SS7 Phone-Switch Flaw Enabled Surveillance

Interesting:

Remember that vulnerability in the SS7 inter-carrier network that lets hackers and spies track your cellphone virtually anywhere in the world? It's worse than you might have thought. Researchers speaking to Australia's 60 Minutes have demonstrated that it's possible for anyone to intercept phone calls and text messages through that same network. So long as the attackers have access to an SS7 portal, they can forward your conversations to an online recording device and reroute the call to its intended destination. This helps anyone bent on surveillance, of course, but it also means that a well-equipped criminal could grab your verification messages (such as the kind used in two-factor authentication) and use them before you've even seen them.

I wrote about cell phone tracking based on SS7 in Data & Goliath (pp. 2-3):

The US company Verint sells cell phone tracking systems to both corporations and governments worldwide. The company's website says that it's "a global leader in Actionable Intelligence solutions for customer engagement optimization, security intelligence, and fraud, risk and compliance," with clients in "more than 10,000 organizations in over 180 countries." The UK company Cobham sells a system that allows someone to send a "blind" call to a phone--one that doesn't ring, and isn't detectable. The blind call forces the phone to transmit on a certain frequency, allowing the sender to track that phone to within one meter. The company boasts government customers in Algeria, Brunei, Ghana, Pakistan, Saudi Arabia, Singapore, and the United States. Defentek, a company mysteriously registered in Panama, sells a system that can "locate and track any phone number in the world...undetected and unknown by the network, carrier, or the target." It's not an idle boast; telecommunications researcher Tobias Engel demonstrated the same thing at a hacker conference in 2008. Criminals do the same today.

Posted on August 21, 2015 at 6:47 AM • 28 Comments

Comments

ramriotAugust 21, 2015 7:22 AM

Flaw?

I don't think so, very likely a required feature. As to who wrote the requirements doc, well we really cannot say.

remember that the SS7 signaling spec goes back to the early days of GSM and every carrier since has had to support the full spec to allow for connection of old devices. Also that there was an assumption of trust in the equipment implementing the network. What has changed is the abilities of external users.

Like any protocol with an assumption of trust, once an invader can get access to the network infrastructure all bets are off and control is lost, its actually not the owners network any more.

jpolznerAugust 21, 2015 8:10 AM

Actualy, the SS7 protocol was around since before cell phones were a thing at all. It was originally designed for out-of-band call setup/teardown between switches on the PSTN. Everything else like database services, SMS, roaming, etc.....were all "tacked on" afterward.

deLaBoetieAugust 21, 2015 8:28 AM

@jpolzner - exactly, SS7 was around before I was working in public telecoms and SS7 from 1978.

Of course, the exposure with GSM is more severe because of the SMS and location services, but the call recording aspect would work just as well with POTS.

I'd be astonished if this "feature" weren't done with at least the encouragement of the spooks if not the demand - you have to remember that the big telcos and their suppliers had, let's say, a close partnership with the security services (and of course, still do, though they're nominally private companies). If they couldn't get in through the front door of lawful intercept, they'd want to get in the back door easily.

Presuming so, it's another very good illustration - if any were needed - why backdoors are such a spectacularly bad idea.

WinterAugust 21, 2015 9:13 AM

@deLaBoetie
"Presuming so, it's another very good illustration - if any were needed - why backdoors are such a spectacularly bad idea."

Maybe a good idea to tell politicians that all their wrangling about getting "secure" cellphones is wasted effort.

They can be surveyed and tapped by anyone who can access an SS7.

Clive RobinsonAugust 21, 2015 9:46 AM

I've said this before, SS7 is directly traceable to work carried out prior to and in the 1960's by the UK's General Post Office ( GPO ) which is now British Telecom ( BT ) who were for a period of time Bruce's employer.

As the GPO they were "an organ of state" with the Post Master General being a UK Ministerial position occupied by a politician selected by the Prime Minister.

The GPO had security cleared engineers often refered to as "squirrel's" that placed telephone taps and did other secret things, for the Home Office via MI5 (domestic intel service) and many police forces, the Foreign and Commonwealth Office via MI6 (foreign intel / secret service) and for the likes of GCHQ and even very occasionaly the Diplomatic Wireless Service (DWS). Some of this got detailed in the first half of the book Spy Catcher.

The GPO was also a leading research establishment in all forms of communications, and had and as far as I can tell still have close contact with GCHQ in various places and the various spooks and other IC weenies at Hanslope Park etc.

