Slashdot Mirror


The Critical Hole At the Heart Of Our Cell Phone Networks (wired.com)

An anonymous reader writes: Kim Zetter from WIRED writes an intriguing report about a vulnerability at the heart of our cell phone networks. It centers around Signaling System No. 7 (SS7), which refers to a data network -- and the protocols or rules that govern how information gets exchanged over it. Zetter writes, "It was designed in the 1970s to track and connect landline calls across different carrier networks, but is now commonly used to calculate cellular billing and send text messages, in addition to routing mobile and landline calls between carriers and regional switching centers. SS7 is part of the telecommunications backbone but is not the network your voice calls go through; it's a separate administrative network with a different function." According to WIRED, the problem is that SS7 is based on trust -- any request a telecom receives is considered legitimate. In addition to telecoms, government agencies, commercial companies and criminal groups can gain access to the network. Most attacks can be defended with readily available technologies, but more involved attacks take longer to defend against. T-Mobile and AT&T, for example, have vulnerabilities with fixes that have yet to be implemented.

32 comments

  1. Slow news? by Errol+backfiring · · Score: 1

    Didn't I read the same story a week ago on slashdot?

    --
    Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
    1. Re:Slow news? by Voyager529 · · Score: 1

      You heard about it on 60 Minutes last week: http://www.cbsnews.com/news/60....

    2. Re:Slow news? by Anonymous Coward · · Score: 0

      Last week?!? Dude, it was eleven days ago. That's like last year's iPhone news.

      Then again, we saw this on 19 Dec. 2014 and 12 Oct. 2012.

      TL;DR: SS7 is broken.

    3. Re:Slow news? by Striek · · Score: 1

      Not exactly. This is Wired covering the story - the same story that The Guardian covered two weeks ago showed up here on the 18th of this month.

      It's the same story essentially. If you follow the research back far enough you'll find the same sources. But Wired does, IMHO, a far better job of covering it.

      (Too bad they jumped on the anti-adblock bandwagon. Their reporting has always been top notch.)

      --
      "Government is like fire; a handy servant, but a dangerous master." -- George Washington
    4. Re:Slow news? by Z00L00K · · Score: 1

      I'm surprised it hasn't been used to bring down telecom operators totally yet.

      But maybe there's more profit in spoofing phone calls to install malware at stupid people.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    5. Re:Slow news? by wyHunter · · Score: 1

      It has been discussed literally for decades, too. There was talk at Bell Labs about this in the 1980s.

    6. Re:Slow news? by Minupla · · Score: 3, Interesting

      Same reason that BGP isn't toast. Those who have the knowledge of how weak the locks are have no reason to leave the doors open behind them. It's really more surprising to anyone who's spent any time in the plumbing of the internet that it still functions, given the weaknesses in some of the protocols (check YouTube for the looking glass site vulnerability talk from DEF CON a couple of years ago for an example of how bad it is), than that it has holes.

      The telephone system is the same way: the people with the skills to exploit SS7 are the people who are invested in keeping the holes there. It's more useful to be able to track an arbitrary cell phone than it is to be able to bring down the international phone system and force the telcos to fix it.

      Min

      --
      On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
  2. Again? by Anonymous Coward · · Score: 0

    Seems like we just read this on April 18th

  3. U can rip off SS7 by Anonymous Coward · · Score: 0

    With a blue box.

  4. It's not a bug, it's a feature by Anonymous Coward · · Score: 1

    With all of the attempts to hobble encryption and force companies to cooperate with authorities against consumers, people are assuming this is anything but intentional? The only "bug" in this system from the government's perspective is that people besides them can now exploit it. The cell network from its inception could probably have been designed with much more security, privacy and redundancy without too much additional effort. But all of that would have made warrantless use of stingrays, call records subpoenas and other intrusions into people's lives more difficult.

  5. Why the euphemism by Wootery · · Score: 2, Insightful

    vulnerabilities with fixes that have yet to be implemented

    Unfixed vulnerabilities, then.

    1. Re:Why the euphemism by Anonymous Coward · · Score: 0

      Not just any unfixed vulnerabilities, but unfixed vulnerabilities for which fixes haven't yet been implemented.

      That's not a euphemism; it's just plain English.

    2. Re:Why the euphemism by Wootery · · Score: 1

      I guess that makes sense, if you interpret 'fixed' to refer to deployment, not to implementation.

  6. very old news by Anonymous Coward · · Score: 0

    very old news

  7. what intriguing vulnerability? by Anonymous Coward · · Score: 0

    grumble grumble click bait not including critical information in the summery.....

    Its essentially a MIM attack, FTFA

    "Therefore anyone with access to a server or gateway on the SS7 network can send a location or redirect request to your telecom for purposes of roaming, and the telecom will likely comply, even if the roaming request comes from St. Petersburg or Mumbai and you and your phone are in New York.... an attacker will also be able to grab your two-factor authentication log-in codes that Gmail and other services send via text so you can access your accounts."

    1. Re: what intriguing vulnerability? by Anonymous Coward · · Score: 0

      Grumble grumblr cant spell summary....

    2. Re: what intriguing vulnerability? by Anonymous Coward · · Score: 0

      Grumble grumble can't include necessary apostrophes in contractions or spell "grumble" correctly twice in a row.
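The quoted WIRED passage describes the failure mode: a home network accepts a location or redirect request for one of its subscribers from any SS7 peer, wherever that peer sits. The "readily available technologies" the summary mentions are screening rules of the kind an SS7 firewall applies at the network edge. The script below is an added example, not code from WIRED, the commenters, or any carrier; it shows two such plausibility checks over constructed MAP requests: is the sending network a roaming or SMS partner we actually have an agreement with, and could the subscriber plausibly have travelled from the last place we saw them. The global titles, partner tables, country centroids and speed threshold are all made up for the demonstration.

```python
"""Plausibility screening for inbound SS7 MAP requests (added example).

A home network's SS7 edge receives MAP requests from other networks'
global titles (GTs). Two defensive checks are applied here:
  1. partner check  - only networks we have an agreement with may
                      register our subscribers (UpdateLocation) or ask
                      where to deliver their SMS (SendRoutingInfoForSM);
  2. velocity check - a subscriber last seen in one country cannot be
                      registered from another country sooner than a
                      plane could carry them there.
All identifiers, tables and coordinates below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

HOME_CC = "1"                            # our own country code (constructed)
ROAMING_PARTNERS = {"44", "49"}          # may send UpdateLocation for our IMSIs
SMS_PARTNERS = {"44"}                    # may send SendRoutingInfoForSM for our IMSIs
MAX_SPEED_KMH = 1000.0                   # faster than any airline itinerary

# Rough country centroids (lat, lon) used only for the velocity check.
COUNTRY_CENTROID = {
    "1": (40.7, -74.0),    # US, New York area
    "44": (51.5, -0.1),    # UK, London area
    "49": (52.5, 13.4),    # DE, Berlin area
    "7": (59.9, 30.3),     # RU, St. Petersburg area
    "91": (19.1, 72.9),    # IN, Mumbai area
}


@dataclass
class MapRequest:
    kind: str          # "UpdateLocation", "SendRoutingInfoForSM", ...
    origin_gt: str     # E.164 global title of the sending node
    imsi: str
    ts: datetime


def country_code(gt: str) -> str:
    """Longest-prefix match of a GT against the constructed country table."""
    for n in (3, 2, 1):
        if gt[:n] in COUNTRY_CENTROID:
            return gt[:n]
    return "?"


def haversine_km(a, b) -> float:
    """Great-circle distance between two (lat, lon) points in km."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


class Screener:
    def __init__(self):
        # imsi -> (country code, time) of the last accepted UpdateLocation
        self.last_seen = {}

    def screen(self, req: MapRequest) -> list:
        """Return the reasons to reject a request; an empty list means it passes."""
        reasons = []
        cc = country_code(req.origin_gt)
        if req.kind == "UpdateLocation":
            if cc != HOME_CC and cc not in ROAMING_PARTNERS:
                reasons.append(f"UpdateLocation from non-partner network +{cc}")
            prev = self.last_seen.get(req.imsi)
            if prev and prev[0] != cc and cc in COUNTRY_CENTROID:
                hours = (req.ts - prev[1]).total_seconds() / 3600
                km = haversine_km(COUNTRY_CENTROID[prev[0]], COUNTRY_CENTROID[cc])
                if hours <= 0 or km / hours > MAX_SPEED_KMH:
                    reasons.append(f"implausible move +{prev[0]} -> +{cc}: {km:.0f} km in {hours:.1f} h")
            if not reasons:
                self.last_seen[req.imsi] = (cc, req.ts)   # only accepted updates move the subscriber
        elif req.kind == "SendRoutingInfoForSM":
            if cc != HOME_CC and cc not in SMS_PARTNERS:
                reasons.append(f"SMS routing query from non-partner network +{cc}")
        # other MAP operations are left unscreened in this example
        return reasons


def demo() -> dict:
    """Run a constructed sequence: home attach, then the WIRED scenario (request from
    St. Petersburg an hour later), a genuine trip to the UK, and two SMS routing queries."""
    s = Screener()
    imsi = "310150123456789"   # constructed IMSI
    t0 = datetime(2016, 4, 28, 12, 0, tzinfo=timezone.utc)
    return {
        "home_attach": s.screen(MapRequest("UpdateLocation", "12125550100", imsi, t0)),
        "spb_1h_later": s.screen(MapRequest("UpdateLocation", "79215550100", imsi, t0 + timedelta(hours=1))),
        "uk_10h_later": s.screen(MapRequest("UpdateLocation", "447700900123", imsi, t0 + timedelta(hours=10))),
        "sms_from_in": s.screen(MapRequest("SendRoutingInfoForSM", "919820000000", imsi, t0 + timedelta(hours=11))),
        "sms_from_uk": s.screen(MapRequest("SendRoutingInfoForSM", "447700900123", imsi, t0 + timedelta(hours=11))),
        "last_seen": s.last_seen[imsi][0],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result if result else 'pass'}")
```

The velocity check is what makes the difference between "any request is legitimate" and "this request cannot describe a real phone": a subscriber registered from New York cannot appear in St. Petersburg an hour later, whoever sent the UpdateLocation. Real deployments screen on the SCCP calling-party GT and the MAP operation code at an STP rather than on a Python dataclass, but the decision logic is the same.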

  8. Anti-adblock on Wired by Anonymous Coward · · Score: 0

    Makes it not worth visiting.

    It's like TMZ trying to charge you money.

  9. SS7 is the reason for spoofed CallerID by Anonymous Coward · · Score: 0

    The SS7 system is the reason for spoofed CallerIDs and why people are being fooled into giving out their personal information over the phone.

  10. This is not the Hole you are looking for by TheRealHocusLocus · · Score: 2, Informative

    Geez... IF ONLY the ability to hack into the signalling network and make some free calls was the worst of our problems. What a wonderful world that would be.

    How about... the fact that you are probably within a thousand feet of a cell tower that is too bloody stupid to connect your cell phone with your neighbor's cell phone? How we made a transition over the last couple of decades from a Bell Standard Practice of completely autonomous wired phone systems in hardened buildings, each with the capability to provide complete functionality and call completion to its area served so long as you keep a single generator running... and if your neighboring cities or counties keep the generators their buildings running, you can call them too...

    To a cell phone patchwork abortion of distributed virtual networks. Now, depending on the size of your state, instead of dozens there are hundreds, even thousands of emergency generators that must keep running if grid power fails, some on towers that are necessary to connect the edge networks with a fragile few, centralized CO/HLR platforms to handle roaming and billing, which may be hundreds of miles and several hops away. As one AC in the linked thread says, "A large wireless carrier for example has three switches for the entire state. What that means is if that central switch goes down, you cannot call people local to your area/CO."

    So to describe it in layman's terms, if you wanted to complete a call on a Bell network the answer was FUCK YEAH, so long as it didn't have too many different digits. For cell phones the answer is FUCK NO BY DEFAULT unless a deliciously complicated procedure involving connectivity and negotiation to distant computers completes quickly and successfully. This system was built out by telecommunications engineers making a series of decisions. Each decision made the system more fragile, and they kept making them for years. It was always someone else's job to look at the whole and say, "Well sheeit. This is a whole lot stupider than the system it is replacing, if something bad happens." And that someone else never showed up for work. These engineers were all grown-ups, but their collective decision was infantile.

    So enjoy your 2G and your 3G and your 4G while it lasts. Dance on Ma Bell's grave and laugh at those gutted terminal boxes in your neighborhood with their covers off, raindrops dripping off the rainbow of copper wires going nowhere. But unlike the 'dark ages' of the 1970s, should something go wrong and the power goes out and it becomes critical for communities to communicate with one another, it's all the way back to Pony Express, baby. Better gas up yer horse.

    --
    <blink>down the rabbit hole</blink>
    1. Re:This is not the Hole you are looking for by Lumpy · · Score: 0

      Your cellphone can't connect to your friend's cellphone next to you for one reason only.... you can't be billed for that, so it will never happen.

      The tech is there, the devices are capable of it, the cellphone companies don't want you to have it.

      --
      Do not look at laser with remaining good eye.
    2. Re:This is not the Hole you are looking for by rickb928 · · Score: 1

      0 - None of this has to do with the 'old days', when roaming cost real $, and carriers were competitive with each other at the local market level?

      1- Nor does it have to do with the old 'wireline' v 'non-wireline' distinctions?

      2 - When wireline ruled, all you really needed in the CO were those old batteries, charged and ready, to survive maybe 48 hours without utility power. Fire off the generators 4 hours in if it seemed desperate. Of course, you should then start calling around to get spare battery packs and chargers for all the SLICs that would die, and diesel to supply your generators. Maine, 1998.

      3 - Without reading the usual, it seems secure gateways could be fashioned out of leftover PCs and a reasonably well secured Linux firewall, maybe even one of several purpose-built boxen or maybe something from Cisco? Is this so hard? Really? I know, TLS is probably secretly broken, and MITM attacks can be made, but is this so hard to fix? Oh yea, put a honking UPS on that gateway.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    3. Re:This is not the Hole you are looking for by fortfive · · Score: 1

      We're all dooooooomed!

    4. Re:This is not the Hole you are looking for by TheRealHocusLocus · · Score: 0

      Your cellphone can't connect to your friend's cellphone next to you for one reason only.... you can't be billed for that, so it will never happen.

      I was not suggesting that there should be some directly integrated peer-to-peer cellphone protocol, though that would be nice. It would result in us having walkie-talkies that work rather than nothing at all.

      The problem is that there was never any real mandate to ensure that your 'local' phones have any local functionality.
      Towns, cities and counties have no guarantee that their cell phones will work at all if their network becomes isolated.
      No guarantees, no responsibility, no problem.

      If this was ever discovered to be the case in the 'olden days' of wired phones, you can bet that Commissioners, Governors and Mayors would get on the line to the phone companies --- even under clear blue skies --- to demand that this was an intolerable situation that needed to be addressed and solved immediately. If it was not, they'd get on radio and TV and plead with the public to create an outcry to end this 'dangerous' practice, one which could even result in needless loss of life as disaster response and communication within the city becomes impossible. State and federal governments would get involved too, declaring that their authority to ensure that the public interest is served gives them the ability to press for change.

      This has nothing whatsoever to do with technology.
      There has been a general decline in the quality of people.
      Bell Systems engineers could never sleep at night if they knew their network was dangling by a thread.
      Cell phone companies have no trouble sleeping at all.

      --
      <blink>down the rabbit hole</blink>
    5. Re:This is not the Hole you are looking for by LDAPMAN · · Score: 1

      This really is a serious issue. Even if the system is not damaged during an emergency, it can be overwhelmed and we lose the ability to communicate. We definitely need to push for reliability standards as the cell system is no longer an auxiliary channel but is the main voice communications system.

    6. Re:This is not the Hole you are looking for by TheRealHocusLocus · · Score: 1

      And I just love drive by meta-mods tagging P and GGP as 'overrated'. Little techno-babies needing to put their fingers in their ears to shut out bad men who talk about the grid going down for any reason, and how it might affect them.

      Don't get me wrong, I am blown away by the technology and consider it a Good Thing. But it was incredibly dumb to completely disregard area-autonomous operation. It was dereliction of duty for the feds not to step in early and mandate it. It's not a wireless thing either. You now have cable IP phones that cannot ring your neighbor's cable IP phone unless a PPPoE/DHCP negotiation to a server six hops and who knows how many states away succeeds. That is a FAIL in my book.

      Cell/VoIP have become just like those plastic Fisher-Price phones where the buttons are printed on a sticker. You can have lots of fun with them as a kid, but iff'n when the power goes out you will grow up fast and realize they never were 'real' phones.

      --
      <blink>down the rabbit hole</blink>
  11. Pssh by Anonymous Coward · · Score: 4, Insightful

    It's not complicated. Previously, control signals had been sent in-band with the data. This allowed malicious users to hijack the phone system. It used to be as simple as playing a 2600 Hz tone... you could make untraceable calls, eavesdrop on others' calls, etc. etc. etc.

    So along comes SS7. It makes one change: Signalling is now done out of band on a separate channel from the data. This prevents malicious users from sending control signals over the line without access to SS7 facilities. However, it does not prevent those with administrative access to an SS7 facility from doing malicious things. In fact, this is exactly why the NSA sets up people at your local telecom... because by having administrative access they can view all traffic.

    You can encrypt your communications to stop typical malicious users (it won't be effective against determined state actors). But how do you prevent an SS7 administrator from seeing where you are calling from, where you are calling to, when you switch towers, the duration of the call, etc. etc. when the SS7 system needs that information to connect your call and provide billing? What fix would resolve this?

    How is hijacking an SS7 switch any different than hijacking an internet backbone router?

    1. Re:Pssh by phantomfive · · Score: 1
      --
      "First they came for the slanderers and i said nothing."
    2. Re:Pssh by Anonymous Coward · · Score: 0

      Half of what you just mention, I wouldn't use SS7 to track. SS7 is merely for call setup. If I want to know what tower you're on (something the SS7 won't know anyway), duration, etc, then I'm in one of two places: OMP - Operations Maintenance Platform, or the BSC - Base Site Controllers. I can still also tap your call at the switch (Lucent 5ESS, or Nortel DMS100/250 as two common examples in the US), physically jack in at some points, or listen at the echo cancellers (calls from cell to land line convert from 4 wire to 2 wire, which causes echo... and hence there are hundreds of "echo cans" digitally fingerprinting the audio looking for a duplication, which is the echo).

      Long story short, if I'm a switch tech, or a malicious person in the switch, there's nothing you can do to keep me from tracking you. It's my job to be able to do it when things fail.

  12. Just to have a car analogy... by Opportunist · · Score: 2

    It's the same problem car makers face now with WiFi hackable cars. You can almost see someone stand there at Bosch when they designed the CAN bus...

    "Security? Are you high? Let's assume some mundane schmuck even HAS the technology at his hands, if he can get to the bus and attach himself to it and know the protocol and all that shit, he's already in the car. Why the fuck add security?"

    And I can almost see the same at AT&T a few years earlier. Just replace car with ... whatever the boxes are called that switch phone stuff.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  13. Trust was not a problem when Ma Bell owned it all by DutchUncle · · Score: 1

    SS7 was an improvement because it was out-of-band. All SS7 interaction came from The Phone Company, because there was only one in each country. There was not Another System (see "Colossus"); there were no other companies sending SS7 messages over insecure links, because there weren't any of either.