Tracking People From their Cell Phones with an SS7 Vulnerability

What's interesting about this story is not that the cell phone system can track your location worldwide. That makes sense; the system has to know where you are. What's interesting about this story is that anyone can do it. Cyber-weapons arms manufacturers are selling the capability to governments worldwide, and hackers have demonstrated the capability.

Posted on September 17, 2014 at 7:15 AM • 22 Comments


nobody@localhost • September 17, 2014 8:19 AM

To me, the question is not whether cell phones are an evil to be avoided. As much has been obvious for many years.

Rather, how to survive without them? And how to avoid drawing suspicion for not having them?

In the old days (before phones), people generally offered hospitality and assistance to travellers in emergency. Later came the era of payphones. Nowadays, payphones are vanishing; and asking strangers for assistance can automatically be interpreted as a threat, depending on the area and how unlucky you are. Keeping a cell phone in a radio opaque container with the battery out will also be flagged as suspicious, if and when you turn it on.

Worse, it already brings odd looks to be without the cell phone. Even poor people have "smartphones" in many U.S. areas now (I wish that were hyperbole; it is not). Resistance is evidence of thoughtcrime. I consider feigning conversion to an anti-technology religion (but then it would be difficult to explain all my computers).

T!M • September 17, 2014 8:33 AM

@ Bruce Schneier
Isn't this what the modern world describes at best, like almost any information on your blog?

Every day there are more and more devices, services, and apps that increase the complexity of our technology-addicted world. There is almost no time for testing before releasing, and the money signs in the managers' eyes hide the need for security awareness.
The more complex the systems and architectures are, the easier it is to find vulnerabilities that can be used to abuse these systems and the information processed.

After the release of the FinSpy software there are many more ways to give "anyone" access to information that was intended for governments, I think.

You use the words "What's interesting about this story", and this is interesting, too. Years ago I'm sure you and I would have said "The shocking insight of this story is that anyone can spy like professionals," but today we are all blunted and have accepted that tracking cell phones is just a feature, and that anyone being able to use it to decay privacy to almost nothing is part of the world 2.0.

It's like always: the best protection against abuse of features is abstinence from these features. From this perspective the old, more analog world wasn't perfect either, but it was much better (= less complex). Today you don't even need to get off the chair to ruin a company or person. A very sad evolution from my perspective.

bob • September 17, 2014 9:21 AM

Why wouldn't you carry one? Camera, calculator, address book, music player, GPS, radio all in one unit. What's not to love? No wonder people find it odd when you don't carry one.

...just keep it in airline mode; "Oh, I'm saving the battery".

nobody@localhost • September 17, 2014 10:02 AM

"What's not to love?" Oh, people are so easily seduced by shiny toys! [not verified by me; contrast]

It is well known that these devices can be remotely activated when turned "off". So you suggest that I would trust "airline mode" because... why?

A few years ago, a wise man I know observed that a stereotypical paranoiac delusion is the belief of having been implanted with a tracking/bugging device by government/aliens/whatever; yet if you merely offer all those tasty human resources some "Camera, calculator, address book, music player, GPS, radio all in one unit", they will pay money for the privilege of carrying the implant with them. Problem solved! Indeed, the mewling thralls will even use peer pressure to enforce amongst each other the command that everybody shall carry the tracking device everywhere, all the time. "No wonder people find it odd when you don't carry one."

Thank you for making my point. Quod erat demonstrandum.

Clive Robinson • September 17, 2014 10:19 AM

The attack as described is an "active attack" and can therefore be spotted by the network operators if they choose to.

However, there is a passive method I've mentioned before, which is to watch the handover messages. I worked contract for a company that did precisely this to form "traffic census" and "build up detection". The only difference between their software and a mass surveillance software system was that their software had an anonymising system added to it.

This was back at the beginning of the century, just before the US installed fingerprint readers at their borders.

I'm not surprised AT&T were a bit coy on answering questions because they were one of the places we installed the software, and they did ask a lot of questions about the anonymiser and how it might fail...

If I were the NSA then I would be watching the handover messages; they are not even classified as "call meta data" because they are not related to the placing or receiving of a call --directly-- they are technically "network engineering/technical" data to do with the running of the network, so "no foul" if they recorded them all...

jones • September 17, 2014 10:21 AM

@ Bob S.

Tinfoil does seem to work. A few years ago Milwaukee police were found to be disabling the GPS devices on their squad cars by wrapping the antennae in tin foil:

If the police don't like being subject to these capabilities, it should certainly make the rest of us give things a second thought.

I wonder if anybody is selling a "faraday sleeve" to stow cellphones while not in use... It might be an interesting way to test (using market mechanisms) how much dissatisfaction there is among the general population....

Tasha's • September 17, 2014 10:43 AM

Just use Sprint. Then you can carry a functioning cellphone but it won't really work and be used by anyone. And think of the money you'll save on aluminum foil!

T!M • September 17, 2014 11:06 AM

@ Bob S.

Maybe one of the Apple developers wanted to protect the customers and we all misunderstood this as a form of incompetence and called it "Antennagate".

Maybe in future people will learn to be more extroverted again to get back a little bit of privacy. Maybe in this future it would be enough to take the clothing, watch, glasses, etc. off and go into an empty room without windows to give nobody the chance to spy (assuming that this person has no implants and the room is on the -5th floor, of course).

Maybe until this time we all have body implants cheap enough to distribute them within Cornflakes or Cheeseburgers or Cola or medicine or air-conditioning or whatever.

I wait for the first article about the new iPhone saying that someone can use the heartbeat for biometric identification or to detect if you are lying, or that someone is able to overload the device to harm the user. We live in a world full of dual-use features and people smart enough to find the flaws and people evil enough to use them ... and many consumers only seeing the benefit of all these features, of course.

vas pup • September 17, 2014 11:36 AM

AT&T is developing new technology to be utilized by Big and less big brothers (employers) as well. I still wonder why you as a customer are not authorized (by law or at least FCC regulation) to simultaneously record all conversations with reps of any business when they state they do recording (for whatever purposes)? When will Gov become for the people first, and for the business second? Based on current trends you all may come to the same answer...

cf • September 17, 2014 11:41 AM

“I’m worried about foreign governments, and I’m even more worried about non-governments,” Peha said. “Which is not to say I’d be happy about the NSA using this method to collect location data. But better them than the Iranians.”

Pretty sure Iran is a country with a government.

Spaceman Spiff • September 17, 2014 11:48 AM

To (mis)quote the Moody Blues (one of my favorite 1960's bands), "Thanks to the Great Computer, we are all magnetic ink!"...

What more can you say?

Gerard van Vooren • September 17, 2014 11:50 AM

Bill: "I did not sleep with that woman!"

Hillary: "Yes you did. I checked it myself."

Bill: "... But you were at home. I checked that too. (...) Never mind."

Bill: "She did have a fine cigar. Cuban."

Z.Lozinski • September 17, 2014 3:36 PM

The fundamental issue is that when common channel signalling (CCS) was designed there was an assumption that anything that was connected via SS7 was trusted. In the 1988 ITU-T Blue Book there are no security requirements around the SS7 protocols. When the SS7 network was limited to a monopoly operator's network, this was probably valid. Now with deregulation, hundreds of operators in a country and IP-to-SS7 gateways, not so.

There is a certain irony that the driver for the introduction of CCS was security. Specifically, revenue assurance by preventing network signalling messages from being sent from an end device such as a blue box attached to an analogue handset.

This tracking technology may not work quite as well as the designer intended though, as a number of networks have limitations on how frequently they update location information. Remember you only need the paging area - which covers a set of cells, not the individual cell - in order to route an incoming call or SMS in a mobile network. Some of the major equipment vendors charge for network equipment by the number of transactions (i.e. the number of SS7 messages it can process), so making the granularity of update too fine gets expensive. This is one of the reasons for the popularity of over-the-air IMSI catchers in shopping malls.

lnewton • September 17, 2014 8:55 PM

The system does not need to know where you are to contact you—that's how it happens to be implemented, because it was easy, but Tor hidden services demonstrate that it's not a requirement. (And Zero Knowledge Systems already figured out how to use Chaumian cryptocurrency to charge anonymous users for network access.)

chief michael airic white sr • September 17, 2014 9:00 PM

One time a mirror who I thought was a friendly mirror HM was requesting permission to chat with the server about a confidential case and mentioned travel to a specific location that he would only know about if he were a friendly... my speaker was bugged on my house phone and the feds were listening.... just called his bluff and told him my left upper crown was a transmitter (gutsout) he ran for the door on his cell. I tracked it back and was victor

lnewton • September 17, 2014 9:12 PM

The article mentions that carriers can prevent this, but even many European carriers have this flaw. It's almost certainly illegal under European data protection laws to reveal the location of subscribers without a warrant or similar justification. Complaints to the national data protection authorities might get it fixed.

Fazal Majid • September 17, 2014 9:38 PM

A lot of what passes for security in the telco/cellco world is nothing more than security by obscurity (and SS7 is famously obscure: the standards don't fully specify the protocols, there are national variants like France's SSUTR2, and the only way to interoperate with the big carrier vendors requires reverse-engineering). The Internet world had the same issues, and BGP4 is light years ahead of telcos in this respect, despite having its own share of unresolved issues.

If a carrier doesn't have a firewall filtering SS7 messages from outside its network, then it does not have denial of service protection either. SS7's underlying MTP/SCCP network and transport protocols fail catastrophically under load, like old-fashioned half-duplex Ethernet, and thus it is conceivable an attacker may be able to cripple an entire nation's telephone infrastructure by a DDoS using the same entry vectors.

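Clive Robinson's point that an active attack can be spotted by the operator, and Fazal Majid's point that a carrier needs a firewall filtering SS7 messages from outside its network, as an added example that is not from the post or any commenter: a Python sketch of an edge filter that classifies inbound MAP messages by sender and operation, and flags senders whose blocked messages pile up. The home and partner global-title prefixes, the partner list, the sample records and the allow/block policy are assumptions; the operation names are MAP operations defined in 3GPP TS 29.002.

```python
"""SS7 border filter sketch (added example, not code from the page). Input is
constructed (calling global title, MAP operation) pairs as an edge SS7 firewall
would see them; names per 3GPP TS 29.002. Prefixes, partners, policy: assumed."""
from collections import Counter

HOME_GT_PREFIX = "4912"                 # assumed: own network's global titles
PARTNER_GT_PREFIXES = ("4477", "3366")  # assumed: trusted roaming partners
# Assumed policy: location and subscriber-data queries only travel between
# the home network's own HLR/MSC/VLR, so from outside they are always dropped.
INTERNAL_ONLY = {"anyTimeInterrogation", "provideSubscriberInfo", "sendIMSI"}
# Operations a roaming partner legitimately sends (our subscriber abroad,
# or their subscriber visiting us).
ROAMING_OK = {"updateLocation", "sendAuthenticationInfo", "provideRoamingNumber"}

def classify(calling_gt, operation):
    """Return 'allow', 'block' or 'review' for one inbound message."""
    if calling_gt.startswith(HOME_GT_PREFIX):
        return "allow"                    # internal signalling
    if operation in INTERNAL_ONLY:
        return "block"                    # never valid from outside
    if operation in ROAMING_OK:
        return "allow" if calling_gt.startswith(PARTNER_GT_PREFIXES) else "block"
    return "review"                       # unknown operation: log for an analyst

def filter_messages(records):
    """Verdict per (calling_gt, operation) pair, in input order."""
    return [(gt, op, classify(gt, op)) for gt, op in records]

def noisy_sources(records, limit):
    """Senders with more than `limit` blocked messages: an active probe or a
    flood stands out because its blocks cluster on one calling global title."""
    blocked = Counter(gt for gt, _, v in filter_messages(records) if v == "block")
    return sorted(gt for gt, n in blocked.items() if n > limit)

SAMPLE = [  # constructed sample, not captured traffic
    ("4477900001", "updateLocation"),          # partner VLR, our roamer: allow
    ("4477900001", "sendAuthenticationInfo"),  # partner VLR, same roamer: allow
    ("3366000007", "provideRoamingNumber"),    # partner HLR, their visitor: allow
    ("12125550000", "anyTimeInterrogation"),   # stranger asks for a location: block
    ("4477900001", "provideSubscriberInfo"),   # partner, but internal-only: block
    ("4912000100", "provideSubscriberInfo"),   # our own HLR to our own VLR: allow
    ("12125550000", "updateLocation"),         # stranger claims to host a roamer: block
    ("8610000042", "futureOperation"),         # in neither list: review
]

if __name__ == "__main__":
    for gt, op, verdict in filter_messages(SAMPLE):
        print(f"{verdict:6} {gt:12} {op}")
    print("noisy senders:", noisy_sources(SAMPLE, 1))
```

A real deployment would key the partner list on the operator's actual roaming agreements and add rate limits per sender, which is what turns Fazal Majid's DoS concern into something the same filter can absorb.
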
Norman Yarvin • September 18, 2014 7:40 PM

Hmm. The technique developed by Tobias Engel only permits localization to an MSC (a switching center that typically serves many cell towers), yet the commercially available services described in the Washington Post article offer "cell site" data, which is a lot more fine-grained. I wondered if the commercial services were blowing smoke on this, for promotional purposes, but the Verint brochure (linked to in the article) really doesn't make it sound like that; there is much talk, for instance, of various databases of cell towers, each with millions of entries, that their software can use. It sort of makes sense that you can get the MSC, via SS7: that's where you need to send the call to, for the recipient to get it. But that might only tell you that the target was in Berlin somewhere. How could you get the cell site data, which might tell you which city block he was in? Is that also via SS7? If so, why would the SS7 network make this data available in the first place?

Paolo • September 19, 2014 6:06 AM

A solution to avoid this trick can be call forwarding. I can keep the SIM with my official personal number outside of the phone, with call forwarding set to the real SIM I use, possibly bought under another name and known only by me.
If it's still a problem, it can be call forwarding with the SIM in a device (an Asterisk PBX, for example) that forwards the call via VoIP or another way.

Of course, if the malicious tracker can access carrier data (i.e. governments), or can use a fake BTS, they may discover my real number.