As I've also mentioned in the past both the spooks and GCHQ had and still do have a major influence on any "standards" for communications. By the delightfull process of "finnessing" they ensure that surveillance friendly modifications happen. Usually under the guise of "Safety regulations". This goes all the way down to the wire including the odd electrical design of the POTS demarc, etc.

So the UK along with other FiveEyes nations frequently "play tag" on this sort of behaviour at international standards meetings. Once they have slipped something in --often several decades ago-- they keep it there by "compatability" argument etc. Which is one of the reasons you can remotly turn the microphone on, on digital phones even when they are still "on hook" (look through history of UK System X, European ISDN, European GSM etc).

Why people are supprised about this always makes me scratch my head, I guess we need another "Snowden" style revelation of documents etc to make people jump out of their cozy little self delusions.

Clive RobinsonAugust 21, 2015 10:06 AM

@ Winter,

Maybe a good idea to tell politicians that all their wrangling about getting "secure" cellphones is wasted effort.

It may not be if they use "end to end encryption" at the analog level, and stop the phones inbuilt microphone being used to do an "end run" around the analog encryptor.

Speaking of which anybody know what happened to that KickStarter project to build a fully external analog encryptor for POTS & Mobiles?

!_-°´°-_!August 21, 2015 10:23 AM

It's friday, so I would like to ask a question :-)

If a would be the bad guy and want to encrypt messages using book cipher, would it be wise to use one or more daily newspapers that can be bought all over the world?

One advantage (from my point of view) would be, that the content of newspapers change daily, so the cipher for the same cleartext would change from day to day, too. Another advantage would be, that some newspapers are available in allmost all countires in the world, so the receiver of my message could decrypt it easily without the need of more information than the newspapers name and without the need of digital traces.

deLaBoetieAugust 21, 2015 10:46 AM

@Clive Robinson - good summary, and indeed, we can go back a little further to the work GPO were assisting with at Bletchley Park and other places during WWII, ensuring communications links and subsequently using developments of Colossus for stored-program control switches that were the basis for digital circuit switching and SS7. The stored-programs being paper tape!

I think in the mind-numbing standards meetings, there was always the presumption that circuit-switching was ideally suited for monitoring, lawful intercept was in there from the start, and "obviously" you needed to be able to monitor call quality at any point....

fortunate hydrofoilAugust 21, 2015 11:29 AM

@ !_-°´°-_! •

Two thoughts spring to mind: you would need a system to inform your recipient of the date in which the message was written so he can use the correct cipher for decryption (i.e. purchase the correct newspaper, which may be hard to obtain after a couple of days, especially abroad) and natural language is not as secure as a random cipher.

JeffAugust 21, 2015 2:00 PM

@Clive:

odd electrical design of the POTS demarc

Can you expand on that a little?

rgaffAugust 21, 2015 3:43 PM

@st37

Downloading or browsing something online leaves TONS of digital traces of what you're doing everywhere, all around the world...

KevAugust 21, 2015 9:20 PM

@ deLaBoetie

I'm not surprised by any of this be cause telecom is a nations critical infrastructure. As much as surveillance efforts go, they are so first targets during air raids on hostile regimes, which loses radars and puts them in a no early warning position.

Thus it was critical to move from a circuit switched design to a more IP relay based standard in the backbone. This progression was easily envisioned 30-50 years ago, perhaps even earlier. Not surprised

tyrAugust 21, 2015 9:24 PM


Telco stuff was always security by obscurity which made it
a lovely target for nosey kids back in the early days.

It is a mess that grew with demand instead of being planned
out rationally. Now that it needs to be redone rationally
the extent of the mess is apparent. It is a terrible way
to run things and every gotcha moment when we realize how
bad it is should reinforce the demand to fix it. There is
no way a modern politician is going to fix any technical
problem even if they wanted to, which is doubtful.

Unless you apply Camerons solution, open it all up to all
comers and see what survives the free for all. Placing ICs
on the surveillance radar of the whole planet might make
a different world. As long as there is a separation into
them and us it won't happen for them.

toddAugust 21, 2015 9:38 PM

@ tyr

The integrity of cost is self evident in telco stuff as in aviation engineering. The two runs similarities where risks has no bounds. Where telco stuff must reach a budget trade off, aviation and other critical engineering sport less tolerance. This is not to be inferred with envisioning only in telco stuff the visions are harder to carry out. Obviously I'm not a trekky. Thus no beaming me up, Scottie.

JackedIntentionsAugust 21, 2015 11:05 PM

Jackpair considerations
1) Does the target phone device have one or more digitally controlled mic's where the break is logical not physical.
Many modern phones have multiple microphones.

2) Does the phone physically disconnect the internal speaker in addition to the mic(s).
Any speaker can also be operated as a microphone.

