Devices and methods used to take advantage of the public phone network are a staple of movies such as 1983’s WarGames or 1995’s Hackers. Blue Boxes once permitted long distance calls without charges, and War Dialers would patiently work through every number in an exchange, looking for modems attached to vulnerable systems.
Many things have changed dramatically since the WOPR famously asked David Lightman “Shall we play a game?” One thing that has not changed is Signaling System 7 (SS7), the protocol used by phone company switches to control traffic.
A recent article in the Washington Post somewhat breathlessly describes some SS7 vulnerabilities identified by German researchers. Those who work in the mysterious netherworld of telco central offices have long understood these hazards.
Down the Central Office Rabbit Hole
What happens when you pick up your grandmother’s telephone, that old-fashioned beast with a base that weighs four pounds, plugs into a jack in the wall, and still rings even if the power is out? Somewhere within about 20,000 feet of grandma’s house, there is a phone company facility where the analog information that is your voice gets converted into a 64 kilobit digitized signal.
The system that digitizes your voice has a digital trunk to a central office that houses a Class Five Switch. That switch could be anything from a room-sized Alcatel-Lucent 5ESS in an urban area to a rural town’s diminutive Metaswitch VPS2510, roughly the size of a large microwave oven.
No matter which brand of switch grandma’s carrier has, they all require a connection to the Signaling System 7 network if they’re going to route your call anywhere outside the local neighborhood. This switch-to-switch protocol was developed in order to provide a richer set of services to subscribers, but as a side effect, calls were only controlled by touch tones on the loop from the phone to the first digital device. The rest of the control work is done with SS7 packets.
SS7 is a packetized network, but its packets are not the IP packets you know from the internet. This network is its own separate kingdom, where each telephone exchange has a Service Switching Point ID and they talk to Service Control Points via pairs of T1 or E1 leased lines. This network was secured largely by virtue of the cost of entry. Prices on switches capable of talking SS7 only got under the $100,000 mark in the last ten years. T1 loops in a carrier hotel might only cost $100/month, but a would-be intruder would have to both convince an SS7 provider of their need and PAY for access. This kept SS7 network experiments the domain of those who were employed in the field.
That all started to change with SIGTRAN, a newer standard which provides a means to transport SS7 packets inside IP packets. Control of the phone network moved into the same format as internet service. Cell phone base stations had to have internet connections to support phones with data plans; things got confused, things got sloppy, and that’s how trouble starts.
The SS7 Situation Today
When you dial a phone number your call setup includes the number you are calling in the form of the DNIS, or dialed number identification service, and the origin of the call is sent as the ANI, or automatic number identification. If you own a switch, or pay for a service like SpoofCard, you can put anything you want into the ANI, even the number of the person you are calling. This has many legitimate uses, for example, a national restaurant chain might have a single 800 number for customer service, and all stores would display that rather than their own local number. There are an equal number of unsavory applications.
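Because the ANI is whatever the originating side chooses to send, an operator can only judge it against other facts about the call. The following is an added example, not code from the article or from any switch vendor: it reviews call records for an ANI that matches the DNIS, and for an ANI in the operator's own number block arriving on an outside trunk. The record layout, trunk names and number prefix are all constructed assumptions.

```python
import csv
import io

# Constructed sample call records (not real traffic). Columns are assumptions:
# trunk = where the call entered the switch, ani = claimed caller, dnis = dialed number.
SAMPLE_CDRS = """trunk,ani,dnis
local-loop,+1 (402) 555-0101,402-555-0177
peer-carrier-a,14025550123,+1 402 555 0123
peer-carrier-a,8005550199,4025550144
peer-carrier-b,402-555-0150,4025550160
"""

# Hypothetical number block served by this switch (NPA-NXX prefix).
OWN_PREFIXES = ("402555",)
# Hypothetical names of trunks that carry traffic from outside the network.
EXTERNAL_TRUNKS = {"peer-carrier-a", "peer-carrier-b"}


def normalize(number):
    """Reduce a North American number to its 10 digits for comparison."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


def review_cdrs(text):
    """Return (row_number, reason) for records whose ANI deserves a second look."""
    findings = []
    for row_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=1):
        ani, dnis = normalize(row["ani"]), normalize(row["dnis"])
        if ani == dnis:
            # Caller claims to be the very number being called.
            findings.append((row_no, "ani-equals-dnis"))
        elif row["trunk"] in EXTERNAL_TRUNKS and ani.startswith(OWN_PREFIXES):
            # A number we serve would normally originate on our own loops.
            findings.append((row_no, "own-number-from-external-trunk"))
    return findings


if __name__ == "__main__":
    for row_no, reason in review_cdrs(SAMPLE_CDRS):
        print(f"record {row_no}: {reason}")
```

Call forwarding and the single-800-number arrangement described above can trip the second rule legitimately, so its findings are leads for review rather than grounds for blocking.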
The situation for mobile customers is far more complex, with a protocol that was meant for interfacing telco ‘big iron’ now exposed to the perils of the internet, and there are apparently a lot of gaps. The event where these hazards will be revealed, unnamed in the WaPo article, is the 31st Chaos Communication Congress, which is being held in Hamburg from December 27th through the 30th.
The talk, entitled SS7map: mapping vulnerability of the international mobile roaming infrastructure, will be given by Laurent Ghigonis and Alexandre DeOliveira. The introduction for the talk offers a recipe for absolute mayhem for those in a position to exploit mobile networks.
SS7 has been shown repeatedly as an insecure protocol: spoofing, faking, crash through fuzzing, fraud. The main question of our study is to determine how this insecurity is mitigated by network operator’s action to prevent compromise on both network exposure of infrastructure and privacy compromise of subscribers.
The goal of SS7map is to provide a global overview by building the first SS7 signaling network world map revealing how vulnerable and exposed telecom operators and their subscribers are. We explain how it is possible for each mapped network to abuse legitimate signaling messages and call flows to discover and fingerprint equipment, intercept SMS messages, and perform massive location tracking of subscribers.
More than pure analysis of vulnerability, this map rates and ranks the vulnerability of countries and operators showing discrepancies in the level and type of protection: SCCP screening, SS7 policing, MAP filtering, rate limiting, Network Element security configurations. We then conclude on the direction of signaling security and its current trend and development in the LTE world that shares many similar design insecurities with SS7.
This promises to be an interesting talk for those who are concerned about mobile security. You can follow the overall flow of events at the 31st Chaos Communication Congress via their official Twitter account, @ccc.