Phones are a very core part of our everyday lives, but most people believe they are more secure than they actually are. Using SS7 I would like to prove to you that your phone may actually be listening to you.
What is SS7 and how does it work?
Signalling System No. 7 (SS7) is a set of protocols developed in the 1970s that is used to set up and tear down telephone calls on most parts of the global public switched telephone network (PSTN).
“The protocol also performs number translation, local number portability, prepaid billing, Short Message Service (SMS), and other services.”[1]
Every time we make a call or send an SMS message, or anything related to 2G/3G or even 4G; it all goes through SS7. A signal with your information as well as the action you want to take is sent to a network access point, called Global Title (GT).
All of this sounds normal so far. Obviously we need a way to differentiate features, we don’t want our phone to make a call when we want to send a message or contact the wrong number. The issue is the way this system is implemented and the lack of security.
What are the issues and how is it not secure?
The problem lies with the GTs. The way the system was intended is that we would have a couple of GTs that were authorized and trusted to deal with SS7. When someone makes a request, it would go to a GT and the GT would connect the call or text etc. The issue however happened over time, as we started adding more and more GTs..
If you see where I’m going with this, that’s because this problem is very similar to the issue with CAs. We started off with a couple of reputable CA’s and over time bad actors emerged.
Because these systems were not built with security in mind, GTs and CAs are trusted, so getting access to one is like getting access to all.
If you can gain access to a GT, you can make an Anytime Interrogation Request which would allow you to locate anyone if you had their IMSI. The International Mobile Subscriber Identity is a 15 digit number stored on your sim card. This request was widely used by hackers until Karsten Nohl [2], and Tobias Engel [3], exposed this vulnerability in 2014. Telecommunications providers soon after started refusing these AIR requests.
You can also do all of this with just a phone number if you can query a GT for the IMSI directly.
“The hackers demonstrating the attack in 2014, and again for 60 Minutes, explained that it is an “open secret” that law enforcement and security services, including the US National Security Agency, were aware of and use it to spy on targets using just their phone number.” [4]
Accessing a trusted GT isn’t even that hard. Global Title Leasing is a practice where service providers lease access to Global titles and Hosts to businesses.
“The desire to monetize one’s network is legitimate. Some early use cases revolved around value added services such as enabling new mobile operators to rapidly expand their roaming footprint. However, other use cases were a lot more problematic. For these problematic use cases, was appropriate due diligence and a full security review ever conducted? Whatever the case, Operators provided third parties access to their GT assets, and by extension to the SS7 network, usually without the ability to control or supervise the third parties’ activities. All of this was done without the agreement of their roaming partners whose networks were being remotely accessed. This meant that unknown and untrusted parties were able to access some sensitive subscriber information held by mobile operators.”[5]
Another flaw in the system is roaming.
“When travelling internationally, your phone is essentially a guest on another network. Global titles allow networks worldwide to identify you and route calls, SMS, and data services as if you were still within your home network.”[6]
This makes sense, when you are roaming your network needs to be able to provide your information(IMSI) to the GT closest to you so that you can use your phone. The problem is that hackers can use this fact to reroute your call to their own phone. They can even do this with SMS. This should technically not be an issue once you connect back to your network, and they figure out that you are not in Moscow, but all they need is seconds to be able to copy a 2FA code.
“Everyone’s accounts protected by text-based two-factor authentication, such as bank accounts, are potentially at risk until the FCC and telecom industry fix the devastating SS7 security flaw. Both the FCC and telecom industry have been aware that hackers can acquire our text messages and phone conversations just knowing our cell phone number. It is unacceptable the FCC and telecom industry have not acted sooner to protect our privacy and financial security. I urge the Republican-controlled Congress to hold immediate hearings on this issue.” Congressman Ted Lieu [7]
OK.. it’s time to come clean.. Your phone isn’t actually listening to you, but someone else might be. All a hacker would need to do is re-route your calls to their phone, start recording and then reroute it back to you, and they would hear everything and you wouldn’t be able to tell the difference. They would know your dog’s name, your favorite restaurant and even the answer to your security questions from when you called your bank.
If it’s so bad.. Why are we still using it?
Here is where I tell you that we already have a solution. The latest version of SS7 that works with 5G is by all accounts pretty secure. The only issue is the first mover disadvantage. Way too many things use 4G, 3G, and sometimes even 2G. Emergency response systems for example. Even the latest smartphones; how many times have you noticed your phone switch to 4G because the connection is bad or there are too many people in one area.
The solution is simple, we just need to use 5G, it’s just this will take a while.
If we look at 3G as an example of what we might expect, it took over two decades from its commercial launch in 2001 to the beginning of its phase-out in the US in 2022. If 4G has as good a run as 3G did, then we won’t have to worry about the 4G phase-out until close to the year 2030.[8]
What can we do right now?
The biggest step we can take is to use authenticator Apps or hardware tokens for 2FA. This means the hacker would have to steal your phone to get any one time codes. We can also use encryption based internet calling services like Signal or WhatsApp. This makes it so no one can listen to your calls or redirect you messages. If you choose not to take any of these steps, then all you can do is hope you are not a part of the next SS7 attack.
