The Critical Hole at the Heart of Our Cell Phone Networks
In February 2014, the US ambassador to Ukraine suffered an embarrassing leak. A secret conversation between him and US Assistant Secretary of State Victoria Nuland got posted to YouTube, in which Nuland spoke disparagingly about the European Union.
The conversation occurred over unencrypted phones, and US officials told reporters they suspected the call was intercepted in Ukraine, but didn’t say how. Some people believe it occurred using vulnerabilities in a mobile data network known as SS7, which is part of the backbone infrastructure of telecoms around the world to communicate between themselves about how to route calls and text messages.
A little-noticed report released by the Ukrainian government a few months after the leak gives credence to this theory. Although the report didn’t mention the ambassador, it revealed that for three days in April that year, location data for about a dozen unidentified mobile phone customers in Ukraine got mysteriously sent to a Russian telecom using SS7 vulnerabilities. Text messages and phone calls of some of those customers also got diverted to Russia, where someone could have eavesdropped on the conversations and recorded them.
The industry has known for years that SS7 is vulnerable to spying, but did little about it because many assumed the risks were theoretical. This changed in the wake of the Ukrainian incidents, says Cathal McDaid, head of the threat intelligence unit for AdaptiveMobile, a mobile telecom security firm. His company and others devised ways to detect SS7 attacks, and since then they have discovered suspicious activity in the networks of multiple telecom customers, suggesting that SS7 attacks are very much real—and ongoing. AdaptiveMobile released a little-noticed report in February highlighting some of those attacks.
SS7 is just now getting more public attention because of a 60 Minutes piece last week, which showed researchers using SS7 to spy on US Congressman Ted Lieu. Lieu has called for a congressional hearing to look into SS7 vulnerabilities, and the Federal Communications Commission has plans to examine it, too.
So what is SS7 and why is it so vulnerable?
Graph showing how one system in Western Europe used SS7 to track a single subscriber over two days by sending location requests to the subscriber’s carrier. A day later, a cascade of tracking requests for the same subscriber came in over SS7 from multiple systems in different countries.
SS7, a Primer
SS7, also known as Signaling System No. 7, refers to a data network—and the series of technical protocols or rules that govern how data gets exchanged over it. It was designed in the 1970s to track and connect landline calls across different carrier networks, but is now commonly used to calculate cellular billing, send text messages, and route calls between carriers and regional switching centers. SS7 is part of the telecommunications backbone but is not the network your voice calls go through; it’s a separate administrative network with a different function. Think of it like a passenger train system—SS7 is the maintenance tunnels workers use rather than the main tunnels through which passenger trains travel.
SS7 is often used now to set up roaming so that when you travel, say, from New York to Mumbai, you can make and receive calls and texts outside your carrier’s range. An outside carrier will send a request to your carrier via SS7 to obtain your phone’s unique ID to track your device, and also request that your communications be redirected to its network so that it can deliver calls and text messages to you. It’s a way of making sure calls and messages are delivered between networks.
The problem is that SS7 is based on trust. Any request a telecom receives is considered legitimate. Therefore anyone with access to a server or gateway on the SS7 network can send a location or redirect request to your telecom for purposes of roaming, and the telecom will likely comply, even if the roaming request comes from St. Petersburg or Mumbai and you and your phone are in New York. This makes it possible for a remote attacker to spy on lawmakers, corporate executives, military personnel, activists and others. It should be noted that in grabbing texts, and attacker will also be able to grab your two-factor authentication log-in codes that Gmail and other services send via text to access your accounts. An attacker who already knows the username and password for an account can intercept these codes before you receive them in order to log in to your accounts.
Who has access to SS7? Hundreds of telecoms around the world use it. Government intelligence agencies can also gain access to the network, either with the permission of telecoms or not. Commercial companies also sell SS7 phone tracking services to governments and other customers. Criminal groups able to purchase access from corrupt telecom workers can also use SS7, as can hackers who hijack unsecured SS7 equipment.
It wasn’t until December 2014 that telecoms began to implement ways to thwart SS7 attacks. That’s when Karsten Nohl of the Berlin-based Security Research Labs and an independent researcher named Tobias Engel gave presentations about SS7 at the Chaos Communication Congress in Germany, months after the Ukrainian incidents were discovered. Engel had demonstrated an SS7 method for tracking phones in 2008, but that method wasn’t as refined as the ones he and Nohl described in 2014. The latter prompted regulators in Northern Europe to demand that carriers there implement measures to mitigate SS7 attacks by the end of 2015.
“[T]he bulk of SS7 attacks can be prevented with technologies that are readily available,” Nohl told WIRED. “There’s a few cases that require more involved defenses that one could argue could take two years to implement… but at least the basic defenses [are] in most networks in Northern Europe and in many other networks around the world.”
