"Roger at Bugsweeps" <bugs...@earthlink.net>: May 13 09:27AM -0600
http://spectrum.ieee.org/tech-talk/telecom/security/alarming-security-defects-in-ss7-the-global-cellular-networkand-how-to-fix-them
Alarming Security Defects in SS7, the Global Cellular Network, and How to Fix Them
By Amy Nordrum <http://spectrum.ieee.org/author/nordrum-amy>
Posted 27 Apr 2016 | 14:00 GMT
Photo-illustration: Getty Images
The global network that transfers calls between mobile phone carriers has security defects that permit hackers and governments to monitor users' locations and eavesdrop on conversations. As more reports of these activities surface, carriers are scrambling to protect customers from a few specific types of attacks.

The network, called Signaling System 7, or SS7, is a digital signaling protocol that mobile phone carriers including AT&T, T-Mobile, and Sprint use to send messages to each other about who is a subscriber, where subscribers are located, and how calls should be routed to reach them.

SS7 began as a closed network shared among a few major mobile phone carriers, but grew porous as more carriers joined. Hackers and governments can now gain access by purchasing rights from a carrier (which many are willing to provide for the right price) or infiltrating computers that already have permission.

Once they're in, hackers and government intelligence agencies have found ways to exploit security defects to monitor users or record calls. Experts who study SS7 have found some individuals are tracked by as many as nine entities at once. While the average citizen isn't likely to be a target, it's impossible for consumers to know whether or not they're being watched.
The problem
The sheer scale of SS7 means that these flaws present a massive cybersecurity problem that could theoretically affect any mobile phone user in the world. "Technically speaking, more people use the SS7 than use the Internet," says Cathal McDaid <https://www.linkedin.com/in/cathal-mc-daid-b775b23>, chief intelligence officer at network security firm AdaptiveMobile. "It's the majority of the world's population."

To inspire a solution, Karsten Nohl, a computer scientist at Security Research Labs <https://srlabs.de/> in Berlin, has exposed several methods through which governments and hackers could conduct surveillance and monitor calls using SS7. He recently appeared on 60 Minutes <http://www.cbsnews.com/news/60-minutes-hacking-your-phone/> to show that he could hack a cellphone provided to U.S. congressman Ted Lieu using only Lieu's phone number (Lieu agreed to participate in the demonstration). It's a stunt Nohl had executed before, once hacking a German senator's phone <https://www.washingtonpost.com/news/the-switch/wp/2014/12/18/german-researchers-discover-a-flaw-that-could-let-anyone-listen-to-your-cell-calls-and-read-your-texts/>.

In an interview with IEEE Spectrum, Nohl describes a few ways that hackers and governments that have gained access to SS7 can manipulate the network to listen to calls or track users:
1. Impersonate a network
When a customer places a call, the phone company sends digital packets of information along dedicated channels within SS7 to find the recipient. Along the way, the company receives information from other carriers about where the recipient is located and which cell tower the call should be routed through.

To make sure incoming calls can find them, phones periodically send messages to nearby towers identifying a user's location.

Hackers can hijack this process by flooding the system with their own messages pretending to be a network that contains a specific phone. This can cause some confusion since the original phone will continue to transmit its actual location, but hackers can usually overcome true signals.

"Your phone only says 'Hi' once every six hours where we can say 'Hi' every minute so we can dominate that ping pong game," Nohl says.

In this way, hackers can intercept all calls destined for a certain number and send the calls through their computers first. Then, they can instruct their system to connect the call to the number the caller originally dialed. A hacker can listen in while the caller talks with the recipient, oblivious to the third party on the line.
2. Intercept a forwarded call
Each mobile phone carrier also operates a Home Location Register, which is the primary database of information about its subscribers. Hackers can use this register to re-route requests or instructions placed by a particular phone.

For example, when a customer sets up call forwarding to send calls directly to voicemail, to a secretary, or to another phone, that transfer is coordinated through the register. The customer's phone sends out digital packets to their carrier's register that effectively say, "Mary would like her calls to go to this new number."

A hacker can divert this message and insert instructions, called supplementary service codes, to again route the call to their own computers. Then, they can connect the call to the number that the caller intended to reach and record the conversation, unbeknownst to anyone else on the call.
3. Fake out CAMEL
Mobile carriers rely on a protocol called CAMEL to make sure the people using their network are real subscribers who have paid their bills. The protocol essentially manages permissions for each registered phone number, but comes with some built-in capabilities that are extremely convenient for hackers.

One such function is that when a user dials a phone number, their phone sends out a request, asking, "Is Mary permitted to call this number?" Normally, a carrier might respond via the CAMEL protocol with a simple "Yes" or "No" (or perhaps "Yes, but only for three minutes" if a user is running low on prepaid credits).

However, CAMEL also allows carriers to basically say, "Yes, but the number Mary really wants to call is XXX-XXX-XXXX." Such a function could come in handy if, for example, a caller forgot to dial a country code.

But it also allows hackers to pose as a carrier by sending out their own message that routes every phone call originating from a specific number through their system first. Or, as Nohl says, "We can make it so that every number you dial is us."
The solution
The growing number of attacks has captured the attention of mobile carriers and governments around the world. McDaid of AdaptiveMobile estimates that each day, an average-sized carrier that serves 1 to 5 million customers might be subject to thousands of simple attacks, and a few dozen sophisticated ones.

So what can carriers do to protect customers?

Many have already begun to install protections. AdaptiveMobile has developed firewalls and software for 70 or 80 carriers since 2013. Nohl compares this shift in awareness to the early days of the Internet, when companies and consumers first realized they needed to protect computers from viruses.

McDaid says carriers don't have any other choice. "The network, it's really not going to be going anywhere. It's a multi-billion dollar system that allows mobile carriers to be mobile carriers, basically," he says. "There really is no alternative to protecting it."

In some countries, regulators have compelled companies to install certain protections, saying communications is as essential to public infrastructure as water and power. After the 60 Minutes episode, the U.S. Federal Communications Commission said it would study <http://www.reuters.com/article/us-usa-cybersecurity-phones-idUSKCN0XH2MC> SS7 design flaws and Lieu also asked the House Oversight Committee to examine the network.

In addition to describing the hacks, Nohl and McDaid spoke to IEEE Spectrum about a couple of the most popular protections implemented by mobile carriers today:
1. Checking the plausibility of requests
One way to fend off would-be hackers is to deny requests that don't make sense based on what a carrier knows about a particular user. This is similar to automatic denials that many credit card companies have in place. Requests or messages that claim a user is in Europe, for example, can be thrown out if the user was detected just five minutes ago in the U.S. Nohl estimates that about 39 percent of SS7 hacks could be prevented if carriers instituted so-called plausibility checks.
2. Blocking "anytime interrogation"
Carriers can also weed out illicit requests known as "anytime interrogations," which Nohl admits is a "very creepy name" for a "very creepy functionality." Carriers send these requests to inquire about a user's whereabouts, but the requests are also frequently exploited for government surveillance.

Nohl says the ability to conduct an anytime interrogation was only supposed to permit carriers to locate their customers, and never meant to be shared. Therefore, blocking all such requests that originate outside of a carrier's network is an easy way to prevent outside monitoring. He says installing a firewall that denies anytime interrogations as well as a range of other suspicious messages could prevent another 60 percent of SS7 attacks.
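A defender-side sketch of the two protections described above, the plausibility check on location claims (protection 1) and rejecting anytime interrogation from outside the home network (protection 2). It is an added example, not code from the article, AdaptiveMobile, or Security Research Labs; the message fields, the network labels, the 1000 km/h threshold and the sample messages are all constructed assumptions rather than any real SS7 wire format.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta

HOME_NETWORK = "home-us"  # label for the carrier's own signaling nodes (assumed)
MAX_SPEED_KMH = 1000.0    # faster than any airliner, so the location claim is implausible (assumed threshold)

@dataclass
class SignalingMsg:
    """Constructed stand-in for one SS7 signaling message; the fields are assumptions, not a wire format."""
    op: str              # operation name, e.g. "updateLocation" or "anyTimeInterrogation"
    origin_network: str  # which network the sending node belongs to
    imsi: str            # subscriber the message concerns (constructed placeholder values below)
    ts: datetime
    lat: float = 0.0     # claimed location, only meaningful for updateLocation
    lon: float = 0.0

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points (Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def evaluate(msg, last_seen):
    """Return ('allow'|'deny', reason). last_seen maps imsi -> last accepted location message."""
    # Protection 2: anytime interrogation is only legitimate from the home network itself.
    if msg.op == "anyTimeInterrogation" and msg.origin_network != HOME_NETWORK:
        return "deny", "anytime interrogation from outside the home network"
    # Protection 1: plausibility check, deny a location claim that implies impossible travel.
    if msg.op == "updateLocation":
        prev = last_seen.get(msg.imsi)
        if prev is not None:
            hours = (msg.ts - prev.ts).total_seconds() / 3600.0
            dist = haversine_km(prev.lat, prev.lon, msg.lat, msg.lon)
            if dist > 0 and (hours <= 0 or dist / hours > MAX_SPEED_KMH):
                return "deny", f"{dist:.0f} km in {hours * 60:.0f} min is implausible"
        last_seen[msg.imsi] = msg  # only accepted claims update the known position
    return "allow", "ok"

def demo():
    """Constructed scenario: New York, then a Paris claim five minutes later, then two interrogations."""
    last_seen, t0, imsi = {}, datetime(2016, 4, 27, 14, 0), "IMSI-EXAMPLE-1"
    msgs = [
        SignalingMsg("updateLocation", "home-us", imsi, t0, 40.7128, -74.0060),
        SignalingMsg("updateLocation", "partner-fr", imsi, t0 + timedelta(minutes=5), 48.8566, 2.3522),
        SignalingMsg("anyTimeInterrogation", "partner-fr", imsi, t0 + timedelta(minutes=6)),
        SignalingMsg("anyTimeInterrogation", "home-us", imsi, t0 + timedelta(minutes=7)),
    ]
    return [evaluate(m, last_seen)[0] for m in msgs]
```

In the constructed scenario the Paris claim is refused because roughly 5800 km in five minutes exceeds the speed threshold, the foreign interrogation is refused outright, and the home network's own interrogation is still allowed.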