Security vulnerabilities in the SS7 phone-call routing protocol that allow mobile call and text message tracking will be revealed this weekend.
Details of SS7 vulnerabilities are due to be revealed to the public for the first time at the Chaos Communication Congress hacker conference in Hamburg on 27 December. The talk, entitled SS7: Locate. Track. Manipulate, by Tobias Engel, promises to be absolutely fascinating.
Engel has given a preview interview to the Washington Post outlining what he is due to discuss.
“The flaws discovered by the German researchers are actually functions built into SS7 for other purposes – such as keeping calls connected as users speed down highways, switching from cell tower to cell tower – that hackers can repurpose for surveillance because of the lax security on the network,” the Washington Post explains. “Those skilled at the myriad functions built into SS7 can locate callers anywhere in the world, listen to calls as they happen or record hundreds of encrypted calls and texts at a time for later decryption. There also is potential to defraud users and cellular carriers by using SS7 functions.”
Engel, founder of Sternraute, and Karsten Nohl, chief scientist for Security Research Labs who was one of a team that cracked GSM’s A5/1 encryption in 2009, separately discovered vulnerabilities in the SS7 telecom signalling protocol before deciding to present their research findings together. The German researchers discovered it was possible to wiretap mobile calls using SS7 trickery.
Commands sent over SS7 could be used to hijack a mobile phone’s “forwarding” function – a service offered by many carriers. This would allow calls to be routed through a second monitored number before being forwarded to the subscriber, leaving them none the wiser that anything amiss was taking place.
The second technique involves re-merging mobile phone traffic before using the SS7 channel to request that the caller’s carrier release a temporary encryption key needed to decrypt the recorded communication. Such requests can be blocked but this rarely happens in practice, according to testing by Engel and Nohl on 20 carriers. The hack would circumvent any network encryption.
Engel explained to us: “The difference with authentication between GSM and UMTS [3G] is that in GSM, the handset has to authenticate itself, but anyone can play network if he has the right equipment (i.e. IMSI catcher). In UMTS, the network also has to authenticate itself. That is why there are no UMTS IMSI catchers, only devices that do a UMTS-to-GSM force-down for the handset and then capture the handset in GSM.”
Engel also told us that while the A5/3 encryption used in 3G (and some GSM) has not been cracked, the key can nevertheless leak through signalling data that is normally exchanged between switching centres that want to hand over a call when the subscriber travels into a new service area.
End-to-end encryption methods are immune to the attack. Nohl was able to collect and decrypt a text message sent using the phone of a German senator, who cooperated in the experiment.
Eh? What's all that in layman's terms?
When you make a call from a mobile, there is a considerable amount of information sent between the handset and the network. This contains details of who you are, who you are calling, where you are, signal strength and so on. The network will check that you have credit and that you are not barred from calling the number you have dialled.
This all happens over a separate channel to the one used for voice. As you move from cell tower to cell tower, the signalling channel is used to hand you over, and if you end a call it closes the voice channel neatly: there is a difference between the signal disappearing and hanging up, so that the network can try to reestablish the link if it fades.
The signalling channel, or SS7, is also used for sending short packets of data. Handsets can be told if you are in a particular cell – cheaper calls from home were fashionable for a while – and it’s the mechanism by which text messages are sent and received.
Since mobile phones went digital more than a decade ago, calls have been encrypted. When the GSM standard was drafted in 1987 it was believed that the security would have a life of about 20 years.
The network requires a secure key to talk to the handset. The interception which has been achieved comes from a man-in-the-middle attack where the handset is forced to talk to the person doing the intercept and then onto the network, thanks to a brute force crack of the key.
SS7 security - a brief rundown
SS7 is a call signalling protocol first designed in the 1980s. Anecdotal evidence suggests that signals intelligence agencies are already actively at work exploiting the security shortcomings of the protocol.
Ukrainian mobile subscribers were targeted by suspicious/custom SS7 packets from telecom networks with Russian addresses, causing their location and potentially the contents of their phone calls to be obtained.
Security firm AdaptiveMobile has put together an analysis of this new form of SS7-based attack, which refers to an under-publicised report by the Ukrainian Telecom Regulator, aided by the Ukrainian Security Service (SBU), into suspected telecom network hacking against MTS Ukraine back in April, at the height of a conflict between Russia and Ukraine over the fate of the Crimea.
The 'attacks' outlined in the document involved SS7 packets being sent between the mobile operators… Without going into specific details, what occurred is a series of SS7 packets were received by MTS Ukraine's SS7 network which modified control information stored in network switches for a number of MTS Ukraine mobile users.
In doing so, when someone tried to ring one of the affected mobile subscribers, their call would be forwarded to a physical land line number in St. Petersburg, Russia, without their knowledge - in effect the call has been intercepted.
The investigation stated that the custom SS7 packets themselves came from links allocated to MTS Russia, the parent company of MTS Ukraine. The Ukrainian regulator then assigned responsibility for the nodes that generated the SS7 based on the origination addresses in the SS7 packets received.
According to the report, some of the SS7 source addresses that originated the attack were assigned to MTS Russia, while others were assigned to Rostov Cellular Communications.
The report concludes that over a three day period in April 2014, a number of Ukrainian mobile subscribers were affected by suspicious SS7 packets from telecom network elements with Russian addresses, causing their location and potentially the contents of their phone calls to be intercepted.
MTS Russia denied that the SS7 address used was under its control, leaving the ultimate instigator behind the attacks as something of a mystery. Units of the Russian Federal Security Service (FSB) or Foreign Intelligence Service (SVR) are obvious prime suspects for this sort of malfeasance.
It was reported that MTS Ukraine was not alone in being at risk, as the Ukrainian Telecom Regulator stated at a later date that Astelit and Kyivstar – the other main Ukrainian mobile operators – also experienced “external interference”.
AdaptiveMobile warns that countries affected by this type of attack will be inclined to build their own capability, a situation that could lead to an “SS7 arms-race”.
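The article notes that key-release requests "can be blocked" and that the Ukrainian regulator attributed the forwarding changes by origination address. The sketch below is an added example, not code from the researchers or any operator: it screens already-decoded signalling events by checking whether the originating network is plausibly serving the subscriber. The network prefixes, subscriber numbers, category labels and events are all constructed for illustration.

```python
from collections import Counter

PREFIX_LEN = 5                      # constructed: leading digits that identify a network
HOME_NETWORK = "99910"              # constructed home-network prefix
# Hypothetical category labels for decoded messages (not protocol operation names).
SENSITIVE = {"set_call_forwarding", "request_session_key", "locate_subscriber"}

# Constructed: network each home subscriber is currently registered in (home or roaming).
SERVING_NETWORK = {
    "9991055501": "99910",
    "9991055502": "99930",          # roaming in partner network 99930
    "9991055503": "99910",
}

# Constructed events: (sequence, origin address, category, subscriber)
EVENTS = [
    (1, "9991000001", "set_call_forwarding", "9991055501"),
    (2, "9992000042", "set_call_forwarding", "9991055501"),
    (3, "9993000007", "request_session_key", "9991055502"),
    (4, "9992000042", "request_session_key", "9991055503"),
    (5, "9992000043", "locate_subscriber", "9991055502"),
    (6, "9992000042", "deliver_text", "9991055501"),
]


def screen(event):
    """Return (verdict, reason) for one decoded signalling event."""
    _seq, origin, category, subscriber = event
    origin_net = origin[:PREFIX_LEN]
    if category not in SENSITIVE:
        return "allow", "category not screened"
    if origin_net == HOME_NETWORK:
        return "allow", "home network origin"
    if SERVING_NETWORK.get(subscriber) == origin_net:
        return "allow", "origin is the subscriber's serving network"
    return "block", f"{category} for {subscriber} from unrelated network {origin_net}"


def blocked_by_origin(events):
    """Count blocked events per originating network prefix."""
    counts = Counter(e[1][:PREFIX_LEN] for e in events if screen(e)[0] == "block")
    return dict(counts)


if __name__ == "__main__":
    for ev in EVENTS:
        print(ev[0], *screen(ev))
    print(blocked_by_origin(EVENTS))
```

Grouping by origin prefix shows which address allocation the traffic claims to come from; as MTS Russia's denial in the article illustrates, that is not proof of who actually sent it.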