Researchers Discover SS7 Flaw, Allowing Total Access To Any Cell Phone, Anywhere

krakman writes: Researchers discovered security flaws in SS7 that allow listening to private phone calls and intercepting text messages on a potentially massive scale – even when cellular networks are using the most advanced encryption now available. The flaws, to be reported at a hacker conference in Hamburg this month, are actually functions built into SS7 for other purposes – such as keeping calls connected as users speed down highways, switching from cell tower to cell tower – that hackers can repurpose for surveillance because of the lax security on the network. It is thought that these flaws were used for bugging German Chancellor Angela Merkel's phone.

Those skilled at the housekeeping functions built into SS7 can locate callers anywhere in the world, listen to calls as they happen or record hundreds of encrypted calls and texts at a time for later decryption (Google translation of German original). There is also potential to defraud users and cellular carriers by using SS7 functions, the researchers say. This is another result of security being considered only after the fact, as opposed to being part of the initial design.

5 of 89 comments

  1. Hardware Security by Anonymous Coward · · Score: 5, Informative

    SS7 pre-dates the modern processing explosion. Early systems were stretching their embedded 386 just to handle the protocol messages. Any additional security would have made the systems pretty much impractical for another few years.

    As a result, it was designed around physical security of the signalling lines, and that is pretty much the way it has stayed. Only certified equipment gets connected to core equipment. Foreign equipment goes through an SS7 gateway (really a firewall of sorts). Encrypted tunnels are used for connecting SS7 networks over insecure channels.

    So basically your calls are as good as the physical security of the core switches. Which is generally pretty good. And if you have physical access to the core switches, then there are probably many other ways you could listen in anyway.
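As an added illustration of the "firewall of sorts" this comment describes, and of the summary's point that roaming housekeeping functions can be repurposed to locate a subscriber, here is a small gateway policy check. It is example code, not from the thread or any carrier; the MAP operation names are real (3GPP TS 29.002), while the link names, partner codes, IMSIs and roaming registry are constructed.

```python
# Added example: a minimal SS7 interconnect gateway policy.  The core link is
# trusted by physical security, as the comment describes; the interconnect is
# not.  Operation names are GSM MAP operations; everything else is constructed.
from dataclasses import dataclass

# Housekeeping a roaming partner legitimately sends about a subscriber that is
# currently attached to that partner's network (the "cell tower to cell tower"
# functions the summary mentions, at the inter-network level).
ROAMING_OPS = {"updateLocation", "sendAuthenticationInfo", "purgeMS"}

# Operations that reveal a subscriber's location or redirect traffic.  The home
# network's own core uses them; an interconnect partner has no need to.
HOME_ONLY_OPS = {"anyTimeInterrogation", "provideSubscriberInfo",
                 "insertSubscriberData", "sendRoutingInfo"}

# Constructed registry: which partner each IMSI is roaming on (None = at home).
ROAMING_REGISTRY = {
    "262019900000001": "partner-A",
    "262019900000002": None,
}


@dataclass(frozen=True)
class Signal:
    link: str        # "core" (certified equipment) or "interconnect"
    origin: str      # sending network on the interconnect, e.g. "partner-A"
    operation: str   # MAP operation name
    imsi: str        # subscriber the operation concerns


def gateway_decision(sig: Signal, registry=ROAMING_REGISTRY) -> tuple[str, str]:
    """Return (verdict, reason) for one signalling message.

    Home-only operations never cross the interconnect.  Roaming housekeeping
    is accepted only when the registry agrees that the subscriber is actually
    roaming on the sending network; a mismatch is the pattern a surveillance
    registration would produce, so it is raised as an alert."""
    if sig.link == "core":
        return "allow", "core link, trusted by physical security"
    if sig.operation in HOME_ONLY_OPS:
        return "drop", f"{sig.operation} never crosses the interconnect"
    if sig.operation in ROAMING_OPS:
        serving = registry.get(sig.imsi)
        if serving == sig.origin:
            return "allow", f"{sig.imsi} is roaming on {sig.origin}"
        return "alert", f"{sig.origin} claims {sig.imsi}, registry says {serving}"
    return "drop", f"unknown operation {sig.operation}"
```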

  2. Re:Best pick up one of these by thoriumbr · · Score: 3, Informative

    No, this will not solve the problem. The main issue is at protocol level, not cellphone level. Even with a secured phone, the attack can be silently executed.

    The only defense is using encrypted calls and encrypted text messages.

  3. SS7 was an intentional feature by Anonymous Coward · · Score: 4, Informative

    SS7 stands for Signalling System No. 7.

    The SS7 protocol enables the cellphone network to identify a certain user, no matter where that particular user turns up.

  4. Stupidity is abundant these days by JohnnyComeLately · · Score: 4, Informative

    If I break into your house, and then walk into your main hallway, and then say, "There is a security flaw in your home! From this point in your hallway I can listen to any room, or walk down freely into any room." As you're looking at your front door splintered from the battering ram I hit it with to get in, would you call it a "hack," a flaw or something to be concerned about how your hallway(s) go through your house? No, you'd say, "The hallway is fine, I need a stronger front door. BTW, the Glock I'm holding is loaded."

    When I start to read, "SS7 was designed in the 80s," I already know I'm dealing with a mental midget. Actually, SS7 began due to the first ever hackers. Remember 2600? As in, 2600 Hz was the signaling frequency for a landline switch. Throw that tone, and you could make calls (for free if it was a payphone). Hence, telecoms came up with an idea to do out of band signaling, which eventually became SS7. So, saying you can "hack" SS7 is very misleading because all SS7 does is coordinate call set up. That "ringing" you hear as you wait for the far, distant switch to reply that the called line is available, is a "comfort tone," as SS7 does its work. Besides cutting down on fraud, SS7 keeps circuits available, because if the called number is busy, or unavailable, there's no point in setting up a line between your local switch and the switch at the far end.

    In the deepest bowels of a switching office, usually near the back, you'll see SS7 racks. These connect from and between local, long-distance and other switches. It's what you'd call a "Back Office" network, similar to the network used by the telecoms to manage the servers your traffic goes across but you'll never touch. Such as 3G data going through PCF after it's left the mobile switch, and before it hits an internet backbone ATM. So in simple terms, you'd have to break in, figure out the network, and then figure out a 2nd break in to get to the SS7, and then you'd be in a very small part of the network.

    Honestly, if you're going to be doing that much effort, you're NOT going after SS7. Just hack the 3-letter agencies or other LEO server for court-approved wiretapping that is hanging off the switching network and you're in anything, everything, anywhere.

  5. eh, sonny, back in the day... by swschrad · · Score: 3, Informative

    I tripped over the ruts from the SS7 bandwagon over a decade ago. Back then, you had to be in the CO and on the terminal of the Stratum server to spy on SS7 traffic. The ability to scoop up the slop in a bucket came later.

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?