Then we have the rest of the "normal" concerns. Supply chain, chip tampering, potential for weak keys, random number generation, backdoors due to architecturally influenced weak algorithms, key reuse, no option to validate firmware or do a firmware update. Bet firmware is unsigned.

3) No validation open source suite, no open source download available, nada opened up publicly yet.

Promises to open it in advance of end user exploitation pre shipping are just unfulfilled intentions.

Shrug

Nick PAugust 21, 2015 11:21 PM

@ Thomas

I'm one of the funders so I get periodic updates from them. The last one was here. Essentially, going from user-voted design and PCB to manufactured device on the cheap isn't easy. There's plenty of obstacles one might face. They've run into quite a few with resulting delays. They make more progress each time, though, rather than sounding like vaporware that has nothing to show.

So, whatever date they give me I don't really buy. I haven't since the beginning. However, I'm fine so long as they keep at it, eventually make it, and sell it. I funded it so other people would have something to use immediately that people like me could later improve on once it was selling and hopefully financially sustainable. Plus, to get phone OS and hardware out of the Trusted Computing Base. Too much attack surface and complexity...

Nick PAugust 21, 2015 11:29 PM

@ Thomas, Clive

EDIT: I forgot to add that they've gone pretty far with only $44,661 worth of help from Kickstarter. That's less than the cost of one, embedded engineer in the U.S.. I'm not sure what prototyping, tooling, and so on costs are for something like this. I'd have *guessed* that it's higher than $44k. So, they're either spending their own money on top of that, doing really good with the Kickstarter money, or hardware devices are so cheap to make I need to get in the industry pronto. ;)

LitronAugust 22, 2015 10:36 AM

@Nick P:

I'm EXTREMELY suspicious about this thing, and I'm afraid that your donation has gone down the drain. I'm also quite puzzled how Bruce Schneier could appear to endorse this thing. Is he privy to more information than a mortal like could find?

A device inserted in the audio connector would essentially have to transform a speech-like signal into another speech-like signal, which would preserve the information content once it went through an unspecified codec operating at an unknown compression ratio.

These strip away as much as possible any redundancy in the signal, and the parts which the human ear wouldn't be able to perceive anyway, and then proceed to code them with as few bits they can get away with. A transformed audio signal may not play well with all that processing.

That's a very tall order for me.

Furthermore, many mobile phones systems work on the premise that speech communication is half duplex to make a better use of the spectrum.

Does this device also output a signal when the audio input is idle? This would especially create problems when calling a 2-wire landline from a mobile phone, especially on long-distance calls.

Speech scramblers have been around since the 1920s, but it was quickly realized that the transposition and/or permutations and/or inversion of a signal in the time and/or frequency domain did not result in secure communication. Only a handful of combinations wouldn't permit comprehension by a trained listener.

Germans listened in on scrambled transatlantic phone channels, on both shortwave and the one-of-a-kind 60kHz long-wave system at the outset of the WW2 hostilities, and filled reams of transcripts.

This all stopped when SIGSALY was introduced: the output of a vocoder-based digital speech encoder was encrypted using a one-time key recorded on two special phonograph records played synchronously at both ends. The terminals were literally only a couple of pounds less heavy than a sawmill, but that was what was needed to keep Churchill and Roosevelt chatting in confidence.

GSM provided at the outset special modes allowing the transparent transmission of FAX and data modem signals, but these would be more adapted to the needs of the 1980s than those of 2015, and I doubt that these are supported by a lot of models.

Merely sending a Modem carrier over a microphone is very unlikely to provide good results.

Nick PAugust 22, 2015 11:54 AM

@ Litron

I can tell you researched all kinds of things, except JackPair. Many of your questions are answered at Kickstarter page. Some relevant parts below:

"AWIT is consists of a small engineering team with high-caliber professionals in the field of distributed networking, embedded systems, peer-to-peer, mobile game, security, and online/web technologies. From the very beginning of this JackPair project, we had the debate of whether it should be a pure software, mobile app solution, or a standalone hardware product."

" After surveying the current software solutions on the market, it became clear to us that it’s just too easy to break these mobile apps, and both ends of the conversation must use smart phones for it to work. A hardware product built from scratch is the only way to have the security clearance. The current secure phones on the market costs anywhere from over six hundred to a few thousand dollars, which are out of reach for most people. The challenge is how to build a hardware solution that is affordable, easy-to-use, and compatible with most people’s existing phones at hand."

