Re: [TSCM-L] {6660} Digest for tscm-l2006@googlegroups.com - 1 update in 1 topic


James M. Atkinson

May 15, 2016, 8:52:50 PM
to tscm-...@googlegroups.com



On 5/14/16, 8:23 AM, tscm-...@googlegroups.com wrote:
"Roger at Bugsweeps" <bugs...@earthlink.net>: May 13 09:27AM -0600

http://spectrum.ieee.org/tech-talk/telecom/security/alarming-security-defects-in-ss7-the-global-cellular-networkand-how-to-fix-them
 

 
Alarming Security Defects in SS7, the Global Cellular Network-and How to Fix
Them
 
By Amy Nordrum <http://spectrum.ieee.org/author/nordrum-amy>
 
Posted 27 Apr 2016 | 14:00 GMT
 
 
http://spectrum.ieee.org/img/RMGettyImages83121790d-1461698877157.jpg
Photo-illustration: Getty Images
 
The global network that transfers calls between mobile phone carriers has
security defects that permit hackers and governments to monitor users'
locations and eavesdrop on conversations. As more reports of these
activities surface, carriers are scrambling to protect customers from a few
specific types of attacks.
 
The network, called Signaling System 7, or SS7, is a digital signaling
protocol that mobile phone carriers including AT&T, T-Mobile, and Sprint use
to send messages to each other about who is a subscriber, where subscribers
are located, and how calls should be routed to reach them.
 
SS7 began as a closed network shared among a few major mobile phone
carriers, but grew porous as more carriers joined. Hackers and governments
can now gain access by purchasing rights from a carrier (which many are
willing to provide for the right price) or infiltrating computers that
already have permission.
 
Once they're in, hackers and government intelligence agencies have found
ways to exploit security defects to monitor users or record calls. Experts
who study SS7 have found some individuals are tracked by as many as nine
entities at once. While the average citizen isn't likely to be a target,
it's impossible for consumers to know whether or not they're being watched.
 
The problem
 
The sheer scale of SS7 means that these flaws present a massive
cybersecurity problem that could theoretically affect any mobile phone user
in the world. "Technically speaking, more people use the SS7 than use the
Internet," says Cathal McDaid
<https://www.linkedin.com/in/cathal-mc-daid-b775b23> , chief intelligence
officer at network security firm AdaptiveMobile. "It's the majority of the
world's population."
 
To inspire a solution, Karsten Nohl, a computer scientist at Security
Research Labs <https://srlabs.de/> in Berlin, has exposed several methods
through which governments and hackers could conduct surveillance and monitor
calls using SS7. He recently appeared on 60 Minutes
<http://www.cbsnews.com/news/60-minutes-hacking-your-phone/> to show that
he could hack a cellphone provided to U.S. congressman Ted Lieu using only
Lieu's phone number (Lieu agreed to participate in the demonstration). It's
a stunt Nohl had executed before, once hacking a German senator
<https://www.washingtonpost.com/news/the-switch/wp/2014/12/18/german-researchers-discover-a-flaw-that-could-let-anyone-listen-to-your-cell-calls-and-read-your-texts/>'s phone.
 
In an interview with IEEE Spectrum, Nohl describes a few ways that hackers
and governments that have gained access to SS7 can manipulate the network to
listen to calls or track users:
 
1. Impersonate a network
 
When a customer places a call, the phone company sends digital packets of
information along dedicated channels within SS7 to find the recipient. Along
the way, the company receives information from other carriers about where
the recipient is located and which cell tower the call should be routed
through.
 
To make sure incoming calls can find them, phones periodically send messages
to nearby towers identifying a user's location.
 
Hackers can hijack this process by flooding the system with their own
messages pretending to be a network that contains a specific phone. This can
cause some confusion since the original phone will continue to transmit its
actual location, but hackers can usually overcome true signals.
 
"Your phone only says 'Hi' once every six hours where we can say 'Hi' every
minute so we can dominate that ping pong game," Nohl says.
 
In this way, hackers can intercept all calls destined for a certain number
and send the calls through their computers first. Then, they can instruct
their system to connect the call to the number the caller originally dialed.
A hacker can listen in while the caller talks with the recipient, oblivious
to the third party on the line.
 
2. Intercept a forwarded call
 
Each mobile phone carrier also operates a Home Location Register, which is
the primary database of information about its subscribers. Hackers can use
this register to re-route requests or instructions placed by a particular
phone.
 
For example, when a customer sets up call forwarding to send calls directly
to voicemail, to a secretary, or to another phone, that transfer is
coordinated through the register. The customer's phone sends out digital
packets to their carrier's register that effectively say, "Mary would like
her calls to go to this new number."
 
A hacker can divert this message and insert instructions, called
supplementary service codes, to again route the call to their own computers.
Then, they can connect the call to the number that the caller intended to
reach and record the conversation, unbeknownst to anyone else on the call.
 
3. Fake out CAMEL
 
Mobile carriers rely on a protocol called CAMEL to make sure the people
using their network are real subscribers who have paid their bills. The
protocol essentially manages permissions for each registered phone number,
but comes with some built-in capabilities that are extremely convenient for
hackers.
 
One such function is that when a user dials a phone number, their phone
sends out a request, asking, "Is Mary permitted to call this number?"
Normally, a carrier might respond via the CAMEL protocol with a simple "Yes"
or "No," (or perhaps "Yes, but only for three minutes" if a user is running
low on prepaid credits).
 
However, CAMEL also allows carriers to basically say, "Yes, but the number
Mary really wants to call is XXX-XXX-XXXX." Such a function could come in
handy if, for example, a caller forgot to dial a country code.
 
But it also allows hackers to pose as a carrier by sending out their own
message that routes every phone call originating from a specific number
through their system first. Or, as Nohl says, "We can make it so that every
number you dial is us."
 
The solution
 
The growing number of attacks has captured the attention of mobile carriers
and governments around the world. McDaid of AdaptiveMobile estimates that
each day, an average-sized carrier that serves 1 to 5 million customers
might be subject to thousands of simple attacks, and a few dozen
sophisticated ones.
 
So what can carriers do to protect customers?
 
Many have already begun to install protections. AdaptiveMobile has developed
firewalls and software for 70 or 80 carriers since 2013. Nohl compares this
shift in awareness to the early days of the Internet, when companies and
consumers first realized they needed to protect computers from viruses.
 
McDaid says carriers don't have any other choice. "The network, it's really
not going to be going anywhere. It's a multi-billion dollar system that
allows mobile carriers to be mobile carriers, basically," he says. "There
really is no alternative to protecting it."
 
In some countries, regulators have compelled companies to install certain
protections, saying communications is as essential to public infrastructure
as water and power. After the 60 Minutes episode, the U.S. Federal
Communications Commission said it would study
<http://www.reuters.com/article/us-usa-cybersecurity-phones-idUSKCN0XH2MC>
SS7 design flaws and Lieu also asked the House Oversight Committee to
examine the network.
 
In addition to describing the hacks, Nohl and McDaid spoke to IEEE Spectrum
about a couple of the most popular protections implemented by mobile
carriers today:
 
1. Checking the plausibility of requests
 
One way to fend off would-be hackers is to deny requests that don't make
sense based on what a carrier knows about a particular user. This is similar
to automatic denials that many credit card companies have in place. Requests
or messages that claim a user is in Europe, for example, can be thrown out
if the user was detected just five minutes ago in the U.S. Nohl estimates
that about 39 percent of SS7 hacks could be prevented if carriers instituted
so-called plausibility checks.
 
2. Blocking "anytime interrogation"
 
Carriers can also weed out illicit requests known as "anytime
interrogations," which Nohl admits is a "very creepy name" for a "very
creepy functionality." Carriers send these requests to inquire about a
user's whereabouts, but the requests are also frequently exploited for
government surveillance.
 
Nohl says the ability to conduct an anytime interrogation was only supposed
to permit carriers to locate their customers, and never meant to be shared.
Therefore, blocking all such requests that originate outside of a carrier's
network is an easy way to prevent outside monitoring. He says installing a
firewall that denies anytime interrogations as well as a range of other
suspicious messages could prevent another 60 percent of SS7 attacks.
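
The two carrier-side protections described in the article above (plausibility checks and blocking anytime interrogations that originate outside the carrier's network), sketched as an added example that is not part of the article or the original post. The global-title prefixes, coordinates, IMSI, speed ceiling and sample messages are constructed, and treating the origin prefix of a location update as the subscriber's region is a simplifying assumption.

```python
import math

# Constructed values: our own network's global-title prefix, and a rough
# (lat, lon) for the region behind each known visited-network prefix.
HOME_PREFIX = "1202"
REGION_BY_PREFIX = {"1202": (38.9, -77.0), "4930": (52.5, 13.4)}
MAX_KMH = 1000.0  # assumed ceiling, roughly airliner speed

def km_between(a, b):
    """Great-circle (haversine) distance between two (lat, lon) points in km."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

class SignalingFilter:
    def __init__(self):
        self.last_seen = {}  # imsi -> (timestamp_s, (lat, lon)) of last accepted update

    def check(self, ts, origin_gt, op, imsi):
        """Return (allow, reason) for one inbound signaling message."""
        # Protection 2: anytime interrogation is only valid from inside our network.
        if op == "anyTimeInterrogation" and not origin_gt.startswith(HOME_PREFIX):
            return False, "ATI from outside home network"
        # Protection 1: reject location changes the subscriber could not have made.
        if op == "updateLocation":
            here = REGION_BY_PREFIX.get(origin_gt[:4])
            if here is None:
                return False, "unknown origin network"
            prev = self.last_seen.get(imsi)
            if prev:
                hours = max(ts - prev[0], 1.0) / 3600.0
                if km_between(prev[1], here) / hours > MAX_KMH:
                    return False, "implausible location change"
            self.last_seen[imsi] = (ts, here)  # rejected updates never reach here
        return True, "ok"

# Constructed sample traffic: (time_s, origin global title, operation, IMSI)
SAMPLE = [
    (0,     "12025550100", "updateLocation",       "001010000000001"),
    (300,   "49305550100", "updateLocation",       "001010000000001"),
    (400,   "49305550100", "anyTimeInterrogation", "001010000000001"),
    (500,   "12025550101", "anyTimeInterrogation", "001010000000001"),
    (36000, "49305550100", "updateLocation",       "001010000000001"),
]

def run(sample=SAMPLE):
    f = SignalingFilter()
    return [f.check(*msg) for msg in sample]
```

The second message claims a transatlantic move five minutes after a home-network sighting and is dropped; the same claim ten hours later passes because the implied speed is plausible.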