Exposing Fragility in Mobile Phone SS7

A staple of movies such as 1983's WarGames or 1995's Hackers is the gear used to take advantage of the public phone network. Blue boxes once permitted long distance calls without charges by playing the network's own in-band supervisory tones down the line, and war dialers would patiently work through every number in an exchange, looking for modems attached to vulnerable systems.

Many things have changed dramatically since the WOPR famously asked David Lightman "Shall we play a game?" One thing that has not changed is Signaling System 7 (SS7), the protocol telephone switches use among themselves to set up, route and tear down calls.

A recent article in the Washington Post somewhat breathlessly describes some SS7 vulnerabilities identified by German researchers. Those who work in the mysterious netherworld of telco central offices have long understood these hazards.

Down the Central Office Rabbit Hole

What happens when you pick up your grandmother's telephone, that old fashioned beast with a base that weighs four pounds, plugs into a jack in the wall, and still rings even if the power is out? Somewhere within about 20,000 feet of grandma's house there is a phone company facility where the analog signal that is your voice is converted into a 64 kbit/s digital stream, a single DS0 channel.

That system has a digital trunk to a central office that houses a Class 5 switch, the class of switch that serves end subscribers. It could be anything from a room-sized Alcatel-Lucent 5ESS in an urban area to a rural town's diminutive Metaswitch VPS2510, roughly the size of a large microwave oven.

No matter which brand of switch grandma's carrier has, they all require a connection to the Signaling System 7 network if they are going to route your call anywhere outside the local neighborhood. This switch-to-switch protocol was developed to offer subscribers a richer set of services, and as a side effect it moved call control out of band: touch tones only matter on the loop from the phone to the first digital device, and from there on the call is set up, routed and torn down with SS7 messages. That is also what ended the blue box, since there is no longer an in-band tone path on which a subscriber can inject the network's own signaling.

SS7 is a packet network, but its packets are not the IP packets you know from the internet. It is its own separate kingdom, in which each telephone exchange is a Service Switching Point (SSP) identified by a point code, and SSPs reach the Service Control Points (SCPs) that hold routing and service data through mated pairs of Signal Transfer Points (STPs), over signaling links carried on T1 or E1 circuits. This network was secured largely by the cost of entry. Switches capable of speaking SS7 only dropped below the $100,000 mark in the last ten years; a T1 loop in a carrier hotel might cost only $100 a month, but a would-be intruder would still have to convince an SS7 provider of a legitimate need and pay for access. That kept SS7 experiments the domain of people employed in the field. It is worth being clear about what the cost barrier was standing in for: once a node is on the network there is no authentication of signaling messages, a point code is just a number in the message header, and every node acts on whatever its peers send.

That all started to change with SIGTRAN, the IETF family of standards (M2PA, M3UA and SUA over SCTP) that carry SS7 signaling inside IP packets. Control of the phone network moved onto the same transport as internet service. Cellular networks had to carry IP anyway to serve phones with data plans; things got confused, things got sloppy, and that is how trouble starts.

The SS7 Situation Today

When you dial a phone number, the call setup message (the ISUP Initial Address Message in SS7 terms) carries the number you are calling as the DNIS, or dialed number identification service, and the origin of the call as the ANI, or automatic number identification. If you own a switch, or pay for a service like SpoofCard, you can put anything you want into the calling number, even the number of the person you are calling. Strictly, what such services set is the Calling Party Number that becomes caller ID, while the billing-side ANI may travel separately, but the terminating switch has no way to verify either: it trusts whatever the originating switch put in the message. This has many legitimate uses; a national restaurant chain might have a single 800 number for customer service, and all stores would display that rather than their own local number. There are an equal number of unsavory applications.
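
The two layers described above, SS7 carried inside IP by SIGTRAN and the dialed and calling numbers carried inside call setup, are easiest to see in a decoder. The Python below is an added example written for this article, not code from the page or from any switch or service it names. It builds an M3UA DATA message (the SIGTRAN adaptation that carries MTP3-level SS7 over SCTP) whose payload is an ISUP Initial Address Message, then parses it back out. The point codes, circuit code and 555 phone numbers are made up; the field layouts follow RFC 4666 and ITU-T Q.763. The calling number is deliberately set equal to the called number, with the screening indicator marked "network provided", which is exactly what a switch owner is free to do.

```python
"""Decode an M3UA DATA message carrying an ISUP Initial Address Message (IAM).

Added example for this article, not code from the original page. The packet is
built by hand below (point codes, CIC and phone numbers are made up) using the
field layouts of RFC 4666 (M3UA) and ITU-T Q.763 (ISUP).
"""
import struct

M3UA_PARAM_PROTOCOL_DATA = 0x0210
ISUP_IAM = 0x01
ISUP_CALLING_PARTY_NUMBER = 0x0A   # optional parameter name in the IAM
SI_ISUP = 5                        # MTP3 service indicator for ISUP
SCREENING = {0: "user provided, not verified", 1: "user provided, verified and passed",
             2: "user provided, verified and failed", 3: "network provided"}


def encode_digits(digits: str) -> tuple:
    """Q.763 address signals: two digits per octet, first digit in the low nibble."""
    odd = len(digits) % 2 == 1
    padded = digits + "0" if odd else digits            # filler nibble when odd
    out = bytes(int(padded[i]) | (int(padded[i + 1]) << 4) for i in range(0, len(padded), 2))
    return out, odd


def decode_digits(data: bytes, odd: bool) -> str:
    digits = []
    for b in data:
        digits += [str(b & 0x0F), str(b >> 4)]
    if odd:
        digits.pop()                                     # drop the filler nibble
    return "".join(digits)


def build_iam(cic: int, called: str, calling: str, screening: int) -> bytes:
    """ISUP IAM: CIC (low octet first), message type, fixed part, pointers, parameters."""
    called_bcd, odd = encode_digits(called)
    called_param = bytes([(0x80 if odd else 0) | 0x04, 0x10]) + called_bcd   # NAI=international, NPI=ISDN
    calling_bcd, odd = encode_digits(calling)
    calling_param = bytes([(0x80 if odd else 0) | 0x04, 0x10 | screening]) + calling_bcd
    fixed = bytes([0x00, 0x00, 0x00, 0x0A, 0x00])       # NCI, FCI(2), CPC=ordinary subscriber, TMR=speech
    pointers = bytes([2, 2 + len(called_param)])        # each pointer is an offset from its own octet
    optional = bytes([ISUP_CALLING_PARTY_NUMBER, len(calling_param)]) + calling_param + b"\x00"
    return (struct.pack("<H", cic) + bytes([ISUP_IAM]) + fixed + pointers
            + bytes([len(called_param)]) + called_param + optional)


def build_m3ua_data(opc: int, dpc: int, user_data: bytes) -> bytes:
    """M3UA common header plus a Protocol Data parameter (RFC 4666 section 3.3.1)."""
    pd = struct.pack("!IIBBBB", opc, dpc, SI_ISUP, 2, 0, 0) + user_data   # NI=2 (national), MP, SLS
    plen = 4 + len(pd)                                   # tag + length + value, before padding
    param = struct.pack("!HH", M3UA_PARAM_PROTOCOL_DATA, plen) + pd + b"\x00" * (-plen % 4)
    return struct.pack("!BBBBI", 1, 0, 1, 1, 8 + len(param)) + param   # version 1, class 1 Transfer, type 1 DATA


def parse_m3ua_data(pkt: bytes) -> dict:
    version, _reserved, mclass, mtype, length = struct.unpack("!BBBBI", pkt[:8])
    if (version, mclass, mtype) != (1, 1, 1) or length != len(pkt):
        raise ValueError("not a well-formed M3UA DATA message")
    i = 8
    while i + 4 <= len(pkt):
        tag, plen = struct.unpack("!HH", pkt[i:i + 4])
        if plen < 4 or i + plen > len(pkt):
            raise ValueError("bad parameter length")
        if tag == M3UA_PARAM_PROTOCOL_DATA:
            opc, dpc, si, ni, _mp, sls = struct.unpack("!IIBBBB", pkt[i + 4:i + 16])
            return {"opc": opc, "dpc": dpc, "si": si, "ni": ni, "sls": sls,
                    "user_data": pkt[i + 16:i + plen]}
        i += (plen + 3) & ~3                             # parameters are 4-octet aligned
    raise ValueError("no Protocol Data parameter")


def parse_iam(msg: bytes) -> dict:
    cic = msg[0] | ((msg[1] & 0x0F) << 8)                # 12-bit CIC, low octet first
    if msg[2] != ISUP_IAM:
        raise ValueError("not an IAM")
    body = msg[3:]                                       # fixed part is body[0:5]
    called_pos = 5 + body[5]                             # pointer value is relative to the pointer octet
    called = body[called_pos + 1:called_pos + 1 + body[called_pos]]
    out = {"cic": cic, "called": decode_digits(called[2:], bool(called[0] & 0x80)),
           "calling": None, "screening": None}
    if body[6] != 0:                                     # pointer 0 means no optional part
        i = 6 + body[6]
        while body[i] != 0x00:                           # 0x00 ends the optional part
            name, plen = body[i], body[i + 1]
            value = body[i + 2:i + 2 + plen]
            if name == ISUP_CALLING_PARTY_NUMBER:
                out["calling"] = decode_digits(value[2:], bool(value[0] & 0x80))
                out["screening"] = SCREENING[value[1] & 0x03]
            i += 2 + plen
    return out


def decode_spoofed_call() -> dict:
    """Build and decode a call whose calling number is set to the called number."""
    iam = build_iam(cic=0x123, called="15550100", calling="15550100", screening=3)
    pd = parse_m3ua_data(build_m3ua_data(opc=0x1234, dpc=0x5678, user_data=iam))
    if pd["si"] != SI_ISUP:
        raise ValueError("user part is not ISUP")
    call = parse_iam(pd["user_data"])
    call.update(opc=pd["opc"], dpc=pd["dpc"])
    return call


if __name__ == "__main__":
    print(decode_spoofed_call())
```

The point to notice is that nothing on the decode path can be verified: originating point code, circuit, calling number and the screening bits that claim the network vetted it are all just fields in the message, and the terminating switch acts on them as received. SCTP, and any IPsec on the SIGTRAN link, authenticate the peer at the IP layer, not the signaling content.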

The situation for mobile customers is far more complex, with a protocol that was meant for interfacing telco 'big iron' now exposed to the perils of the internet, and there are apparently a lot of gaps. The event where these hazards will be presented, unnamed in the WaPo article, is the 31st Chaos Communication Congress (31C3), which is being held in Hamburg from December 27th through the 30th.

The talk, entitled SS7map: mapping vulnerability of the international mobile roaming infrastructure, will be given by Laurent Ghigonis and Alexandre DeOliveira. Its abstract reads like a recipe for mayhem for anyone in a position to exploit mobile networks:

SS7 has been shown repeatedly as an insecure protocol: spoofing, faking, crash through fuzzing, fraud. The main question of our study is to determine how this insecurity is mitigated by network operators' actions to prevent compromise on both network exposure of infrastructure and privacy compromise of subscribers.

The goal of SS7map is to provide a global overview by building the first SS7 signaling network world map revealing how vulnerable and exposed telecom operators and their subscribers are. We explain how it is possible for each mapped network to abuse legitimate signaling messages and call flows to discover and fingerprint equipment, intercept SMS messages, and perform massive location tracking of subscribers.

More than pure analysis of vulnerability, this map rates and ranks the vulnerability of countries and operators showing discrepancies in the level and type of protection: SCCP screening, SS7 policing, MAP filtering, rate limiting, Network Element security configurations. We then conclude on the direction of signaling security and its current trend and development in the LTE world that shares many similar design insecurities with SS7.
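
The countermeasures the abstract lists (SCCP screening, MAP filtering, rate limiting) amount to rules applied at the interconnect edge to fields that are themselves unauthenticated. The Python below is an added illustration written for this article, not code from SS7map or from any operator. The home and partner global-title prefixes, the sample messages and the rate limit are constructed for the demo, and the grouping of operations is in the spirit of the GSMA's FS.11 categories rather than a copy of them; the MAP operation codes are the real values from 3GPP TS 29.002.

```python
"""Illustrative MAP screening at an SS7/SIGTRAN interconnect edge.

Added example for this article; not code from the page or from SS7map. The
home and partner global-title prefixes, the sample traffic and the rate limit
are constructed for the demo. The grouping of operations is in the spirit of
GSMA FS.11 but is not a copy of it. Operation codes are from 3GPP TS 29.002.
"""
from collections import Counter
from dataclasses import dataclass

# MAP operation codes (3GPP TS 29.002)
UPDATE_LOCATION, CANCEL_LOCATION, INSERT_SUBSCRIBER_DATA = 2, 3, 7
SEND_PARAMETERS, SEND_ROUTING_INFO, SEND_ROUTING_INFO_FOR_SM = 9, 22, 45
SEND_AUTHENTICATION_INFO, SEND_IMSI = 56, 58
PROVIDE_SUBSCRIBER_INFO, ANY_TIME_INTERROGATION = 70, 71

# Operations that return IMSI, location or subscriber profile to whoever asks
# and have no business arriving from another network at all.
INTRA_NETWORK_ONLY = {ANY_TIME_INTERROGATION, PROVIDE_SUBSCRIBER_INFO,
                      SEND_IMSI, SEND_PARAMETERS}
# Operations another network legitimately sends only while it hosts one of our
# roamers, so the sender must be a known roaming partner.
ROAMING_PARTNER_ONLY = {UPDATE_LOCATION, CANCEL_LOCATION,
                        INSERT_SUBSCRIBER_DATA, SEND_AUTHENTICATION_INFO}
# Operations any network may need, but which leak IMSI and serving node
# (the basis of SMS interception and tracking) when sent in bulk.
RATE_LIMITED = {SEND_ROUTING_INFO_FOR_SM, SEND_ROUTING_INFO}

HOME_GT_PREFIXES = ("1555",)            # constructed: our own global titles
ROAMING_PARTNERS = ("44123", "49777")   # constructed: partner GT prefixes
RATE_LIMIT = 3                          # per foreign calling GT per window (demo value)


@dataclass(frozen=True)
class MapMessage:
    calling_gt: str      # SCCP calling party global title (E.164)
    called_gt: str       # SCCP called party global title
    opcode: int          # MAP operation code from the TCAP invoke
    interconnect: bool   # arrived over an international/interconnect link


class Screener:
    def __init__(self) -> None:
        self.counts = Counter()   # rate-limited messages seen per foreign calling GT

    def decide(self, m: MapMessage) -> str:
        from_home = m.calling_gt.startswith(HOME_GT_PREFIXES)
        # SCCP screening: one of our own GTs can never legitimately enter from outside.
        if from_home and m.interconnect:
            return "drop: home GT arriving over interconnect"
        # MAP filtering by operation category.
        if m.opcode in INTRA_NETWORK_ONLY and not from_home:
            return "drop: intra-network operation from foreign GT"
        if (m.opcode in ROAMING_PARTNER_ONLY and not from_home
                and not m.calling_gt.startswith(ROAMING_PARTNERS)):
            return "drop: roaming operation from unknown network"
        # Rate limiting of the lookups used for bulk IMSI and location harvesting.
        if m.opcode in RATE_LIMITED and not from_home:
            self.counts[m.calling_gt] += 1
            if self.counts[m.calling_gt] > RATE_LIMIT:
                return "drop: rate limit exceeded"
        return "allow"


def screen_sample() -> list:
    """Run constructed sample traffic through the screener and return the verdicts."""
    hlr = "15559000"   # constructed GT of our HLR
    sample = [
        MapMessage("15550001", hlr, ANY_TIME_INTERROGATION, False),  # internal node, fine
        MapMessage("15550001", hlr, ANY_TIME_INTERROGATION, True),   # spoofed home GT from outside
        MapMessage("33199000", hlr, ANY_TIME_INTERROGATION, True),   # location lookup from abroad
        MapMessage("44123000", hlr, UPDATE_LOCATION, True),          # genuine roaming partner
        MapMessage("33199000", hlr, UPDATE_LOCATION, True),          # unknown network
    ] + [MapMessage("44123000", hlr, SEND_ROUTING_INFO_FOR_SM, True)] * 4
    screener = Screener()
    return [screener.decide(m) for m in sample]


if __name__ == "__main__":
    for verdict in screen_sample():
        print(verdict)
```

A real edge would also apply plausibility checks (a subscriber cannot register in two countries five minutes apart), key the rate limit on the target IMSI as well as the calling GT, and log every drop, since the dropped messages are the reconnaissance that precedes interception and tracking.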

This promises to be an interesting talk for those concerned about mobile security. You can follow the overall flow of events at the 31st Chaos Communication Congress via their official Twitter account, @ccc.

Images from Shutterstock.
