Vulnerabilities in Signaling System 7 (SS7), a set of telephony signaling protocols used by carriers worldwide, allow third parties to listen to people’s cellphone calls and intercept text messages despite encryption, The Washington Post reported last week.
German cybersecurity researchers Tobias Engel of Sternraute and Karsten Nohl of Security Research Labs separately discovered these vulnerabilities following an August Washington Post report on tracking users’ locations via their cellphones.
At the paper’s request, Engel succeeded in tracking a Post employee’s whereabouts to within a city block with only her phone number to go on, according to the article. The employee had consented to the experiment.
Engel and Nohl will present their findings at the 25th Chaos Communication Congress hacker conference in Hamburg, tentatively scheduled for Dec. 27-30.
The problem is not so much that there are flaws in SS7 as that the protocol was defined as a standard by the International Telecommunication Union in 1980.
“SS7 was created before there was an Internet and was never designed to be secure in today’s world,” said Rob Enderle, principal analyst at the Enderle Group.
“Its security was based on the fact that no one other than carriers and some governments could access it,” he told TechNewsWorld. “It’s a technology well past its prime — but to its credit, it still works amazingly well.”
The SS7 Holes
Surveillance systems that use SS7 to locate callers anywhere in the world abound, and one of those is Verint’s Skylock Systems, according to the Post’s August report.
Skylock can track GSM and UMTS phones’ locations worldwide with a predicted hit rate of at least 70 percent, according to Verint.
The system uses the international SS7 network and can track any mobile phone, even if it isn’t GPS-enabled. It uses intelligent routing that masks queries, making it “virtually impossible to monitor or trace” the SS7 commands sent.
Getting Around SS7
Engel and Nohl found two ways to eavesdrop on calls using SS7 technology, the Post said.
In one, commands sent over SS7 are used to hijack a cellphone’s forwarding function to redirect a call to a hacker, then forward it to the intended recipient. The second technique uses radio antennae to collect all calls and texts made in a particular area. Hackers can make an SS7 request to carriers for a temporary decryption key to unlock encrypted communications.
Cellphones can be tracked through their GPS processors, but “GPS is not required” on phones tracked through SS7, Cathal McDaid, head of data intelligence and analytics at AdaptiveMobile, told TechNewsWorld.
Security and the Mobile Device
“With apps that can tap into GPS, cellular and WiFi, all it takes is a simple app that can track you anywhere,” said Jim McGregor, principal analyst at Tirias Research.
For example, RemoteCellSpy.com offers a tracking system that lets users monitor all calls, texts and GPS locations on a target’s cellphone for a one-time payment of US$27.
The app is installed on the user’s phone. Calling the target’s cellphone automatically accesses the app on that device even if it is password protected.
“The cellular industry didn’t start out with security built in to begin with, and it moves so quickly that it’s difficult to keep up,” McGregor told TechNewsWorld. “It has exploded — and so have the threats and the danger of intrusion.”
The Need for a New Protocol
“Until the protocol is upgraded, there isn’t a solution to this problem,” Jean Taggart, a security researcher at Malwarebytes, told TechNewsWorld.
Over time, the SS7 protocol will be replaced, McDaid said, but “it’s still going to be controlling the vast amount of mobile networks for the next few years, due to the sheer difficulty and cost to replace.”
The Diameter protocol is already the successor to SS7, Strategy Analytics’ Sue Rudd told TechNewsWorld.
However, both McGregor and Enderle expect that carriers will move to VoIP.