Slashdot Mirror


Researchers Discover SS7 Flaw, Allowing Total Access To Any Cell Phone, Anywhere

krakman writes: Researchers discovered security flaws in SS7 that allow listening to private phone calls and intercepting text messages on a potentially massive scale – even when cellular networks are using the most advanced encryption now available. The flaws, to be reported at a hacker conference in Hamburg this month, are actually functions built into SS7 for other purposes – such as keeping calls connected as users speed down highways, switching from cell tower to cell tower – that hackers can repurpose for surveillance because of the lax security on the network. It is thought that these flaws were used for bugging German Chancellor Angela Merkel's phone.

Those skilled at the housekeeping functions built into SS7 can locate callers anywhere in the world, listen to calls as they happen or record hundreds of encrypted calls and texts at a time for later decryption (Google translation of German original). There is also potential to defraud users and cellular carriers by using SS7 functions, the researchers say. This is another result of security being considered only after the fact, as opposed to being part of the initial design.

7 of 89 comments

  1. LOL. by Jahoda · · Score: 1, Interesting

    I like how you reach that conclusion that this is the result of security being considered only after the fact, rather than being an integral part of the design.

  2. Re:Hardware Security by Charliemopps · · Score: 4, Interesting

    yea, I've been laughing about this story... If this scares you, never look up how landlines work, that'd terrify you. lol

    You could take pretty much any speaker you wanted to, run a jumper to the switch and listen to any phone call you wanted. ANYONE in your neighborhood can walk over to any one of the hundreds of pedestals in your neighborhood and do the same. If you really want to get fancy you can go get a butt set off Amazon for $10 and dial out too. And all that's before we get to someone with switch access... they can issue commands to link your call to another number so they can listen in, etc...
    You've absolutely no privacy on a land-line phone call.

  3. Unlocked door w/ sign "Authorized Personnel Only" by DutchUncle · · Score: 4, Interesting

    This isn't even a back door; it's how the system works. Only the authorized licensed carriers are supposed to issue command codes, just like the C,D,E,F touch-tones (yes, Virginia, there are four more than on your phone). What's being described here is a basic fraud, as basic as Charlie Chaplin in a restaurant posing as a waiter and pocketing the money someone else leaves with a bill. The failure is in assuming that someone intending to violate conventions and rules will follow the "authorizations" any more than they will follow any other rules.

  4. Re:How naive... by Anonymous Coward · · Score: 4, Interesting

    Yes, flaw. SS7 dates back to the late 70s, and has roots all the way back in the early 60s. Nobody encrypted anything back then, it was a miracle it worked at all.

    So, clearly SS8 (or whatever) needs to take this into consideration, but...

  5. Re:Best pick up one of these by DarkOx · · Score: 2, Interesting

    The obvious solution is just to have the handsets negotiate. There is absolutely no "good" reason call setup between two cellular handsets (or any other digital endpoint for that matter) should not feature some kind of certificate validation step between the end points, followed by the exchange of a uniquely per-call generated symmetric key, exchanged securely using the same PKI used to validate the certificate authenticity. Essentially SSL for phone calls.

    People could use third party CAs like they do for the web today for most callers. Phone software should be easily configured to ONLY accept previously installed self-signed certificates for certain subjects. I.e. if a call wants to identify itself as being from cousin Bob's cellphone it will be rejected unless it is signed with the public key Bob previously gave me; even if the cert has a valid third party signature and is otherwise valid. Users could easily exchange keys in person using Bluetooth + PIN etc.

    This would allow LEAs to eavesdrop by MITMing calls between, say, an individual and a financial institution. With a warrant the third party CA the financial institution uses could be compelled to provide the LEA with a valid cert for that subject, hopefully with an expiry of only a few days. Of course techniques like cert pinning could be used to detect this by individuals. It would leave LEAs with no easy avenue to eavesdrop on calls between Bob and myself. I think this is a reasonable compromise.

    On the other hand it still does nothing to address the mass surveillance concern. It will still be easy for instance for an LEA to obtain call records from the phone company. They won't have the content and won't be able to get at it, but they absolutely can know when, how long, and how often Bob and I spoke. They can also know who else Bob and I called. We know that this information is very revealing; it's been used very effectively to identify relationships. It's less clear it violates the 4th than accessing the content. I don't like it but it might be again part of an acceptable compromise.

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html

  6. Re:Hardware Security by UnderCoverPenguin · · Score: 3, Interesting

    Your friend is most likely lying. The phones in the switch (specifically for QC) would only hear one side of the conversation. If you hear both sides, there was an echo issue (and the conversation wouldn't continue between the two parties).

    If the speaker was connected to a local loop, then it would hear both sides. (While I agree it should not have been connected to a local loop, I would not be surprised if (occasionally) it was.)

    Phones designed for use with traditional land lines have echo-suppression circuits. As does the equipment at the switching office. This was done to avoid the cost of a third wire and because using either earth or electrical ground was too noisy.

    An old design: http://www.epanorama.net/circu...

    A somewhat modern design: http://www.epanorama.net/circu...

    Also, very early telephone designs did not have echo suppression. I have one that one of my grandmothers bought at an auction (a certificate of legal sale was included with the phone). In theory, it is compatible with the current land line system, though I have never tried it. It is very similar to this: http://oldphoneman.com/images/...

    --
    Don't try to out weird me, three-eyes. I get stranger things than you, free with my breakfast cereal. --Zaphod Beeblebr

  7. Re:Hardware Security by SternisheFan · · Score: 4, Interesting

    Except with the land line, someone has to go find your physical wire pair and connect to it. This is a software hack.

    As far back as (at least) the 1970s/80s there was the "Infinity device". You connected it between your phone and landline, dialed any number and that phone would connect without ringing. This allowed the person using the device to eavesdrop on the conversation in the room where the target phone was located.

    (From Wiki): An infinity transmitter (also known as a harmonica bug) is a surveillance device used to covertly monitor conversation in a room through a telephone line. Its name derives from the fact that, by using a telephone line as a transmitter, it can work at an infinite distance, unlike other bugging devices that have only a finite signal range. The alternative name 'harmonica bug' refers to the fact that such devices were originally activated using the tone produced by a harmonica. Design of infinity transmitters has varied, according to developments in telephone systems. In some instances, the bug is activated after the target answers and hangs up their phone. In countries where there is a delay between connection and the first ring, the bug can be activated before the target phone rings, so that the infinity transmitter essentially 'answers' the call. In more advanced systems, the transmitter can be placed in a parallel telephone line to prevent the victim's phone line remaining engaged. As modern telephone lines no longer establish a voice path until the call is answered, a variant of this now exists that uses CND, or caller ID. Usually an unusual sequence of non-printing characters is used and thus will not show up on a display device. Sometimes the caller ID device itself has the bug, but it can be nearly anywhere. In much the same manner a cellphone can be configured for silence on ring and auto answer and hidden, frequently placed inside something that has power available to maintain the battery. This allows the infinity transmitter to be hidden inside an automobile or other location where a land line is not an option.

    http://en.wikipedia.org/wiki/I...