Slashdot Mirror


The Critical Hole At the Heart Of Our Cell Phone Networks (wired.com)

An anonymous reader writes: Kim Zetter from WIRED writes an intriguing report about a vulnerability at the heart of our cell phone networks. It centers around Signaling System No. 7 (SS7), which refers to a data network -- and the protocols or rules that govern how information gets exchanged over it. Zetter writes, "It was designed in the 1970s to track and connect landline calls across different carrier networks, but is now commonly used to calculate cellular billing and send text messages, in addition to routing mobile and landline calls between carriers and regional switching centers. SS7 is part of the telecommunications backbone but is not the network your voice calls go through; it's a separate administrative network with a different function." According to WIRED, the problem is that SS7 is based on trust -- any request a telecom receives is considered legitimate. In addition to telecoms, government agencies, commercial companies and criminal groups can gain access to the network. Most attacks can be defended with readily available technologies, but more involved attacks take longer to defend against. T-Mobile and AT&T have vulnerabilities with fixes that have yet to be implemented, for example.


  1. Slow news? by Errol+backfiring · · Score: 1

    Didn't I read the same story a week ago on slashdot?

    --
    Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
    1. Re:Slow news? by Voyager529 · · Score: 1

      You heard about it on 60 Minutes last week: http://www.cbsnews.com/news/60....

    2. Re:Slow news? by Striek · · Score: 1

      Not exactly. This is Wired covering the story - the same story that The Guardian covered two weeks ago showed up here on the 18th of this month.

      It's the same story essentially. If you follow the research back far enough you'll find the same sources. But Wired does, IMHO, a far better job of covering it.

      (Too bad they jumped on the anti-adblock bandwagon. Their reporting has always been top notch.)

      --
      "Government is like fire; a handy servant, but a dangerous master." -- George Washington
    3. Re:Slow news? by Z00L00K · · Score: 1

      I'm surprised it hasn't been used to bring down telecom operators totally yet.

      But maybe there's more profit in spoofing phone calls to install malware at stupid people.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    4. Re:Slow news? by wyHunter · · Score: 1

      It has been discussed literally for decades, too. There was talk at Bell Labs about this in the 1980s.

    5. Re:Slow news? by Minupla · · Score: 3, Interesting

      Same reason that BGP isn't toast. Those who have the knowledge of how weak the locks are have no reason to leave the doors open behind them. It's really more surprising to anyone who's spent any time in the plumbing of the internet that it still functions, given the weaknesses in some of the protocols (check YouTube for the looking glass site vulnerability talk from Defcon a couple of years ago for an example of how bad it is), than that it has holes.

      The telephone system is the same way: the people with the skills to exploit SS7 are the people who are invested in keeping the holes there. It's more useful to be able to track an arbitrary cell phone than it is to be able to bring down the international phone system and force the telcos to fix it.

      Min

      --
      On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
  2. It's not a bug, it's a feature by Anonymous Coward · · Score: 1

    With all of the attempts to hobble encryption and force companies to cooperate with authorities against consumers, people are assuming this is anything but intentional? The only "bug" in this system from the government's perspective is that people besides them can now exploit it. The cell network from its inception could have probably been designed with much more security, privacy and redundancy without too much additional effort. But all of that would have made warrantless use of stingrays, call records subpoenas and other intrusions into people's lives more difficult.

  3. Why the euphemism by Wootery · · Score: 2, Insightful

    vulnerabilities with fixes that have yet to be implemented

    Unfixed vulnerabilities, then.

    1. Re:Why the euphemism by Wootery · · Score: 1

      I guess that makes sense, if you interpret 'fixed' to refer to deployment, not to implementation.

  4. This is not the Hole you are looking for by TheRealHocusLocus · · Score: 2, Informative

    Geez... IF ONLY the ability to hack into the signalling network and make some free calls was the worst of our problems. What a wonderful world that would be.

    How about... the fact that you are probably within a thousand feet of a cell tower that is too bloody stupid to connect your cell phone with your neighbor's cell phone? How we made a transition over the last couple of decades from a Bell Standard Practice of completely autonomous wired phone systems in hardened buildings, each with the capability to provide complete functionality and call completion to its area served so long as you keep a single generator running... and if your neighboring cities or counties keep the generators in their buildings running, you can call them too...

    To a cell phone patchwork abortion of distributed virtual networks. Now, depending on the size of your state, instead of dozens there are hundreds, even thousands of emergency generators that must keep running if grid power fails, some on towers that are necessary to connect the edge networks with a fragile few, centralized CO/HLR platforms to handle roaming and billing, which may be hundreds of miles and several hops away. As one AC in the linked thread says, "A large wireless carrier for example has three switches for the entire state. What that means is if that central switch goes down, you cannot call people local to your area/CO."

    So to describe it in layman's terms, if you wanted to complete a call on a Bell network the answer was FUCK YEAH, so long as it didn't have too many different digits. For cell phones the answer is FUCK NO BY DEFAULT unless a deliciously complicated procedure involving connectivity and negotiation to distant computers completes quickly and successfully. This system was built out by telecommunications engineers making a series of decisions. Each decision made the system more fragile, and they kept making them for years. It was always someone else's job to look at the whole and say, "Well sheeit. This is a whole lot stupider than the system it is replacing, if something bad happens." And that someone else never showed up for work. These engineers were all grown-ups, but their collective decision was infantile.

    So enjoy your 2G and your 3G and your 4G while it lasts. Dance on Ma Bell's grave and laugh at those gutted terminal boxes in your neighborhood with their covers off, raindrops dripping off the rainbow of copper wires going nowhere. But unlike the 'dark ages' of the 1970s, should something go wrong and the power goes out and it becomes critical for communities to communicate with one another, it's all the way back to Pony Express, baby. Better gas up yer horse.

    --
    <blink>down the rabbit hole</blink>
    1. Re:This is not the Hole you are looking for by rickb928 · · Score: 1

      0 - None of this has to do with the 'old days', when roaming cost real $, and carriers were competitive with each other at the local market level?

      1 - Nor does it have to do with the old 'wireline' v 'non-wireline' distinctions?

      2 - When wireline ruled, all you really needed in the CO were those old batteries, charged and ready, to survive maybe 48 hours without utility power. Fire off the generators 4 hours in if it seemed desperate. Of course, you should then start calling around to get spare battery packs and chargers for all the SLICs that would die, and diesel to supply your generators. Maine, 1998.

      3 - Without reading the usual, it seems secure gateways could be fashioned out of leftover PCs and a reasonably well secured Linux firewall, maybe even one of several purpose-built boxen or maybe something from Cisco? Is this so hard? Really? I know, TLS is probably secretly broken, and MITM attacks can be made, but is this so hard to fix? Oh yeah, put a honking UPS on that gateway.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    2. Re:This is not the Hole you are looking for by fortfive · · Score: 1

      We're all dooooooomed!

    3. Re:This is not the Hole you are looking for by LDAPMAN · · Score: 1

      This really is a serious issue. Even if the system is not damaged during an emergency, it can be overwhelmed and we lose the ability to communicate. We definitely need to push for reliability standards as the cell system is no longer an auxiliary channel but is the main voice communications system.

    4. Re:This is not the Hole you are looking for by TheRealHocusLocus · · Score: 1

      And I just love drive by meta-mods tagging P and GGP as 'overrated'. Little techno-babies needing to put their fingers in their ears to shut out bad men who talk about the grid going down for any reason, and how it might affect them.

      Don't get me wrong, I am blown away by the technology and consider it a Good Thing. But it was incredibly dumb to completely disregard area-autonomous operation. It was dereliction of duty for the feds not to step in early and mandate it. It's not a wireless thing either. You now have cable IP phones that cannot ring your neighbor's cable IP phone unless a PPPoE/DHCP negotiation to a server six hops and who knows how many states away, fails. That is a FAIL in my book.

      Cell/VoIP have become just like those plastic Fisher-Price phones where the buttons are printed on a sticker. You can have lots of fun with them as a kid, but iff'n when the power goes out you will grow up fast and realize they never were 'real' phones.

      --
      <blink>down the rabbit hole</blink>
  5. Pssh by Anonymous Coward · · Score: 4, Insightful

    It's not complicated. Previously control signals had been sent in-band with the data. This allowed malicious users to hijack the phone system. It used to be as simple as playing a 2600Hz tone... you could make untraceable calls, eavesdrop on others' calls, etc. etc. etc.

    So along comes SS7. It makes one change: Signalling is now done out of band on a separate channel from the data. This prevents malicious users from sending control signals over the line without access to SS7 facilities. However, it does not prevent those with administrative access to an SS7 facility from doing malicious things. In fact, this is exactly why the NSA sets up people at your local telecom... because by having administrative access they can view all traffic.

    You can encrypt your communications to stop typical malicious users (it won't be effective against determined state actors). But how do you prevent an SS7 administrator from seeing where you are calling from, where you are calling to, when you switch towers, the duration of the call, etc. etc. when the SS7 system needs that information to connect your call and provide billing? What fix would resolve this?

    How is hijacking an SS7 switch any different than hijacking an internet backbone router?
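The in-band versus out-of-band distinction in the comment above, modelled as an added Python example (not from the article or any commenter): a frame-wise Goertzel detector stands in for a legacy switch that listens for a 2600 Hz supervisory tone on the voice path, while the out-of-band model reads control only from a separate signaling channel, so the voice payload can no longer carry commands and the trust question moves to who may write to the signaling channel. The 8 kHz rate, frame size, threshold and sample signals are constructed assumptions.

```python
import math

SAMPLE_RATE = 8000          # Hz, classic telephony rate (assumption)
SUPERVISORY_TONE = 2600.0   # Hz, the tone the comment refers to
FRAME = 800                 # 100 ms frames; 2600 Hz lands on an exact bin
THRESHOLD = 0.25            # fraction of frame energy at the tone (assumption)

def tone_ratio(frame, freq=SUPERVISORY_TONE, rate=SAMPLE_RATE):
    """Fraction of a frame's energy sitting at `freq` (Goertzel algorithm).
    A pure tone at `freq` gives ~0.5; unrelated content gives ~0."""
    k = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + k * s1 - s2
        s2, s1 = s1, s0
    mag_sq = s1 * s1 + s2 * s2 - k * s1 * s2   # |X(k)|^2 at the tone bin
    energy = sum(x * x for x in frame)
    return mag_sq / (len(frame) * energy) if energy else 0.0

def sine(freq, n, rate=SAMPLE_RATE):
    return [math.sin(2.0 * math.pi * freq * i / rate) for i in range(n)]

def inband_switch(voice_path):
    """Legacy model: control is inferred from the voice path itself.
    Anyone who can put the tone on the line can issue a command."""
    for start in range(0, len(voice_path), FRAME):
        if tone_ratio(voice_path[start:start + FRAME]) > THRESHOLD:
            return "release_trunk"
    return "connected"

def outofband_switch(voice_path, signaling_channel):
    """SS7-style model: the voice path is never parsed for commands.
    Control comes only from the separate signaling channel, so the
    question becomes who is allowed to write to that channel."""
    for msg in signaling_channel:
        if msg.get("command") == "release_trunk":
            return "release_trunk"
    return "connected"

# Constructed sample signals: two harmless tones stand in for speech, and
# the "hijack" payload splices a 100 ms 2600 Hz burst into the middle.
SPEECH = [a + b for a, b in zip(sine(440, 2 * FRAME), sine(1000, 2 * FRAME))]
HIJACK_AUDIO = SPEECH + sine(SUPERVISORY_TONE, FRAME) + SPEECH

if __name__ == "__main__":
    print("in-band, speech only:   ", inband_switch(SPEECH))
    print("in-band, tone in audio: ", inband_switch(HIJACK_AUDIO))
    print("out-of-band, same audio:", outofband_switch(HIJACK_AUDIO, []))
    print("out-of-band, admin msg: ", outofband_switch(SPEECH, [{"command": "release_trunk"}]))
```

The last call shows the residual risk the comment describes: separating the channels stops the voice path from carrying commands, but whoever holds write access to the signaling channel still controls the switch.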

    1. Re:Pssh by phantomfive · · Score: 1
      --
      "First they came for the slanderers and i said nothing."
  6. Just to have a car analogy... by Opportunist · · Score: 2

    It's the same problem car makers face now with WiFi hackable cars. You can almost see someone stand there at Bosch when they designed the CAN bus...

    "Security? Are you high? Let's assume some mundane schmuck even HAS the technology at his hands, if he can get to the bus and attach himself to it and know the protocol and all that shit, he's already in the car. Why the fuck add security?"

    And I can almost see the same at AT&T a few years earlier. Just replace car with ... whatever the boxes are called that switch phone stuff.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  7. Trust was not a problem when Ma Bell owned it all by DutchUncle · · Score: 1

    SS7 was an improvement because it was out-of-band. All SS7 interaction came from The Phone Company, because there was only one in each country. There was not Another System (see "Colossus"); there were no other companies sending SS7 messages over insecure links, because there weren't any of either.