References
- https://en.wikipedia.org/wiki/Signalling_System_No._7#:~:text=In%20contrast%2C%20SS7%20uses%20common,both%20signaling%20and%20channel%20usage
- https://www.youtube.com/watch?v=nRdJ0vaQt0o&list=PLozs3s3_h1-bq1uQ0feSaXk4e4-dZh0jh&index=11&ab_channel=media.ccc.de
- https://www.youtube.com/watch?v=-wu_pO5Z7Pk&list=PLozs3s3_h1-bq1uQ0feSaXk4e4-dZh0jh&index=7&ab_channel=media.ccc.de
- https://www.theguardian.com/technology/2016/apr/19/ss7-hack-us-congressman-calls-texts-location-snooping
- https://www.gsma.com/solutions-and-impact/technologies/security/latest-news/fighting-back-against-the-abuse-of-global-title-leasing/
- https://www.infobip.com/glossary/global-title#what-is-global-title-leasing
- https://lieu.house.gov/media-center/press-releases/rep-lieu-statement-hackers-draining-bank-accounts-ss7-flaw?ref=blogapp.bitdefender.com
- https://www.highspeedinternet.com/resources/is-4g-dead#:~:text=If%20we%20look%20at%203G,close%20to%20the%20year%202030.
- https://www.lighthousereports.com/investigation/ghost-in-the-network/
- https://www.cbsnews.com/news/60-minutes-hacking-your-phone/
- https://en.wikipedia.org/wiki/SMS
- https://en.wikipedia.org/wiki/SIM_card
- https://www.techtarget.com/searchnetworking/definition/Signaling-System-7#:~:text=While%20Global%20System%20for%20Mobile,and%20can%20be%20easily%20read
I think this is one of the most talking topic of recent time which is “Can our phone listen to us?”. I guess the demonstration you have brought up can enlighten many of our thought about it. However, I think there is a very little space between the good and bad uses of SSL and GTs. Sometimes that is for our safety and sometime hackers can also use it for bad purpose. But the shocking thing is vulnerability of those systems which resolve only a decade ago. I think the communication sector should be serious about it and the normal people should have the idea about those features that installed on their smartphone. Because I think, everyone has the right to know it.
Great work Abdul! Your explanation on the vulnerability of Anytime Interrogation Requests shows that there is a clear case for concern on this issue. Considering how easy a feature meant for proper network operations might be misused for spying purposes is quite alarming. The fact that state actors were aware of this vulnerability and may have used it before it was made public raises serious concerns regarding the ethics of vulnerability disclosure and the obligations of individuals who are aware of such defects.
I understand the urgent need to transition to more secure technologies like 5G is compelling and completely inevitable. However, this also presents an issue with the cost and compatibility especially in critical systems like emergency services as you rightly stated. I believe the International Telecommunication Union (ITU) and all responsible parties need to devise a more innovative solution to bridge this transitional period and ensure security for all users is paramount. Also, just like 2G, 3G, and 4G attackers will never stop exploiting the vulnerabilities with SS7 protocols, hence the importance of continuous security assessments and updates to adapt the emerging threats. The ITU has shared some useful tips on how to detect and avoid common SS7 protocol attacks as well as some several other information on https://www.itu.int/en/ITU-T/extcoop/figisymposium/Documents/Technical%20report%20on%20SS7%20vulnerabilities%20and%20mitigation%20measures%20for%20Digital%20Financial%20Services%20transactions.pdf
Very interesting post, Abdul! Your post provides some reassurance that our phones are not actively listening to us. I found your point on 3G, 4G, and 5G quite interesting as I was unaware of the greater security provided by 5G compared to 3 and 4G. Now, I will keep an eye out to ensure I am using 5G as opposed to 3 or 4G. As you say, at the end of the day, the most secure way to ensure we don’t get hacked is 2FA and the usage of encrypted apps such as WhatsApp and Signal.
Hello Abdul, I really enjoyed reading your discussion post. I was able to understand a wide range of things I was previously unaware of. The first thing that caught my eye was the inherent lack of security for the SS7. Although it is an outdated protocol that was implemented to manage phone communications, because it is still used in some 2g, 3g, and 4g networks, it is highly susceptible to attacks. Additionally, the vulnerabilities of Global Titles definitely pose a considerable risk, as you mentioned, if hackers gain access to GT and request information of users, there is no method to restrict this access as hackers would be able to track locations, reroute calls and intercept sms messages due to their access of GT. Furthermore, when you mentioned the aspect of government awareness of this known vulnerability, it was very concerning since SS7 is still used predominantly in many functions, and law enforcement agencies and intelligence services have the ability to access the weakness. Lastly, with the promising future that 5G has, especially in terms of being a solution to this vulnerability, the only issue is the transition period from the legacy systems.
Awesome post Abdul! Really interesting learning about how insecure phone calls and SMS is. It’s also wild that there’s little oversight and push to harden up these global titles. This is likely because like you mention the NSA and law enforcement also take advantage of this lack of security to help spy and caught criminals. So, they have no real incentive to crack down on this badly managed service. This idea though of your phone might be listening to you is something I always think of. I never like turning on the voice commands on Siri and other phone assistants and why I don’t like having the smart home assistant devices too. Even though I know they aren’t supposing to be listening and collecting data, I can help but be paranoid about it with how some companies in the past have misused data for profit.