Those fixes have apparently not been implemented by two vulnerable carriers in the US: T-Mobile and AT&T. Nohl and a colleague showed on 60 Minutes that both were still open to SS7 attacks. Verizon and Sprint use different protocols to exchange most of their data, so in theory are less vulnerable. But McDaid notes that all mobile networks will eventually migrate to a different signaling system called Diameter. That system “uses a lot of the same concepts and design as the previous SS7 network,” he notes, including the assumptions of trust that plague SS7.
How Exactly Can SS7 Be Hacked to Track You?
To track you, an attacker could send what’s called an Anytime Interrogation request to your carrier to get the unique ID of your phone and identify which mobile switching center (MSC) your phone uses—usually one MSC covers an entire city. Carriers use this information to determine your location to route your calls and messages through the cell tower closest to you. By sending repeated Anytime Interrogation requests to get this and your GPS coordinates, an attacker can track your phone, and you, to the street block where you are standing, using Google maps.
Carriers could thwart this by blocking Anytime Interrogation requests coming from outside their boundaries, Nohl says. But there are other ways to get location information using different queries via SS7, and these are not as easily blocked, he says.
This isn’t hypothetical. We know this kind of tracking exists in the wild. AdaptiveMobile’s report describes one SS7 tracking operation in which the attacker sent requests for location information from a number of systems. Requests to track the same phone customers came from SS7 systems around the world instead of from a single system—presumably to avoid suspicion, since many requests from one system would be more noticeable. These systems sent several hundred queries a day to track some phone customers, but only queried once or twice a day for others the attackers were trying to track.
“Obviously the more you use [a system to send requests], the more possibility that you give [yourself] away. But these are low-volume, high-value type of targets,” McDaid says. “As long as you keep these in low-volume, chances are these aren’t actually going to be noticed.”
Another operation in a European country that McDaid won’t identify tracked phones in the Middle East and Europe from systems installed at each of the European country’s four telecoms, suggesting the telecoms were complicit in the tracking. “That’s our assumption … if it is an espionage system or state system, they actually may not have much choice in the matter.”
Nohl describes three techniques for intercepting calls and texts using SS7. One he demonstrated last year for 60 Minutes Australia when he sent a request from Germany to a carrier in Australia requesting a politician’s voicemail settings be reconfigured to forward calls to Nohl. Networks could easily prevent this by only complying if the customer’s phone is in the region where the request originates, but few do this check, Nohl says.
Another method abuses a feature for rewriting numbers you call. If you’re out of the country, for example, and dial a number from your contacts list, the rewrite function will recognize that it’s an international call and automatically add the country code.
“[A]dding in the country code for instance is done by taking the phone number that is the ‘wrong’ number and sending back the ‘right’ number [with the added country code],” Nohl says. Convenient, right? But an attacker can tell the system to replace any number with his own. When calls arrive, he forwards them to the correct number, setting himself up a in the middle of the conversation to listen and record.
A third way takes advantage of the fact that mobile phones are usually in sleep mode until they receive a call or text and won’t contact a network until then. During this time, an attacker can tell your carrier that you’re in Germany and any communication intended for you should be redirected there. Eventually, your phone in the US will wake up and tell your carrier where it is. But the attacker can send another message contradicting this.
“As long as we do this every five minutes, there is only a very, very short time you will exclusively receive your calls or texts, and then all other times we will receive them,” Nohl says. You would later notice the roaming charges on your bill, but by then the damage to your privacy would be done.
“It’s not the most elegant [interception method] because … you will have to pay for these roaming calls. But this one works really well,” he says.
What Can Be Done?
That kind of attack should be easy to thwart with an algorithm that knows it’s illogical for a subscriber to move back and forth between the US and Germany every five minutes. “But, again, nobody has implemented these smart checks,” Nohl says.
There’s not much you can personally do. You could try to protect your communications by using an encrypted service like Signal, WhatsApp or Skype, but McDaid says an attacker could send a request to your carrier to disable data use for your phone, preventing you from using these services.
“[S]o all you’re left with then is text messages and phone calls if you’re in an area with no Wi-Fi,” he says, leaving you vulnerable to an SS7 interception attack.
McDaid says that telecoms are working to thwart SS7 attacks, but most have addressed only the easiest methods so far.
“Now they’re in the stage of having to implement much more sophisticated types of firewalls and [algorithms] to try to detect and block the more sophisticated stuff,” he says. “They’re harder for an attacker to do, but also harder for defense to stop…. Believe me, it is being worked on.”
Read the article: