Slashdot Mirror
Researchers Discover SS7 Flaw, Allowing Total Access To Any Cell Phone, Anywhere
krakman writes: Researchers discovered security flaws in SS7 that allow listening to private phone calls and intercepting text messages on a potentially massive scale – even when cellular networks are using the most advanced encryption now available. The flaws, to be reported at a hacker conference in Hamburg this month, are actually functions built into SS7 for other purposes – such as keeping calls connected as users speed down highways, switching from cell tower to cell tower – that hackers can repurpose for surveillance because of the lax security on the network. It is thought that these flaws were used for bugging German Chancellor Angela's Merkel's phone.
Those skilled at the housekeeping functions built into SS7 can locate callers anywhere in the world, listen to calls as they happen or record hundreds of encrypted calls and texts at a time for later decryption (Google translation of German original). There is also potential to defraud users and cellular carriers by using SS7 functions, the researchers say. This is another result of security being considered only after the fact, as opposed to being part of the initial design.
Those skilled at the housekeeping functions built into SS7 can locate callers anywhere in the world, listen to calls as they happen or record hundreds of encrypted calls and texts at a time for later decryption (Google translation of German original). There is also potential to defraud users and cellular carriers by using SS7 functions, the researchers say. This is another result of security being considered only after the fact, as opposed to being part of the initial design.
"Flaw"? Is anyone really that ignorant these days? This is not a bug, it's by design.
SS7 pre-dates the modern processing explosion. Early systems were stretching their embedded 386 just to handle the protocol messages. Any additional security would have made the systems pretty much impractical for another few years.
As a result, it was designed around physical security of the signalling lines, and that is pretty much the way it has stayed. Only certified equipment gets connected to core equipment. Foreign equipment goes through an SS7 gateway (really a firewall of sorts). Encrypted tunnels are use for connecting SS7 networks over insecure channels.
So basically your calls are as good as the physical security of the core switches. Which is generally pretty good. And if you have physical access to the core switches, then there are probably many other ways you could listen in anyway.
SS7 stands for Signalling System No. 7
SS7 protocol enable the cellphone network to identify the identification of a certain user, no matter where that particular user turns up
This isn't even a back door; it's how the system works. Only the authorized licensed carriers are supposed to issue command codes, just like the C,D,E,F touch-tones (yes, Virginia, there are four more than on your phone). What's being described here is a basic fraud, as basic as Charlie Chaplin in a restaurant posing as a waiter and pocketing the money someone else leaves with a bill. The failure is in assuming that someone intending to violate conventions and rules will follow the "authorizations" any more than they will follow any other rules.
This isn't even about a subversion of standards. It's kind of required for cell phones to work that the towers are able to identify your handset and route your calls and messages. This isn't an OTA exploit. You still have to have physical access to the switch and credentials.
OMG guys! I've discovered a terrible, awful vulnerability in Linux!!! If somebody has your root password, they can, with a few keystrokes, have total access to your computer! They can read all your files, change them, delete them, anything! We're doomed!
No, the problem with government surveillance is a political one, not a technological one. As long as they have the authority to hook their boxes into the communications lines, nothing can ever be secure. Somebody has to have root access to the system for the system to work and be maintainable.
I work at a hospital, and I have root access to the database. ZOMG your medical records aren't secure! Somebody sitting at the server with the root password can see everything! Ummmm no, your records are fine. I have to have access to the database to do my job. But we have a political system including an internal review board and threats of felony criminal prosecution if I were to do anything to violate your privacy. Also I'm not a dick. The solution to government surveillance is a political one. We need people who aren't dicks and rules that put them in jail if they intercept your calls.
We don't have a state-run media we have a media-run state.
SS7 dates to the '70s. Pretty much no communications protocols intended for general use were designed with even the thought of security at the time. The number of players in the game was small enough that any bad behavior could be rooted out fairly easily.
Look at email for the same basic problem, it was designed with the assumption that the parties involved could be trusted because on the networks it was designed for that was generally the case. Over time the trustworthiness of the network was degraded for reasons both good and bad, but the common protocols had already been established by then and it's a long road to change.
I won't argue that there probably has been some "influence" on decisions about adopting more secure replacements, but it's a bit tinfoil hattish to claim that the protocols themselves were intentionally made insecure when it's well documented that most protocols from that era just weren't designed to try to be secure in the first place.
I used to get high on life, but I developed a tolerance. Now I need something stronger.
If I break into your house, and then walk into your main hallway, and then say, "There is a security flaw in your home! From this point in your hallway I can listen to any room, or walk down freely into any room." As you're looking at your front door splintered from the battering ram I hit it with to get in, would you call it a "hack," a flaw or something to be concerned about how your hallway(s) go through your house? No, you'd say, "The hallway is fine, I need a stronger front door. BTW, the Glock I'm holding is loaded."
When I start to read, "SS7 was designed in the 80s," I already know I'm dealing wtih a mental midget. Actually, SS7 begain due to the first ever hackers. Remember 2600? As in, 2600 Hz was the signaling frequency for a landline switch. Throw that tone, and you could make calls (for free if it was a payphone). Hence, telecoms came up with an idea to do out of band signaling, which eventually became SS7. So, saying you can "hack" SS7 is very misleading because all SS7 does is coordinate call set up. That "ringing" you hear as you wait for the far, distant switch to reply that the called line is available, is a "comfort tone," as SS7 does it's work. Besides cutting down on fraud, SS7 keeps circuits available, because if the called number is busy, or unavailable, there's no point in setting up a line between your local switch and the switch at the far end.
In the deepest bowels of a switching office, usually near the back, you'll see SS7 racks. These connect from and between local, long-distance and other switches. It's what you'd call, "Back Office," network, similar to the network used by the telecoms to manage their servers your traffic go across but you'll never touch. Such as 3G data going through PCF after it's left the mobile switch, and before it hits an internet backbone ATM. So in simple terms, you'd have to break in, figure out the network, and then figure out a 2nd break in to get to the SS7, and then you'd be in a very small part of the network.
Honestly, if you're going to be doing that much effort, you're NOT going after SS7. Just hack the 3-letter agencies or other LEO server for court-approved wiretapping that is hanging off the switching network and you're in anything, everything, anywhere.