So, a team that's already built hardware and other interesting stuff decided safest bet is dedicated hardware compatible with phones people carry around. I agreed it's the smartest bet for both security and marketing given the audience. Chang had previously done the networking-related work on Tandem's NonStop system. If his team is similarly skilled, this would be a toy project to them far as the hardware design. The constraints, esp cost/size, would be the real headaches. I expected delays.

"Speech scramblers have been around since the 1920s"

The RTFA effect is strong here in that the article addressed your point:

"Is JackPair a voice scrambler?"
"No. Jackpair is not your WW-II analog scrambler..."

(Holy shit, it's like they anticipated your exact words! That's weird!)

"...which is easy to break and gives you a false sense of security. All human voice traffic between two matching JackPair devices are protected by full digital encryption through keys generated on the fly and thrown away immediately after."

The crypto, described on same page, is a protocol leveraging a one-time session key, Salsa20 encryption, a DH key exchange, and voice confirmation of codes like other encrypted phones use. Plenty of potential risk but no more than competitors. I'm sure the security community will shred and improve their code when it's published. If it's not published or they go back on word, then they've already established a model for how the next project should work. :)

"Merely sending a Modem carrier over a microphone is very unlikely to provide good results."

*That* is a legitimate concern. The vocoder's algorithm and performance has me wondering, too. Like with most investments, I really banked on the team. They're smart people that say they used established methods in a novel way to solve that problem. They also asked for a relatively small amount of money to develop the product. The individual investment was significant compared to some projects but small compared to investments in general. So, I decided to invest in it and now I must wait to see what their solution was. If it fails, I know I made a principled decision to invest in best startup at the time for phone security. If it succeeds, then we have a start on phone security that can be improved (or copied) as sales occur. I win either way. :)

LitronAugust 22, 2015 2:14 PM

@Nick P:

I glanced at the page. It tells you what they claim it ISN'T, but doesn't tell you what it IS.

The crypto mumbo-jumbo doesn't tell me anything about how the signal, ciphered or not, is transmitted from one black box to the other one.

Again:

The issue isn't the crypto, but with basic signal processing and transmission.

If it isn't a mere speech scrambler, then what is it?

Could it be: A speech coder, followed by a crypto, followed by a modulator?

At the receiving end, the operations would have to be performed in reverse.

Might work on an 2-wire landline. There were 56kb/s modem standards which approached the theoretical limit of the channel when it was connected to a digital exchange. The absolute limit imposed by the ADC was 64kb/s, but certain forms of trunks signaling robbed a bit now and then, and there was also spectral constraints on the line. The rate was achieved by a carefully designed equalizer.

This little feat could be achieved as PCM was _extremely_ simple in comparison with the codecs used in mobile phones, and you only had few variations to take care of.

But is that feasible on a mobile phone, or Skype?

A mobile phone codec transforms speech into a bit-stream with a rate between something like 2 to 13kb/s, depending on the standard and other parameters. The channels they provide are not at all transparent.

The encoder in your little black box would have to put out a comparable bit rate to achieve the same quality. It can only be lower than the the phone's own throughput, never higher.

A robust way must be found to map this signal onto something the phone coder's will accept, without as little penalty as possible, and including all the necessary handshakes, and impervious to transcoding, dropouts, and other problems. The box would have to figure by itself what bit rate is achievable on the channel, how the phone compresses the signal, what signal levels should be used, and that without any cooperation from the phone.

That's a tough requirement, to say the least.

In the present case, I really believe that we have a choice candidate for the previous post's Snake Oil Cryptography Competition.

I checked patents, there's nothing in the firm or inventor's name, except US2013080639A1, which is about software engineering and not crypto or modem design per se.

Executing the crypto outside the communication device isn't a bad idea per se. I could imagine a bluetooth headset providing this function, with the smartphone being used only for data transmission.

But not over the audio lines.

While I'm mentioning patents: there are a few SS7 firewalls out there, and the security issue was already known in the 1990s. Why aren't these widely used? If the CO equipment is crap, a competent telco operator could still secure its domain by filtering and logging all unusual traffic at its network boundaries.

ThomasAugust 22, 2015 4:30 PM

@Litron
> But is that feasible on a mobile phone, or Skype?

The voice encoder (codec2) is designed for extremely low bit-rates (down to 700 bits/second, the sort of thing you get over HF radio links):
https://en.wikipedia.org/wiki/Codec2

There is degradation, but then these heathens probably don't even use cryogenically treated audio cables...

> A robust way must be found to map this signal onto something the phone coder's will accept, ... That's a tough requirement, to say the least.

True, but with an encoder that can operate at a low-enough bit-rate it's doable.

