Cell phone tapping and passcode theft: SS7 open to attacks like a barn door

With the help of professionals, YouTubers show how easy it is to redirect and intercept cell phone calls and text messages using the SS7 roaming technology.


(Image: oatawa/Shutterstock.com)


In a recent video, Derek Muller's science YouTube channel "Veritasium" has drawn attention to serious gaps in the mobile phone system that have been gaping for years. Together with the YouTuber Linus Sebastian (Linus Tech Tips), he demonstrates how his cell phone can be tapped and how one-time passwords for two-factor authentication sent via SMS can be stolen. Within one day, the video had received more than three million views and almost 10,000 comments.

The cause of the problem has been known for more than a decade: SS7, Signaling System No. 7, which is used in 2G and 3G networks. It handles authorization and billing when a subscriber moves between mobile networks, in particular to enable roaming. Muller did not intercept his friend's smartphone communication himself, but with the help of Berlin-based security researcher Karsten Nohl and his team.

The experts from the Chaos Computer Club (CCC) explained back in 2014 that SS7 is open to attacks like a barn door. As it has no authentication functions, anyone with access to the network can basically do whatever they want with it. For example, calls and text messages can be redirected, decrypted and intercepted. Localization and tracking are also often child's play. However, one tracking attempt at Sebastian's provider failed due to built-in firewalls.

Telephone companies developed SS7 in the 1980s because of vulnerabilities in the old signaling system, which was susceptible to phreaking, for example. This at least prevented anyone from controlling the network by sending tones over the voice line.

"SS7 is a global network, just like the internet," explains Nohl in the video. Such infrastructures require an addressing scheme that says: "This is me and this is you." With SS7, global titles (GTs) are used instead of IP addresses. To ensure global roaming coverage, network operators conclude agreements with two providers in each country. Both sides generally accept messages or commands only from GTs with which they have such cooperation agreements. But whereas in the 80s there were only a few large, reputable operators who could largely trust each other, there are now over 1200 operators and 4500 networks, many of which require SS7 access.

"Some of them sell their services on to third parties, some can be bribed, some can be hacked," reports Nohl. SS7 access can be obtained for a few thousand dollars a month. In addition to a victim's telephone number, attackers need the victim's IMSI (International Mobile Subscriber Identity) in order to appear trustworthy in the SS7 network. This is not difficult to capture, as it can be obtained via routing information, for example. Muller explains: "By tricking the network into believing that their phone is roaming, we can rewrite the number" that a victim calls "into a number that we control". As an intermediary, it is also possible to "sit on the line and record the call". The same worked for text messages, which allowed Muller to obtain a passcode for Sebastian's YouTube account and thus gain access to it.

According to Muller, there are still 2.5 million tracking attempts and millions more malicious SS7 requests every year. After the first SS7 vulnerability reports in 2014, many providers began to reject particularly dangerous GTs such as an anytime query request. According to Nohl, however, there are over 150 other comparable titles that need to be stopped for complete SS7 protection. Although the new signaling system for 5G appears to be fairly secure, it is still being used by only a few operators. There is "no global push to replace SS7 with either of the two newer versions of the technology".
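The defensive measures the article describes, a GT allowlist derived from roaming agreements, blocking of dangerous operations such as the "anytime query", and the kind of firewall that foiled the tracking attempt at Sebastian's provider, can be modelled as a small filter. The following is an added illustration, not code from the article, from Nohl's team or from any operator: the GTs, IMSI, timings and sample messages are constructed, the MAP operation names are real, and the "Category 1" grouping is a simplified reading of GSMA FS.11.

```python
from dataclasses import dataclass

# Constructed: global titles (GTs) of networks we hold roaming agreements with.
PARTNER_GTS = {"491770000001", "447700000002"}
# MAP operations with no legitimate use across the interconnect; anyTimeInterrogation
# is the "anytime query" the article cites (illustrative subset of GSMA FS.11 Category 1).
BLOCK_ALWAYS = {"anyTimeInterrogation", "sendIMSI"}
# Operations legitimate only from a partner GT (roaming and SMS delivery).
PARTNER_ONLY = {"updateLocation", "sendRoutingInfoForSM", "provideSubscriberInfo"}
# Constructed: minimum seconds before a subscriber can plausibly register from another country.
MIN_TRAVEL_SECONDS = 2 * 3600
@dataclass
class Ss7Message:
    calling_gt: str   # SCCP calling-party GT: who claims to be sending
    operation: str    # MAP operation name
    imsi: str         # subscriber the message concerns
    country: str      # country the calling GT belongs to
    time: int         # unix seconds

def filter_message(msg, last_seen, partners=PARTNER_GTS):
    """Return (allowed, reason); last_seen maps IMSI -> (country, time)."""
    if msg.operation in BLOCK_ALWAYS:
        return False, "category-1 operation blocked at interconnect"
    if msg.operation in PARTNER_ONLY and msg.calling_gt not in partners:
        return False, "no roaming agreement with calling GT"
    if msg.operation == "updateLocation" and msg.imsi in last_seen:
        country, seen_at = last_seen[msg.imsi]
        if country != msg.country and msg.time - seen_at < MIN_TRAVEL_SECONDS:
            return False, "implausible roaming: location changed too fast"
    return True, "ok"

def run_filter(messages, last_seen):
    """Apply the filter in order; accepted location updates move the
    subscriber's last-seen record. Returns the list of (allowed, reason)."""
    verdicts = []
    for m in messages:
        ok, why = filter_message(m, last_seen)
        if ok and m.operation == "updateLocation":
            last_seen[m.imsi] = (m.country, m.time)
        verdicts.append((ok, why))
    return verdicts

# Constructed sample: subscriber last registered at home (DE) at t=1000.
SAMPLE_LAST_SEEN = {"262010000000001": ("DE", 1000)}
SAMPLE = [
    Ss7Message("999000000001", "anyTimeInterrogation", "262010000000001", "XX", 1100),
    Ss7Message("999000000001", "updateLocation", "262010000000001", "XX", 1200),
    Ss7Message("447700000002", "updateLocation", "262010000000001", "GB", 1300),
    Ss7Message("447700000002", "updateLocation", "262010000000001", "GB", 1000 + 3 * 3600),
]
```

Running `run_filter(SAMPLE, dict(SAMPLE_LAST_SEEN))` blocks the first three messages and accepts the fourth; a real SS7 firewall adds many more operation categories and state checks, which is what Nohl's "over 150 other comparable titles" points at.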

Barring surprises, it could take up to 20 years before the deeply entrenched SS7 networks are "finally shut down", the expert fears. The protocol is still "the backbone of 2G and 3G communication", adds Muller. The EU emergency call system eCall, for example, is based on these mobile phone generations. Last year, researchers at Citizen Lab also warned that SS7 security vulnerabilities remained a major threat in 5G despite technical progress.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.