SS7 Vulnerabilities

There are security vulnerabilities in SS7, the signaling protocol that telephone carriers use to set up and route calls between their networks.

The flaws discovered by the German researchers are actually functions built into SS7 for other purposes -- such as keeping calls connected as users speed down highways, switching from cell tower to cell tower -- that hackers can repurpose for surveillance because of the lax security on the network.

Those skilled at the myriad functions built into SS7 can locate callers anywhere in the world, listen to calls as they happen or record hundreds of encrypted calls and texts at a time for later decryption. There also is potential to defraud users and cellular carriers by using SS7 functions, the researchers say.

Some details:

The German researchers found two distinct ways to eavesdrop on calls using SS7 technology. In the first, commands sent over SS7 could be used to hijack a cell phone's "forwarding" function -- a service offered by many carriers. Hackers would redirect calls to themselves, for listening or recording, and then onward to the intended recipient of a call. Once that system was in place, the hackers could eavesdrop on all incoming and outgoing calls indefinitely, from anywhere in the world.

The second technique requires physical proximity but could be deployed on a much wider scale. Hackers would use radio antennas to collect all the calls and texts passing through the airwaves in an area. For calls or texts transmitted using strong encryption, such as is commonly used for advanced 3G connections, hackers could request through SS7 that each caller's carrier release a temporary encryption key to unlock the communication after it has been recorded.
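Both techniques come down to the same trust model: a carrier answers any request that arrives over the signaling network without asking who is behind it. The toy model below, added here as an illustration and not code from the post or from the researchers, plays out both abuses against a carrier that trusts every peer and against one that checks. It is a deliberate abstraction: real SS7/MAP message names, encodings and routing are not modelled, the "cipher" is a throwaway XOR keystream, the phone numbers and network names are constructed, and the check used in `CheckingCarrier` (only the network currently serving the subscriber may change forwarding or obtain the session key) is an assumption made for this example rather than a remedy the article describes.

```python
"""Toy model of the two SS7 abuses described above (added illustration).

Simplified abstraction: a carrier keeps per-subscriber state (call-forwarding
target, current over-the-air session key) and answers signaling requests from
peer networks. Real SS7/MAP messages, encodings and routing are not modelled;
only the trust model is. The authorization check in CheckingCarrier is an
assumption for this example, not a fix described by the article.
"""
import hashlib
import os
from dataclasses import dataclass, field
from typing import List, Optional

VICTIM = "+15551230001"   # constructed sample numbers, not real subscribers
ATTACKER = "+15559990000"
HOME = "home-net"         # network the victim's phone is registered with
ROGUE = "rogue-peer"      # any party that obtained an interconnect to the SS7 network


def toy_stream_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in for the over-the-air cipher: XOR with a SHA-256 keystream.
    Symmetric, so the same call encrypts and decrypts. Toy only."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class Subscriber:
    msisdn: str
    serving_network: str
    forward_to: Optional[str] = None
    session_key: bytes = field(default_factory=lambda: os.urandom(16))


class TrustingCarrier:
    """SS7 as deployed: any request arriving over the signaling link is honoured."""

    def __init__(self, subscribers: List[Subscriber]):
        self.subs = {s.msisdn: s for s in subscribers}

    def set_forwarding(self, origin: str, msisdn: str, forward_to: str) -> bool:
        self.subs[msisdn].forward_to = forward_to
        return True

    def release_session_key(self, origin: str, msisdn: str) -> Optional[bytes]:
        return self.subs[msisdn].session_key


class CheckingCarrier(TrustingCarrier):
    """Same operations, but the requesting node must be the subscriber's serving network."""

    def _authorized(self, origin: str, msisdn: str) -> bool:
        return origin == self.subs[msisdn].serving_network

    def set_forwarding(self, origin, msisdn, forward_to):
        return self._authorized(origin, msisdn) and super().set_forwarding(origin, msisdn, forward_to)

    def release_session_key(self, origin, msisdn):
        if not self._authorized(origin, msisdn):
            return None
        return super().release_session_key(origin, msisdn)


def route_call(carrier: TrustingCarrier, callee: str) -> str:
    """Where an incoming call for `callee` lands: the forwarding target if one is set."""
    sub = carrier.subs[callee]
    return sub.forward_to or sub.msisdn


def forwarding_hijack(carrier, victim, attacker_number):
    """Technique 1: a rogue peer rewrites the victim's forwarding entry, after which
    every incoming call reaches the attacker first (to record, then dial onward)."""
    carrier.set_forwarding(ROGUE, victim, attacker_number)
    return route_call(carrier, victim)


def airwave_capture_and_decrypt(carrier, victim, plaintext):
    """Technique 2: record the encrypted traffic off the air now, then ask the
    carrier over SS7 for the session key and decrypt the recording afterwards."""
    recorded = toy_stream_cipher(carrier.subs[victim].session_key, plaintext)
    released = carrier.release_session_key(ROGUE, victim)
    if released is None:
        return None
    return toy_stream_cipher(released, recorded)


def demo(carrier_cls):
    """Run both techniques against one carrier and report what the attacker got."""
    carrier = carrier_cls([Subscriber(VICTIM, serving_network=HOME)])
    return {
        "call_lands_at": forwarding_hijack(carrier, VICTIM, ATTACKER),
        "recovered_text": airwave_capture_and_decrypt(carrier, VICTIM, b"meet at noon"),
    }


if __name__ == "__main__":
    print("trusting carrier:", demo(TrustingCarrier))
    print("checking carrier:", demo(CheckingCarrier))
```

Against `TrustingCarrier` the call lands at the attacker's number and the recorded text is recovered; against `CheckingCarrier` the rogue peer's requests are refused while the same requests from the serving network still succeed, which is the whole difference between "we trust each other" and checking who is asking.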

We'll learn more when the researchers present their results.

Posted on December 19, 2014 at 6:41 AM • 14 Comments

Comments

Poul-Henning Kamp • December 19, 2014 7:55 AM

I'm sorry, but this is *not* news.

SS7 has been a disaster from the day incumbent telcos invented it to talk between themselves: It never had a security model apart from "We're the good guys and we trust each other."

I can't wait until the researchers try to send malformed SS7 messages, there are tons of "undocumented" facilities for manufacturers to remote debug equipment, including full R/W/X memory access on most major telephone switches.

Joe Klein • December 19, 2014 8:22 AM

SS7 has been a problem since the late 1980s, during the development and subsequent roll out by the nation-state focused ITU-T.

"Inasmuch as SS7 was not designed with security in mind, surveillance technology within the capabilities of non-state actors can be used to track the movements of cell phone users from virtually anywhere in the world with a success rate of approximately 70%." http://www.idahostatesman.com/2014/08/26/3341664_for-sale-systems-that-can-secretly.html?rh=1

Many of these companies selling product in this space have been around for decades.

Clive Robinson • December 19, 2014 8:23 AM

@ Bruce,

As Poul-Henning Kamp above says "this is *not* news" if you have been involved with telcos or their history, or are aware of how various intel agencies finessed the standards.

The original POTS networks built on the mechanical exchange systems used "out of band signalling" that was not available on the consumer side of the exchange.

Since that time technology has moved on but the "world view" has not. So now we have Signaling System Seven (SS7) which has no security or authentication available in band on digital networks, and most telcos internally route it over IP networks which are also accessible publicly if you know how.

There are a whole load more tricks you can play, as I've indicated in the past many of these "features" have been carried forward from previous standards going back to WWII or before. Some were originally added directly at the behest of intel agencies under the cloak of either "safety" or "test" features. Others are modifications or augments of functions used to provide new services, the augments get pushed through on the basis of providing foundations for future new services. In some cases such as VM the services actually happened, but the real reason was not for "customer benefit" it was usually as a way to convert "non revenue non pickup" calls into "revenue" calls. This reason was also used to justify other "hooks" that provide benefit to intel agencies. Occasionally things work slightly differently such as the secondary service SMS, it is now no longer clear if it was a hook for a new service added to the OTA update of SIMs or the other way around. Either way it also serves a useful purpose for the sort of skullduggery we have recently seen various intel / LE agencies use.

War Geek • December 19, 2014 9:01 AM

The UUdial complex of dialup networking (legacy AOL and darn near everyone else) was 'upgraded' to do connections over SS7 over ten years ago, at least in part for CALEA compliance (supporting on the fly tapping of AOL customers). Quotes added because it wasn't really an upgrade for the end users... SS7 tunnels were flaky as hell back then.

Just one of the screw-the-customer features deployed by what became Verizon. I think Cryptome actually has the menu lists provided by telcos to governments for the $$ the telcos expect to be paid for tapping their customers that includes this type of tapping as one of the bits.

javier • December 19, 2014 9:03 AM

This is FAKE information. ALL mobile carriers using SS7 block this. Seems security researchers are releasing FAKE information to be notorious. Better learn more about GSM.

joke • December 19, 2014 10:43 AM

To be concerned with telephone call security is the problem itself. To solve the problem, you simply must realize that there is no telephone call security. To make any assumptions otherwise is dangerous.

Forever forward, if you're communicating without end-to-end encryption, expect that the data and metadata is indexed and searchable and available forever for the whole world to see.

anonymous • December 19, 2014 11:14 AM

SS7 was designed so that, no matter what flavor of switch you originated the call from, through the intermediate switches to the called party's switch, as long as they all spoke SS7 the call would route and bill correctly.

bitstrong • December 19, 2014 11:57 AM

The SS7 was the first intercontinental ballistic missile deployed by the USSR. See Jane's.

Nile • December 19, 2014 12:53 PM

"We'll learn more when the researchers present their results."

Yes, this.

You'd think that the cellphone companies' overriding design imperative - bulletproof billing - offers some assurances for general security; we're all optimists here, right?

Oh.

That'll be the sound of people whose optimism was extinguished by a cursory examination of the secure GSM stack in a handset.

Have you ever heard of a Telco sending back base station and network equipment to the supplier because it failed a security audit? I'm kinda hoping that someone will pop up here and contradict me with concrete examples of that: that would be someone well worth listening to.

And *their* reactions to the researchers' results would be quite interesting.

Richard Bartel • March 24, 2016 9:13 PM

I notified the Federal Trade Commission of this SS7 vulnerability on May 20, 1999. (transcript pp. 200-203).

See: BEFORE THE FEDERAL TRADE COMMISSION
IN RE: PAY-PER-CALL WORKSHOP.

THURSDAY, MAY 20, 1999

FEDERAL TRADE COMMISSION
600 Pennsylvania Avenue, N.W.
Room 432
Washington, D.C. 20850

FTC PARTICIPANTS:
EILEEN HARRINGTON, Moderator
ALLEN HILE, Assistant Director
MARIANNE SCHWANKE, Esq.
ADAM COHN, Esq.
CAROLE DANIELSON, Investigator
MARK HERTZENDORF, Economist
REPORTED BY:
DEBRA L. MAHEUX

For The Record, Inc.
Waldorf, Maryland
(301)870-8025

P A R T I C I P A N T S
CYNTHIA MILLER, RICK MOSES, Florida Public
Services Commission
JAMES BOLIN, Esq., AT&T
ALBERT ANGEL, Billing Reform Task Force
ANTHONY TANZI, IAN EISENBERG, Association of
Telecommunications Professionals in Higher Education
RICHARD GORDON, ERIC LEE, LARRY GOOD, Electronic
Commerce Association
KRIS LAVALLA, JOHN GOODMAN, Bell Atlantic
JEFF KRAMER, AARP
JACQUELENE MITCHELL, Coalition to Ensure
Responsible Billing
GARY PASSAN, Teleservices Industry Association
DEBORAH HAGAN, JILL SANFORD, NAAG
PETER BRENNAN, Tele-publishing, Inc.
PHILIP PERMUT, DANNY E. ADAMS, Cable & Wireless,
(W.I.) Inc.
ADELE SIMPSON, International Telemedia
Association
LORETTA GARCIA, Esq., Dow, Lohnes & Albertson
DAVID MATSON, HELEN-SCHALLENBERG-TILLHOF, Sprint
RICHARD BARTEL, Communications Venture Services
LINDA YOHE, MARK FARRELL, SBC Communications
SUSAN GRANT, National Consumers League
CHARULATA B. PAGAR, JOHN AWERDICK, Promotion
Marketing Association


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.