
A critical hole in the heart of cellular networks

There have already been several detailed technical articles on SS7 attacks on our site.

This article, however, explains what is happening in simpler terms, and may interest readers who are far from the internal workings of mobile networks.

In February 2014, the US ambassador to Ukraine was the victim of an embarrassing leak. A private conversation between him and Assistant Secretary of State for European and Eurasian Affairs Victoria Nuland, in which she spoke about the European Union in crude language, was posted on YouTube.

The conversation was conducted over an unprotected connection, and representatives of the US government told reporters that they suspected the call had been intercepted in Ukraine, but not how. Some believe it was done by exploiting vulnerabilities in SS7, the mobile signalling network that is part of the basic infrastructure used by telephone providers around the world for inter-provider communication, call forwarding and text messaging.

A report by the Ukrainian government, released a few months after the incident and almost unnoticed, lent credibility to this theory. Although the ambassador was not mentioned, the report said that over three days in April, location data on a dozen unidentified mobile phone users in Ukraine was sent to a Russian provider by exploiting vulnerabilities in SS7. Some text messages and phone calls were also forwarded to Russia, where someone could listen to and record them.
For many years providers have known that SS7 is vulnerable to wiretapping, but they did little about it, because the risks were considered largely theoretical. Everything changed after the incident in Ukraine, says Cathal McDaid, head of threat intelligence at mobile security firm AdaptiveMobile. Some companies, including his, have developed methods for detecting attacks on SS7, and since then they have detected suspicious activity in the networks of various providers, which shows not only that SS7 attacks are real, but that they occur regularly. AdaptiveMobile released a report in February describing some of these attacks in detail.

SS7 is only now coming to public attention, for example because of a segment on the 60 Minutes program last week in which two researchers from Germany used SS7 to spy on US Congressman Ted Lieu, with his permission. Lieu has called for a congressional hearing to investigate SS7 vulnerabilities, and the FCC also plans to study them.

So what is SS7 and why is it so vulnerable?

[Figure] The graph shows how one system in Eastern Europe used SS7 to track a single subscriber for two minutes, sending location requests to the subscriber's provider. A minute later, a cascade of requests for the same subscriber arrived from many systems in different countries.

SS7 basics


SS7, or Signaling System No. 7, is a digital network and a set of technical protocols, or rules, governing the exchange of data over that network. It was developed in the 1970s to track and connect landline telephone calls between different networks, and it is now used for billing mobile calls and SMS, in addition to roaming and calls between landlines and regional PBXs. SS7 is part of the foundation of telecommunications, but it is not the network your conversations travel over: it is a separate administrative network that performs other tasks. If you imagine a passenger rail system, SS7 is the set of service tunnels that workers use, rather than the main tunnels where the passenger trains run.

Today SS7 is often used for roaming, so that when travelling you can receive and make calls and send SMS even where your home provider has no coverage. Via SS7, the foreign provider sends your home provider a request for your phone's unique ID in order to track it, and asks that your communications be transferred to its network so that it can route your calls and messages.

Problem


The problem is that the SS7 network works on trust. Any request received by the network is considered legitimate. Therefore anyone with access to a server or gateway on the SS7 network can send a location or redirection request for roaming purposes, and the provider will most likely answer it, even if the request comes from St. Petersburg or Bombay while your phone is in New York. An attacker can thus spy on officials, company directors, the military, activists and others. It is worth noting that intercepting your messages and calls also means that an attacker can intercept the two-factor authentication codes that Gmail and other services send via SMS to grant access to your accounts. An attacker who knows the account's username and password can intercept those codes before you receive them.

Hundreds of providers around the world have access to SS7. Various government intelligence agencies can also access the network, with or without a provider's permission. Commercial companies sell SS7 hacking services to governments and other customers. Criminals can buy network access from dishonest providers, and hackers can break into insecure equipment that serves SS7.

Providers did not begin putting defenses in place until December 2014. That is when Karsten Nohl of the German company Security Research Labs and independent security researcher Tobias Engel gave presentations on SS7 at the Chaos Communication Congress in Germany, a few months after the Ukrainian incidents came to light. Engel had shown a method for tracking phones via SS7 back in 2008, but it was not as convenient as the ones he and Nohl described in 2014. As a result, Nordic regulators demanded that providers introduce measures against SS7 attacks by the end of 2015.

“Most SS7 attacks can be prevented with existing technology,” Nohl said. “There are a few cases where building protection will take a couple of years ... but at least the basic form of protection is in place in most networks in Northern Europe and in some other networks around the world.”

But these fixes had obviously not been made by two US providers, T-Mobile and AT&T: Nohl and a colleague showed on 60 Minutes that both were vulnerable to attack. Verizon and Sprint use other protocols to exchange data, and in theory are less vulnerable. But McDaid said that all mobile networks will eventually move to another signaling system called Diameter. This system “repeats many concepts and devices of previous SS7 networks,” he notes, including the assumption that all requests can be trusted, the very assumption that undermines SS7.

How can SS7 be used to track you?


To do this, an attacker sends an Anytime Interrogation (AI) request to your provider to obtain your phone's unique ID and determine which mobile switching center (MSC) your phone is using. Usually one MSC covers an entire city. Providers use this information to determine your location so that they can route your calls and messages through the cell tower closest to you. By sending repeated AI requests for information about you and your coordinates, an attacker can track your phone, and you, down to the city block.

Providers could prevent this by blocking AI requests coming from outside their borders, says Nohl. But there are other ways to obtain location information through other SS7 requests, and those are not so easily blocked.

And this is not a hypothetical possibility; we know the method has been used in practice. The AdaptiveMobile report describes one operation in which an attacker sent location requests from multiple systems. Tracking requests for the same customers came from SS7 systems around the world rather than from a single one, perhaps to avoid arousing suspicion, since many requests from one system would be easier to notice. These systems sent several hundred requests per day tracking certain subscribers, while sending only one or two requests per day for other numbers the attackers were targeting.

“Obviously, the more you use the system to send requests, the more likely you are to give yourself away. But these were valuable targets and there were few of them,” says McDaid. “As long as you only send a few requests, there is a chance they will not be noticed.”

Another operation, in one European country, tracked phones in the Middle East and Europe from systems installed at each of four European providers, which suggests their involvement. "This is our assumption ... If this is a spying system or a state system, then the providers have little choice."

Intercept


Nohl describes three techniques for intercepting calls and texts via SS7. One he demonstrated on the program 60 Minutes Australia, sending a request from Germany to an Australian provider and changing the voicemail settings so that incoming calls were redirected to Nohl's phone. This could easily be prevented by answering only requests that come from the region where the phone is located, but few providers check this.

Another method abuses the feature that rewrites the numbers you call. If you go abroad and dial a number from your contacts, the number-rewriting function recognizes that the call is international and adds the country code.

“The country code is added by replacing the 'wrong' number with the 'correct' one, with the code added, and sending it back,” explains Nohl. “Convenient, right? But an attacker can force the system to replace any number with another. When the call comes in, it is forwarded to the desired number, and the attacker stays in the middle, able to listen to and record the call.”

The third method takes advantage of the fact that mobile phones are usually in sleep mode, not communicating with the network, until they receive a call or text. During that time the attacker tells your provider that you are in Germany and that all communications must be redirected there. Eventually your phone in the US will wake up and report where it actually is. But the attacker can send another message to override that.

“If you do this every five minutes, you will very rarely receive calls and SMS yourself; most of the time we will receive them,” says Nohl. You will eventually notice the roaming bill, but by then your privacy will already have suffered.

“This is not the most elegant method of interception, since you have to pay for roaming. But it works well,” he says.

What to do?


Such an attack is easily prevented with an algorithm that understands that a user cannot jump between the United States and Germany within minutes. “But nobody simply introduces such checks,” says Nohl.
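As an added illustration (not code from the article or from any provider), the two defender-side heuristics the text alludes to, run over a constructed log of signalling events: flagging a subscriber whose location is queried repeatedly from many origin networks in a short window (the multi-system tracking described earlier), and flagging a location update that moves a subscriber between countries faster than is plausible (the check described in this section). Field names, thresholds and the log format are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data):
# (timestamp, MAP operation, subscriber, origin network, reported country)
EVENTS = [
    ("2016-04-20T10:00:00", "AnyTimeInterrogation", "sub-A", "net-EE-1", None),
    ("2016-04-20T10:00:20", "AnyTimeInterrogation", "sub-A", "net-EE-1", None),
    ("2016-04-20T10:00:45", "AnyTimeInterrogation", "sub-A", "net-ZA-3", None),
    ("2016-04-20T10:01:10", "AnyTimeInterrogation", "sub-A", "net-BR-2", None),
    ("2016-04-20T10:01:30", "AnyTimeInterrogation", "sub-A", "net-IN-7", None),
    ("2016-04-20T10:01:55", "AnyTimeInterrogation", "sub-A", "net-ZA-3", None),
    ("2016-04-20T10:02:30", "AnyTimeInterrogation", "sub-B", "net-EE-1", None),
    ("2016-04-20T08:00:00", "UpdateLocation", "sub-C", "net-US-1", "US"),
    ("2016-04-20T08:03:00", "UpdateLocation", "sub-C", "net-DE-1", "DE"),
    ("2016-04-20T08:00:00", "UpdateLocation", "sub-D", "net-US-1", "US"),
    ("2016-04-20T20:00:00", "UpdateLocation", "sub-D", "net-DE-1", "DE"),
]

def parse(ts):
    return datetime.fromisoformat(ts)

def flag_tracking(events, window=timedelta(minutes=2), min_requests=5, min_origins=3):
    """Return {subscriber: (requests, distinct origins)} for subscribers whose
    location was queried at least min_requests times, from at least min_origins
    different networks, inside any sliding window of the given length."""
    by_sub = defaultdict(list)
    for ts, op, sub, origin, _ in events:
        if op == "AnyTimeInterrogation":
            by_sub[sub].append((parse(ts), origin))
    flagged = {}
    for sub, reqs in by_sub.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            in_win = [o for t, o in reqs[i:] if t - t0 <= window]
            if len(in_win) >= min_requests and len(set(in_win)) >= min_origins:
                flagged[sub] = (len(in_win), len(set(in_win)))
                break
    return flagged

def flag_impossible_travel(events, min_gap=timedelta(hours=1)):
    """Return (subscriber, previous country, new country, origin network) for each
    UpdateLocation that changes country sooner than min_gap after the last one.
    Assumption: a flat time threshold stands in for a real distance/speed model."""
    last, flagged = {}, []
    for ts, op, sub, origin, country in sorted(events, key=lambda e: e[0]):
        if op != "UpdateLocation":
            continue
        t = parse(ts)
        if sub in last and last[sub][1] != country and t - last[sub][0] < min_gap:
            flagged.append((sub, last[sub][1], country, origin))
        last[sub] = (t, country)
    return flagged
```

On the sample log, sub-A is flagged for six queries from four networks in under two minutes, and sub-C for "moving" from the US to Germany in three minutes, while sub-B and sub-D pass.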

As an individual, there is little you can do. You can protect your communications with services such as Signal, WhatsApp or Skype, but McDaid says an attacker can send your provider a request to disable your data service. “Then you will only have SMS and calls, unless you have access to Wi-Fi,” he says. And you will remain vulnerable to SS7 attacks.

McDaid says providers are working to prevent such attacks, but for now most of them are limited to the simplest measures. “Now they have reached the stage where they have to install much more sophisticated firewalls and algorithms that try to detect and prevent more complex attacks,” he says. “Those attacks are harder to carry out, but they are also harder for the defense to stop. Believe me, work on these attacks is under way.”

Source: https://habr.com/ru/post/394749/
