Exposing Fragility in Mobile Phone SS7
A staple of movies such as 1983’s Wargames or 1995’s Hackers, are devices and methods used to take advantage of the public phone network. Blue Boxes once permitted long distance calls without charges and War Dialers would patiently work through every number in an exchange, looking for modems attached to vulnerable systems.
Many things have changed dramatically since the WOPR famously asked David Lightman “Shall we play a game?” One thing that has not changed is Signaling System 7 (SS7), the protocol used by phone company switches to control traffic.
A recent article in the Washington Post somewhat breathlessly describes some SS7 vulnerabilities identified by German researchers. Those who work in the mysterious netherworld of telco central offices have long understood these hazards.
Down the Central Office Rabbit Hole
What happens when you pick up your grandmother’s telephone, that old fashioned beast with a base that weighs four pounds, plugs into a jack in the wall, and still rings even if the power is out? Somewhere within about 20,000 feet of grandma’s house, there is a phone company facility where the analog information that is your voice gets converted into a 64 kilobit digitized signal.
The system that digitizes your voice has a digital trunk to a central office that houses a Class Five Switch. That switch could be anything from a room sized Alcatel-Lucent 5ESS in an urban area to a rural town’s diminutive Metaswitch VPS2510, roughly the size of a large microwave oven.
No matter which brand of switch grandma’s carrier has, they all require a connection to the Signaling System 7 network if they’re going to route your call anywhere outside the local neighborhood. This switch to switch protocol was developed in order to provide a richer set of services to subscribers, but as a side effect calls were only controlled by touch tones on the loop from the phone to the first digital device. The rest of the control work is done with SS7 packets.
SS7 is a packetized network, but they are not the IP packets you know from the internet. This network is its own separate kingdom, where each telephone exchange has a Service Switching Point ID and they talk to Service Control Points via pairs of T1 or E1 leased lines. This network was secured largely by virtue of the cost of entry. Prices on switches capable of talking SS7 only got under the $100,000 mark in the last ten years, T1 loops in a carrier hotel might only cost $100/month, but a would-be intruder would have to both convince an SS7 provider of their need and PAY for access. This kept SS7 network experiments the domain of those who were employed in the field.
That all started to change with SIGTRAN, a newer standard which provides a means to transport SS7 packets inside IP packets. Control of the phone network moved into the same format as internet service. Cell phone base stations had to have internet connections to support phones with data plans; things got confused, things got sloppy, and that’s how trouble starts.
The SS7 Situation Today
When you dial a phone number your call setup includes the number you are calling in the form of the DNIS, or dialed number identification service, and the origin of the call is sent as the ANI, or automatic number identification. If you own a switch, or pay for a service like SpoofCard, you can put anything you want into the ANI, even the number of the person you are calling. This has many legitimate uses, for example, a national restaurant chain might have a single 800 number for customer service, and all stores would display that rather than their own local number. There are an equal number of unsavory applications.
The situation for mobile customers is far more complex, with a protocol that was meant for interfacing telco ‘big iron’ now exposed to the perils of the internet, and there are apparently a lot of gaps. The event where these hazards will be revealed, unnamed in the WaPo article, is the 31st Chaos Communications Congress, which is being held in Hamburg from December 27th through the 30th.
The talk, entitled SS7map : mapping vulnerability of the international mobile roaming infrastructure, will be given by Laurent Ghigonis and Alexandre DeOliveira. The introduction for the talk offers a recipe for absolute mayhem for those in a position to exploit mobile networks.
SS7 has been shown repeatedly as an insecure protocol: spoofing, faking, crash through fuzzing, fraud. The main question of our study is to determine how this insecurity is mitigated by network operator’s action to prevent compromise on both network exposure of infrastructure and privacy compromise of subscribers.
The goal of SS7map is to provide a global overview by building the first SS7 signaling network world map revealing how vulnerable and exposed telecom operators and their subscribers are. We explain how it is possible for each mapped network to abuse legitimate signaling messages and call flows to discover and fingerprint equipment, intercept SMS messages, and perform massive location tracking of subscribers.
More than pure analysis of vulnerability, this map rates and ranks the vulnerability of countries and operators showing discrepancies in the level and type of protection: SCCP screening, SS7 policing, MAP filtering, rate limiting, Network Element security configurations. We then conclude on the direction of signaling security and its current trend and development in the LTE world that shares many similar design insecurities with SS7.
This promises to be an interesting talk for those who are concerned about mobile security. You can follow the overall flow of events at the 31st Chaos Communication Congress via their official twitter account, @ccc.
Images from Shutterstock.