> I checked patents, there's nothing in the firm or inventor's name, except ...

What do patents have to do with functionality or security?

I suspect this device will make it tough enough so that, if $TLA is after you, they'll resort to other means.
Shifting the "weakest link" to another part of the chain is really all you can expect from any security solution.

Nick PAugust 22, 2015 4:52 PM

@ Litron

Interesting technical points. You also found nothing to the contrary in your searches? Patent search was unnecessary as most IT types publish inventions in papers, online articles, or product docs. So, I typed encrypted over gsm voice into Google. Here was first page:

http://www.academia.edu/9281016/Secure_Data_and_Voice_Transmission_over_GSM_Voice_Channel_Applications_for_Secure_Communications

https://defcon.org/images/defcon-13/dc13-presentations/DC_13-Tanner-Smith-Lareau.pdf

http://www.koreascience.or.kr/search/articlepdf_ocean.jsp?url=http://ocean.kisti.re.kr/downfile/volume/kimics/E1ICAW/2010/v8n1/E1ICAW_2010_v8n1_64.pdf&admNo=E1ICAW_2010_v8n1_64

You might want to call bullshit on all of them while you're at it. Seems to be a trend of people pretending they can use voice channel for encrypted data.

Clive RobinsonAugust 23, 2015 10:59 AM

@ Litron (and others),

You mentioned the higher end --56K-- modems. So you should know a couple of things, firstly they may have got a peek of 56Kbps on the data side but nothing close to that on the audio side (check Shannon limit for a POTS channel). The difference was reached by data compression.

Secondly you should also know that the level of audio tones used for the modem signal exceaded the telco limits by quite a margin. To get "within the audio mask" limits, they used a whitening signal to produce a narrow band Direct Sequence Spread Spectrum signal, which spread the audio tone energy across the POTS bandwidth and thus keep it inside the telco mask.

As others have mentioned there are a whole load of codecs around for speach, some are capable of producing multibit 75baud audio suitable for use on quite dificult HF circuits, that can not actualy carry conventional audio.

However there is a trick that works quite well if you want to do it. In effect it's the reverse of the CCITT whitening technique. Pick an audio tone that is a submultiple of the systems clocking frequency and use a standard PLL to lock to it at the receiver via a suitably low frequency low pass filter to do the clock sync. You then take your digitized audio and put it through your encryption system, the output of which is sufficiently close to be an ideal whitening signal which you then use to DSSS modulate the audio tone. The resulting signal is of similar spectral charecteristics to a 56K system.

There are several otherways to do a similar trick. The one to pick usually becomes obvious when you work out the charecteristics of the channel you are going to use.

Finally, when people speak of an "anolog encryptor" they are generally speaking of the input and output charecteristics, not the nature of the actual encryption, which since WWII has almost always been digital in nature. In a similar way we talk about "block encryption" but don't often mention the mode, unless getting down to nitty gritty details.

UnkownAugust 24, 2015 1:26 PM

SS7 is the main protocol stack used for roaming and communication between networks. When it was designed, there were a handful of state owned operators. Now there are about 800 GSMA members + service provider that rent GT from operators as a wholesale business. SS7 was designed for a closed trusted system. That assumption is simply no longer true. That is all.

The attacks publicly known encompass: eavesdropping, location tracking (MSC; cellID level), SMS spoofing/interception, obtaining crypto keys, IMEI whitelisting and some fraud scenarios.

SS7 / SIGTRAN is not easily secured. Every operator can be target of an attack, but not every operator is vulnerable. IPSec (SIGTRAN) / MAPSec is not an easy answer, we talk here about ALL operators of the world, including poor countries. And you still want things to work, when you roam there.....IPSec, especially in connection with roaming hubs would also only provide hop-by-hop security.....The security web becomes quite complex to maintain and expensive to pay. Who will pay the security bill for the 5th operator in Bangladesh?

Things are not impossible, but either they are just as simple as "Switch it off" or "put on IPSec". The real challenge is Diameter....to-come-...

And please, don't mix up things with GSM air encryption, that is something completly different......

!_-°´°-_! August 25, 2015 9:57 AM

@fortunate hydrofoil

I thought of Ciphers send by Mails or SMS, so the day of receipt would be the correct day of the newspaper. I also thought of using a normal magazin because these are available for weeks.
For paranoid people I would suggest to use old newspapers or books available in libraries, because very old books aren't digital available.

@st37

Downloading a website would create a digital trail. If you leave your mobile at home and buy a newspaper with real money (=not plastic;), it would be much harder to find the correct document you reference to.


I think it's just a way for small messages and mor for private use, than for professionals.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.