Slashdot Mirror


The Critical Hole At the Heart Of Our Cell Phone Networks (wired.com)

An anonymous reader writes: Kim Zetter from WIRED writes an intriguing report about a vulnerability at the heart of our cell phone networks. It centers around Signaling System No. 7 (SS7), which refers to a data network -- and the protocols or rules that govern how information gets exchanged over it. Zetter writes, "It was designed in the 1970s to track and connect landline calls across different carrier networks, but is now commonly used to calculate cellular billing and send text messages, in addition to routing mobile and landline calls between carriers and regional switching centers. SS7 is part of the telecommunications backbone but is not the network your voice calls go through; it's a separate administrative network with a different function." According to WIRED, the problem is that SS7 is based on trust -- any request a telecom receives is considered legitimate. In addition to telecoms, government agencies, commercial companies and criminal groups can gain access to the network. Most attacks can be defended with readily available technologies, but more involved attacks take longer to defend against. T-Mobile and AT&T have vulnerabilities with fixes that have yet to be implemented, for example.

5 of 32 comments

  1. Why the euphemism by Wootery · Score: 2, Insightful

    "vulnerabilities with fixes that have yet to be implemented"

    Unfixed vulnerabilities, then.

  2. This is not the Hole you are looking for by TheRealHocusLocus · Score: 2, Informative

    Geez... IF ONLY the ability to hack into the signalling network and make some free calls was the worst of our problems. What a wonderful world that would be.

    How about... the fact that you are probably within a thousand feet of a cell tower that is too bloody stupid to connect your cell phone with your neighbor's cell phone? How we made a transition over the last couple of decades from a Bell Standard Practice of completely autonomous wired phone systems in hardened buildings, each with the capability to provide complete functionality and call completion to its area served so long as you keep a single generator running... and if your neighboring cities or counties keep the generators in their buildings running, you can call them too...

    To a cell phone patchwork abortion of distributed virtual networks. Now, depending on the size of your state, instead of dozens there are hundreds, even thousands of emergency generators that must keep running if grid power fails, some on towers that are necessary to connect the edge networks with a fragile few, centralized CO/HLR platforms to handle roaming and billing, which may be hundreds of miles and several hops away. As one AC in the linked thread says, "A large wireless carrier for example has three switches for the entire state. What that means is if that central switch goes down, you cannot call people local to your area/CO."

    So to describe it in layman's terms, if you wanted to complete a call on a Bell network the answer was FUCK YEAH, so long as it didn't have too many different digits. For cell phones the answer is FUCK NO BY DEFAULT unless a deliciously complicated procedure involving connectivity and negotiation to distant computers completes quickly and successfully. This system was built out by telecommunications engineers making a series of decisions. Each decision made the system more fragile, and they kept making them for years. It was always someone else's job to look at the whole and say, "Well sheeit. This is a whole lot stupider than the system it is replacing, if something bad happens." And that someone else never showed up for work. These engineers were all grown-ups, but their collective decision was infantile.

    So enjoy your 2G and your 3G and your 4G while it lasts. Dance on Ma Bell's grave and laugh at those gutted terminal boxes in your neighborhood with their covers off, raindrops dripping off the rainbow of copper wires going nowhere. But unlike the 'dark ages' of the 1970s, should something go wrong and the power goes out and it becomes critical for communities to communicate with one another, it's all the way back to Pony Express, baby. Better gas up yer horse.

    --
    <blink>down the rabbit hole</blink>
  3. Pssh by Anonymous Coward · Score: 4, Insightful

    It's not complicated. Previously control signals had been sent in-band with the data. This allowed malicious users to hijack the phone system. It used to be as simple as playing a 2600Hz tone... you could make untraceable calls, eavesdrop on others' calls, etc. etc. etc.

    So along comes SS7. It makes one change: Signalling is now done out of band on a separate channel from the data. This prevents malicious users from sending control signals over the line without access to SS7 facilities. However, it does not prevent those with administrative access to an SS7 facility from doing malicious things. In fact, this is exactly why the NSA sets up people at your local telecom... because by having administrative access they can view all traffic.

    You can encrypt your communications to stop typical malicious users (it won't be effective against determined state actors). But how do you prevent an SS7 administrator from seeing where you are calling from, where you are calling to, when you switch towers, the duration of the call, etc. etc. when the SS7 system needs that information to connect your call and provide billing? What fix would resolve this?

    How is hijacking an SS7 switch any different than hijacking an internet backbone router?

  4. Just to have a car analogy... by Opportunist · Score: 2

    It's the same problem car makers face now with WiFi hackable cars. You can almost see someone stand there at Bosch when they designed the CAN bus...

    "Security? Are you high? Let's assume some mundane schmuck even HAS the technology at his hands, if he can get to the bus and attach himself to it and know the protocol and all that shit, he's already in the car. Why the fuck add security?"

    And I can almost see the same at AT&T a few years earlier. Just replace car with ... whatever the boxes are called that switch phone stuff.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  5. Re:Slow news? by Minupla · Score: 3, Interesting

    Same reason that BGP isn't toast. Those who have the knowledge of how weak the locks are have no reason to leave the doors open behind them. It's really more surprising to anyone who's spent any time in the plumbing of the internet that it still functions, given the weaknesses in some of the protocols (check YouTube for the looking glass site vulnerability talk from Defcon a couple of years ago for an example of how bad it is) than that it has holes.

    Telephone system is the same way, the people with the skills to exploit SS7 are the people who are invested in keeping the holes there. It's more useful to be able to track an arbitrary cell phone than it is to be able to bring down the international phone system and force the telcos to fix it.

    Min

    --
    On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before