
topicnews · September 24, 2024

Cell phone eavesdropping and passcode theft: SS7 is as open to attacks as a barn door

In a recent video, Derek Muller’s science YouTube channel “Veritasium” has drawn attention to serious gaps in the mobile phone system that have existed for years. Together with YouTuber Linus Sebastian (Linus Tech Tips), he demonstrates how Sebastian’s cell phone can be tapped and how one-time passwords sent via SMS for two-factor authentication can be stolen. Within a day, the video received more than three million views and almost 10,000 comments.


The cause of the problem has been known for more than a decade: SS7, the Signaling System No. 7 used in 2G and 3G networks. It is used for authorization and billing when switching between mobile networks, and in particular enables roaming. Muller does not break into the communication with his friend’s smartphone himself; he does so with the help of Berlin security researcher Karsten Nohl and his team.

The experts from the Chaos Computer Club (CCC) explained back in 2014 that SS7 is as open to attacks as a barn door. Since it has no authentication functions, anyone with access to the network can basically do whatever they want with it. For example, calls and SMS can be redirected, decrypted and listened to. Locating and tracking subscribers is also often child’s play. However, a tracking attempt at Sebastian’s provider failed due to built-in firewalls.

SS7 was developed by the telephone companies in the 1980s because of weaknesses in the old signaling system, which was susceptible to phreaking, for example. This at least ruled out the possibility of someone controlling the network by sending tones over the voice line.

“SS7 is a global network, just like the Internet,” Nohl explains in the video. Such infrastructures require an addressing scheme that says: “This is me and this is you.” SS7 uses Global Titles (GTs) instead of IP addresses. To ensure global roaming coverage, network operators enter into agreements with two providers in each country. Both sides generally only accept messages or commands from GTs with which they have such agreements. But while in the 1980s there were only a few large, reputable operators who could largely trust each other, there are now over 1,200 operators and 4,500 networks, many of which require SS7 access.

“Some of them sell their services to third parties, some accept bribes, some can be hacked,” says Nohl. SS7 access can be obtained for a few thousand dollars a month. In addition to the phone number, attackers need the IMSI (International Mobile Subscriber Identity) of a victim in order to appear trustworthy in the SS7 network. This is not difficult to determine; it can be obtained, for example, via routing information. Muller explains: “By making the network believe that their phone is roaming, we can rewrite the number” that a victim calls “into a number that we control.” As an intermediary, it is also possible to “sit on the line and record the conversation.” It is similar with SMS, so Muller was able to get a passcode for Sebastian’s YouTube account and thus gain access to it.

There are still 2.5 million tracking attempts and millions more malicious SS7 requests per year, says Muller. After the first SS7 vulnerability reports in 2014, many providers began to reject particularly dangerous GTs such as an at-anytime query request. Nohl believes, however, that there are over 150 other comparable titles that need to be stopped for full SS7 protection. The new signaling system for 5G seems to be quite secure, but is still used by few operators. There is “no global push to replace SS7 with one of the two newer versions of the technology.”
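The two operator-side checks described above (accepting messages only from GTs covered by a roaming agreement, and rejecting an any-time query from outside) can be sketched as a filter. This is an added example, not code from the article or the video; the GT prefixes, the IMSI, the policy tables and the function names are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed policy data (assumptions, not real operator values):
# GT prefixes of networks with a roaming agreement, the operator's own
# prefix, and operations rejected whenever they come from another network.
PARTNER_GT_PREFIXES = {"99901": "partner-A", "99802": "partner-B"}
HOME_GT_PREFIX = "99700"
BLOCKED_FROM_OUTSIDE = {"anyTimeInterrogation"}

@dataclass(frozen=True)
class SignalingMsg:
    calling_gt: str  # Global Title the message claims to come from
    operation: str   # MAP operation name
    imsi: str        # subscriber the message refers to

def partner_for(gt):
    """Longest-prefix match of a GT against the roaming-partner table."""
    for n in range(len(gt), 0, -1):
        if gt[:n] in PARTNER_GT_PREFIXES:
            return PARTNER_GT_PREFIXES[gt[:n]]
    return None

def decide(msg):
    """Return (verdict, reason). SS7 does not authenticate the GT, so an
    'accept' means 'passes policy', not 'sender identity is proven'."""
    if msg.calling_gt.startswith(HOME_GT_PREFIX):
        return ("accept", "home network")
    if msg.operation in BLOCKED_FROM_OUTSIDE:
        return ("reject", "operation blocked for external GTs")
    partner = partner_for(msg.calling_gt)
    if partner is None:
        return ("reject", "no roaming agreement for GT")
    return ("accept", partner)

# Constructed sample traffic for one subscriber (test IMSI).
SAMPLE = [
    SignalingMsg("9990112345", "updateLocation", "001010000000001"),
    SignalingMsg("9990112345", "anyTimeInterrogation", "001010000000001"),
    SignalingMsg("9955500001", "sendRoutingInfoForSM", "001010000000001"),
    SignalingMsg("9970000042", "anyTimeInterrogation", "001010000000001"),
]

def filter_log(msgs):
    """Apply the policy to each message and keep the verdicts in order."""
    return [decide(m)[0] for m in msgs]

if __name__ == "__main__":
    for m in SAMPLE:
        print(m.calling_gt, m.operation, *decide(m))
```

The first sample message is accepted even though nothing proves who sent it, which is why a filter of this kind only narrows the exposure that the article attributes to the protocol.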

Unless there are any unexpected incidents, it could take up to 20 years for the SS7 networks, which intrude deeply on privacy, to be “finally shut down,” the expert fears. The protocol is still “the backbone of 2G and 3G communication,” Muller adds. The EU emergency call system eCall, for example, is based on these mobile phone generations. Last year, researchers at Citizen Lab also warned that SS7 security gaps in 5G remained a major threat despite technical advances.


(Mack)