Slashdot Mirror
Researchers Discover SS7 Flaw, Allowing Total Access To Any Cell Phone, Anywhere
krakman writes: Researchers discovered security flaws in SS7 that allow listening to private phone calls and intercepting text messages on a potentially massive scale – even when cellular networks are using the most advanced encryption now available. The flaws, to be reported at a hacker conference in Hamburg this month, are actually functions built into SS7 for other purposes – such as keeping calls connected as users speed down highways, switching from cell tower to cell tower – that hackers can repurpose for surveillance because of the lax security on the network. It is thought that these flaws were used for bugging German Chancellor Angela's Merkel's phone.
Those skilled at the housekeeping functions built into SS7 can locate callers anywhere in the world, listen to calls as they happen or record hundreds of encrypted calls and texts at a time for later decryption (Google translation of German original). There is also potential to defraud users and cellular carriers by using SS7 functions, the researchers say. This is another result of security being considered only after the fact, as opposed to being part of the initial design.
Those skilled at the housekeeping functions built into SS7 can locate callers anywhere in the world, listen to calls as they happen or record hundreds of encrypted calls and texts at a time for later decryption (Google translation of German original). There is also potential to defraud users and cellular carriers by using SS7 functions, the researchers say. This is another result of security being considered only after the fact, as opposed to being part of the initial design.
SS7 pre-dates the modern processing explosion. Early systems were stretching their embedded 386 just to handle the protocol messages. Any additional security would have made the systems pretty much impractical for another few years.
As a result, it was designed around physical security of the signalling lines, and that is pretty much the way it has stayed. Only certified equipment gets connected to core equipment. Foreign equipment goes through an SS7 gateway (really a firewall of sorts). Encrypted tunnels are use for connecting SS7 networks over insecure channels.
So basically your calls are as good as the physical security of the core switches. Which is generally pretty good. And if you have physical access to the core switches, then there are probably many other ways you could listen in anyway.