Flaw allows eavesdropping and tracking of mobile phone users
German hacker Karsten Nohl has demonstrated to the crew of CBS News’ 60 Minutes program how easy it can be for well-resourced attackers to eavesdrop on the phone calls and track the current geographic position of any one user.
All the attacker needs to know about the target is his or her phone number, and have access to Signalling System No. 7 (SS7).
The vulnerability
SS7 is a set of telephony signaling protocols that are used by thousands of telecoms around the world so that their users can connect to different telecom networks, make phone calls, send text messages, etc, when traveling, and for several other purposes and services that simplify the life of both the users and the operators.
Unfortunately, some things SS7 allows can easily be taken advantage of by attackers. For example, it allows telecoms to “ask” the user’s phone to share its location. It also allows the telecom to route calls and messages through a proxy server with the caller/sender and the party on the receiving end being none the wiser, record calls, and decrypt them (if they are encrypted).
These capabilities are exactly those that Nohl took advantage of in order to demonstrate his capability to follow US congressman Ted Lieu’s location and eavesdrop on his calls (the congressman agreed to be part of the test).
Granted, Nohl had apparently been given access to an operator’s network, and that might not be easy to achieve if you’re a lowly, random hacker. On the other hand, state-sponsored hackers, intelligence agencies, and even some well-heeled criminal gangs could find a way to do it, either through social engineering tricks, bribery, or by simply using secret court orders.
This particular flaw in the SS7 has been discovered and publicly revealed by Nohl and researcher Tobias Engel in 2014. Even before that, it was widely known that dozens of countries have bought or leased surveillance technology that allowed them to take advantage of this flaw to track people.
SS7 is still widely in use even though many mobile carriers are apparently already switching to an alternative protocol (Diameter). But it will take years for the switch to become total.
What others think of it?
John Marinho, VP of cybersecurity and technology at CTIA – The Wireless Association, an international industry trade group that represents the interests of wireless telecommunications companies, dismissed the risk.
“While we are aware of the research hackers’ manipulation to exploit SS7 technology in the international wireless networks, it’s important to note that they were given extraordinary access to a German operator’s network,” he told The Register.
“That is the equivalent of giving a thief the keys to your house; that is not representative of how US wireless operators secure and protect their networks. We continue to maintain security as a top industry priority.”
But unfortunately, attackers don’t read such statements and say: “Oh, OK then, we won’t even try, there’s no way we’ll get in.” Also, they know – as does all of the infosec industry – that every system can be hacked into and it’s just a matter of enough time, resources, and effort.
Lookout founder John Hering, who has also been asked to contribute to the program and who, along with other hackers and security experts showed how easy it is generally to hack mobile phones and collent information from them, said that the average person does not have to worry about most of these attacks.
Still, he noted that their goal was to show what’s possible, so that people can understand that if we don’t address security issues, we’ll live in a world where we cannot trust the technology that we use.
The US congressman was appropriately horrified by the result of the demonstration, and expressed his opinion that anyone in the US intelligence agencies who knew about the flaw and let it remain secret so that they could use it should be fired. He also called for a congressional investigation into the flaw and its ramifications, as well as who in government knew about it.