions built into SS7 can locate callers anywhere in the world, listen to calls as they happen or record hundreds of encrypted calls and texts at a time for later decryption (Google translation of German original). There is also potential to defraud users and cellular carriers by using SS7 functions, the researchers say. This is another result of security being considered only after the fact, as opposed to being part of the initial design.
"Flaw"? Is anyone really that ignorant these days? This is not a bug, it's by design.
The only flaw I see in this is that someone discovered the intentional backdoor. This was not unintentional by any means.
http://www.wired.com/2014/09/c... Back in Sept, Wired talked about a phone that has a firewall and security to detect when you are using a hacked cell tower. Sure, it's a little different, but still interesting all the same.
I like how you reach that conclusion that this is the result of security being considered only after the fact, rather than being an integral part of the design.
SS7 pre-dates the modern processing explosion. Early systems were stretching their embedded 386 just to handle the protocol messages. Any additional security would have made the systems pretty much impractical for another few years.
As a result, it was designed around physical security of the signalling lines, and that is pretty much the way it has stayed. Only certified equipment gets connected to core equipment. Foreign equipment goes through an SS7 gateway (really a firewall of sorts). Encrypted tunnels are used for connecting SS7 networks over insecure channels.
So basically your calls are as good as the physical security of the core switches. Which is generally pretty good. And if you have physical access to the core switches, then there are probably many other ways you could listen in anyway.
This bit
record hundreds of encrypted calls and texts at a time for later decryption
And that it probably applies to any encryption offered up to consumers from Google, Apple, and Microsoft, etc.
If they haven't already added a master key to their encryption, the ability to decrypt easily through a "flaw" or "weakness" would allow deniability though.
"If any question why we died, Tell them because our fathers lied."
SS7 stands for Signalling System No. 7
The SS7 protocol enables the cellphone network to identify a certain user, no matter where that particular user turns up.
This isn't even a back door; it's how the system works. Only the authorized licensed carriers are supposed to issue command codes, just like the C,D,E,F touch-tones (yes, Virginia, there are four more than on your phone). What's being described here is a basic fraud, as basic as Charlie Chaplin in a restaurant posing as a waiter and pocketing the money someone else leaves with a bill. The failure is in assuming that someone intending to violate conventions and rules will follow the "authorizations" any more than they will follow any other rules.
Uh.. the whole point of transport layer encryption is that you assume an attacker can record your communication and the encryption prevents the attacker from figuring out the real contents of the communication.
If you know for a fact that no unauthorized party can actually tap into your communication channel... you don't even have to bother with the encryption in the first place.
The rest of the issue is due to the fact that the SS7 protocol is a byzantinely complex and very very old standard going way WAY back before data security was taken into account.
For all the people saying this is some intentional backdoor... if the NSA really were that smart to sneak this into a design-by-committee standard where hundreds of engineers spent years niggling over details, then you might as well give up now because you just said they are smart enough to insert backdoors into the Linux kernel or any other complex open source project too and they'll get away with it for decades before they get caught.
AntiFA: An abbreviation for Anti First Amendment.
What failure? This was left wide open intentionally.
Not too surprising, technologically everything has been or will be subverted. This has been shown time and again. Processors have hidden functions, like SMM.
Networks and ISPs are continuously backdoored through subterfuge. Programmers are paid or coerced (threats, deadlines, stress) into creating poor code. Management gives backdoor access to any TLA who requests. Standards bodies implement broken standards for the benefit of spy agencies. The list just goes on and on.
All of these things come down to money used by the spy agencies in order to break these technologies. Sadly, there is no way to remove money from these agencies so we are all pretty much screwed.
Now to drink my spiked coffee and finish writing terrible code for this network driver. That i get paid to do ...
If they can only listen to phone calls and view text messages. That's like saying someone has "total access" to your machine because they installed a keylogger. Is it dangerous and invasive? Yes. But it's not "total access", if they can't actually *control* anything...
The hacker conference is the 31st Chaos Communication Congress, organized by the Chaos Computer Club. As usual, it is held between Christmas and New Year, and talks are streamed live and made available for download shortly after.
Various groups provide network services to the attending hackers, including wired and wireless networks with multi-gigabit internet links, a DECT phone network covering the congress center, a GSM mobile phone network (on spectrum specifically licensed for this purpose), and even a pneumatic tube network.
I'm going back to using coconuts for communication.
Then again, "hackers did it", so it's world news.
If I break into your house, and then walk into your main hallway, and then say, "There is a security flaw in your home! From this point in your hallway I can listen to any room, or walk down freely into any room." As you're looking at your front door splintered from the battering ram I hit it with to get in, would you call it a "hack," a flaw or something to be concerned about how your hallway(s) go through your house? No, you'd say, "The hallway is fine, I need a stronger front door. BTW, the Glock I'm holding is loaded."
When I start to read, "SS7 was designed in the 80s," I already know I'm dealing with a mental midget. Actually, SS7 began due to the first ever hackers. Remember 2600? As in, 2600 Hz was the signaling frequency for a landline switch. Throw that tone, and you could make calls (for free if it was a payphone). Hence, telecoms came up with an idea to do out of band signaling, which eventually became SS7. So, saying you can "hack" SS7 is very misleading because all SS7 does is coordinate call set up. That "ringing" you hear as you wait for the far, distant switch to reply that the called line is available, is a "comfort tone," as SS7 does its work. Besides cutting down on fraud, SS7 keeps circuits available, because if the called number is busy, or unavailable, there's no point in setting up a line between your local switch and the switch at the far end.
In the deepest bowels of a switching office, usually near the back, you'll see SS7 racks. These connect from and between local, long-distance and other switches. It's what you'd call a "Back Office" network, similar to the network used by the telecoms to manage the servers your traffic goes across but you'll never touch. Such as 3G data going through PCF after it's left the mobile switch, and before it hits an internet backbone ATM. So in simple terms, you'd have to break in, figure out the network, and then figure out a 2nd break in to get to the SS7, and then you'd be in a very small part of the network.
Honestly, if you're going to be doing that much effort, you're NOT going after SS7. Just hack the 3-letter agencies or other LEO server for court-approved wiretapping that is hanging off the switching network and you're in anything, everything, anywhere.
You might think "meh, ss7, old protocol not in use much", but... a huge number of voice and network transit products use SS7 signalling, and pretty much all the big players in trunk and voice kit have ss7 modules or compatibility mode built right in.
The syntax is pretty odd. I've had a play, and generating it on the fly was difficult, but we could log in and do some basic manipulation of configs etc. We had no documentation, but I was sure there was other funky stuff hiding there. Ultimately management didn't want us uncovering anything under the skin, as we'd never get a fix for the legacy stuff, so they pulled our funding for that project.
I shoulda played with it in my own time, but, you know how it goes...
I tripped over the ruts from the SS7 bandwagon over a decade ago. Back then, you had to be in the CO and on the terminal of the Stratum server to spy on SS7 traffic. The ability to scoop up the slop in a bucket came later.
if this is supposed to be a new economy, how come they still want my old fashioned money?
The comments above about SS7 being designed without security are spot-on. In the old days, access to the SS7 network was strictly for big players and salesmen with 'extremely customer-friendly' expense accounts. Basically, anyone with access was a big player (with all the baggage that entails).
Really, the issue here is with MAP (an add-on to SS7 to support mobiles). The explosion of mobile means SS7 is no longer just the playing field for national carriers - mobile-only operators came to the party (still all $xbillion players). Then, smaller countries with some interesting networks came on the scene, and rather naughty SS7 traffic started to appear on the network.
Smarter operators (or at least bigger ones who got their fingers burnt) spent money to install gateways that limit and control their exposure (wouldn't you?). The less clueful/more cash-strapped/networks in less-developed countries remain more exposed.
Anyone interested can search for 'SS7 mobility management' ; the <a href="http://www.informit.com/library/content.aspx?b=Signaling_System_No_7&seqNum=116">code is easy</a>, the issue is getting access to the network.
Oh, wait, these days SS7 is being routed over IP now (ever wondered what the <a href="http://lksctp.sourceforge.net/">linux SCTP module</a> is actually for?).
All your ghosts are just false positives.
An intentional design feature.
-=/\- Jizzbug -/\=-
ILECs and CLECs don't trust other entities to route good SS7 commands. The gateway to the actual SS7 network is set up to filter most SS7 commands beyond the bare minimum needed to complete a call. I've seen an unrestricted SS7 console in action at an ILEC and you can do all sorts of things to trace out calls, listen in and pull billing and address information. It's pretty slick, but they are very selective about who gets access.
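The interconnect gateway described in this comment and in the earlier one about SS7 gateways being "a firewall of sorts" (letting through only what a call or SMS needs, plus MAP mobility traffic from known roaming partners) can be illustrated with a small allowlist filter. This is an added example, not code from the article, the CCC talk or any carrier's or vendor's gateway: the MAP operation code numbers are the standard ones from 3GPP TS 29.002, while the category assignments, the global-title prefixes and the sample messages are constructed assumptions for illustration.

```python
"""Toy SS7/MAP interconnect filter (added example; assumptions noted inline).

Models the gateway policy described in the thread: drop housekeeping
operations that should never arrive from another carrier, accept mobility
management only from networks we have a roaming agreement with, and let the
basic call/SMS routing operations through.
"""
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    DROP = "drop"


# MAP operation codes as numbered in 3GPP TS 29.002.
MAP_OPS = {
    2: "updateLocation",
    3: "cancelLocation",
    4: "provideRoamingNumber",
    7: "insertSubscriberData",
    22: "sendRoutingInfo",
    44: "mt-forwardSM",
    45: "sendRoutingInfoForSM",
    46: "mo-forwardSM",
    56: "sendAuthenticationInfo",
    58: "sendIMSI",
    70: "provideSubscriberInfo",
    71: "anyTimeInterrogation",
}

# Category assignments are this example's own simplification (assumption);
# a real deployment derives them from its roaming agreements and topology.
INTERNAL_ONLY = {58, 71}                     # never legitimate from interconnect
ROAMING_PARTNER_ONLY = {2, 3, 4, 7, 56, 70}  # mobility management for roamers
BASIC_INTERCONNECT = {22, 44, 45, 46}        # call and SMS routing every peer needs


@dataclass(frozen=True)
class MapMessage:
    opcode: int
    calling_gt: str   # E.164 global title of the node that sent the message
    called_gt: str    # global title of our node the message is addressed to


@dataclass(frozen=True)
class InterconnectFilter:
    home_gt_prefix: str
    roaming_partner_prefixes: frozenset

    def decide(self, msg):
        """Return (Verdict, reason) for one message arriving on the interconnect."""
        name = MAP_OPS.get(msg.opcode, "opcode %d" % msg.opcode)
        # Our own nodes never reach us over the interconnect, so a calling GT
        # claiming to be from the home network is spoofed.
        if msg.calling_gt.startswith(self.home_gt_prefix):
            return Verdict.DROP, name + ": calling GT spoofs home network"
        if msg.opcode in INTERNAL_ONLY:
            return Verdict.DROP, name + ": internal-only operation"
        if msg.opcode in ROAMING_PARTNER_ONLY:
            if any(msg.calling_gt.startswith(p) for p in self.roaming_partner_prefixes):
                return Verdict.ALLOW, name + ": from roaming partner"
            return Verdict.DROP, name + ": sender is not a roaming partner"
        if msg.opcode in BASIC_INTERCONNECT:
            return Verdict.ALLOW, name + ": basic interconnect operation"
        return Verdict.DROP, name + ": not on the allowlist"

    def run(self, batch):
        """Filter a batch; returns a list of (operation name, verdict, reason)."""
        return [(MAP_OPS.get(m.opcode, "opcode %d" % m.opcode),) + self.decide(m)
                for m in batch]


# Constructed, fictitious global-title prefixes (assumption, not real carriers).
HOME_FILTER = InterconnectFilter(
    home_gt_prefix="4912345",
    roaming_partner_prefixes=frozenset({"3312345", "4412345"}),
)

# Constructed sample batch as it might arrive at the gateway.
SAMPLE_BATCH = [
    MapMessage(45, "3312345001", "4912345100"),  # SMS routing query from a partner
    MapMessage(2, "4412345002", "4912345100"),   # updateLocation from a partner VLR
    MapMessage(2, "8812345003", "4912345100"),   # updateLocation from unknown network
    MapMessage(58, "3312345001", "4912345100"),  # sendIMSI, even from a partner
    MapMessage(71, "4912345050", "4912345100"),  # anyTimeInterrogation with spoofed home GT
    MapMessage(99, "3312345001", "4912345100"),  # opcode the gateway does not recognise
]


def filter_sample():
    """Run the constructed batch through the home network's filter."""
    return HOME_FILTER.run(SAMPLE_BATCH)


if __name__ == "__main__":
    for name, verdict, reason in filter_sample():
        print("%-5s %s" % (verdict.value, reason))
```

The decision order matters: the spoofed-home-GT check runs before any opcode classification, so an operation that would otherwise be allowed is still dropped when its origin is implausible. Everything not explicitly on an allowlist is dropped, which is the "bare minimum needed to complete a call" stance the comment describes; loosening that default is what leaves the less careful operators in the thread exposed.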
Too often when I hear of "researchers" discovering "flaws", it turns out all they are doing is demonstrating an obvious result from commonly known properties of a system.
You mean you can just mount that unencrypted drive, change root password, boot up and have full access to everything? Well jolly geeewiz...
The SS7 "flaw" is standard operating procedure for telcos, where the only meaningful form of security has always been adult supervision.
Not much different from what happens when one or more "adults" setting up BGP sessions turns out to be an immature little brat.
The only difference is that at least people know the Internet isn't secure and can plan accordingly by plugging in the E2E security solution of their choice.
Have a smartphone and want to replace standard voice codec with an encrypted one? Sorry that's locked away in the baseband.. access denied son.
Attempts to setup globally trustworthy systems have consistently devolved into jokes. Humanity appears to lack necessary intelligence and integrity to pull it off. The best we can do right now is piecemeal E2E solutions.
that NSA has known about it and been exploiting it whenever possible.
It was ABCD, not CDEF. My ameritech beige box has them as well as other neato DTMF codes.
and the entire planet's phone routing system for that matter.
Is that it explicitly assumes that only those who are trusted have access to the network at that level.
That assumption has been blown apart time and time again.
Hijacked phone ranges were a problem in the 1990s well before the problem of hijacked IP netblocks started being noticed and defended against on the Internet - and they're still a problem which isn't defended against.
SS7 attacks have been around a long time and telcos won't do anything about it because it's not economically worthwhile.
As with railway companies being legally forced to put adequate braking systems on trains, telcos will only take action on these issues when legislation forces them to.
Did I miss something?