The Critical Hole At the Heart Of Our Cell Phone Networks

An anonymous reader writes: Kim Zetter from WIRED writes an intriguing report about a vulnerability at the heart of our cell phone networks. It centers around Signaling System No. 7 (SS7), which refers to a data network -- and the protocols or rules that govern how information gets exchanged over it. Zetter writes, "It was designed in the 1970s to track and connect landline calls across different carrier networks, but is now commonly used to calculate cellular billing and send text messages, in addition to routing mobile and landline calls between carriers and regional switching centers. SS7 is part of the telecommunications backbone but is not the network your voice calls go through; it's a separate administrative network with a different function." According to WIRED, the problem is that SS7 is based on trust -- any request a telecom receives is considered legitimate. In addition to telecoms, government agencies, commercial companies and criminal groups can gain access to the network. Most attacks can be defended with readily available technologies, but more involved attacks take longer to defend against. T-Mobile and ATT have vulnerabilities with fixes that have yet to be implemented for example.

Why the euphemism

[Wootery]

vulnerabilities with fixes that have yet to be implemented

Unfixed vulnerabilities, then.

Pssh

It's not complicated. Previously control signals had been sent in-band with the data. This allowed malicious users to hijack the phone system. It used to be as simple as playing a 2600Hz tone... you could make untraceable calls, eaves-drop on others calls, etc. etc. etc.

So along comes SS7. It makes one change: Signalling is now done out of band on a separate channel from the data. This prevents malicious users from sending control signals over the line without access to SS7 facilities. However, it does not prevent those with administrative access to an SS7 facility from doing malicious things. In fact, this is exactly why the NSA sets up people at your local telecom... because by having administrative access they can view all traffic.

You can encrypt your communications to stop typical malicious users (it won't be effective against determined state actors). But how do you prevent an SS7 administrator from seeing where you are calling from, where you are calling to, when you switch towers, the duration of the call, etc. etc. when the SS7 system needs that information to connect your call and provide billing? What fix would resolve this?

How is hijacking an SS7 switch any different then hijacking an internet backbone router?