{"id":680,"date":"2024-10-03T09:35:30","date_gmt":"2024-10-03T15:35:30","guid":{"rendered":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/?p=680"},"modified":"2024-10-03T09:42:32","modified_gmt":"2024-10-03T15:42:32","slug":"is-your-phone-listening","status":"publish","type":"post","link":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/2024\/10\/03\/is-your-phone-listening\/","title":{"rendered":"IS YOUR PHONE LISTENING?"},"content":{"rendered":"\n
Phones are a very core part of our everyday lives, but most people believe they are more secure than they actually are. Using SS7 I would like to prove to you that your phone may actually be listening to you.<\/p>\n\n\n\n
What is SS7 and how does it work?<\/strong><\/p>\n\n\n\n
Signalling System No. 7 (SS7) is a set of protocols developed in the 1970s that is used to set up and tear down telephone calls on most parts of the global public switched telephone network (PSTN).<\/p>\n\n\n\n
\n
\u201cThe protocol also performs number translation, local number portability, prepaid billing, Short Message Service (SMS), and other services.\u201d[1]<\/p>\n<\/blockquote>\n\n\n\n
\n
Every time we make a call or send an SMS message, or anything related to 2G\/3G or even 4G; it all goes through SS7. A signal with your information as well as the action you want to take is sent to a network access point, called Global Title (GT).<\/p>\n<\/div>\n\n\n\n
\n
All of this sounds normal so far. Obviously we need a way to differentiate features, we don’t want our phone to make a call when we want to send a message or contact the wrong number. The issue is the way this system is implemented and the lack of security.<\/p>\n<\/div>\n\n\n\n
What are the issues and how is it not secure?<\/strong><\/p>\n\n\n\n
The problem lies with the GTs. The way the system was intended is that we would have a couple of GTs that were authorized and trusted to deal with SS7. When someone makes a request, it would go to a GT and the GT would connect the call or text etc. The issue however happened over time, as we started adding more and more GTs..<\/p>\n\n\n\n
If you see where I’m going with this, that’s because this problem is very similar to the issue with CAs. We started off with a couple of reputable CA\u2019s and over time bad actors emerged.<\/p>\n\n\n\n
Because these systems were not built with security in mind, GTs and CAs are trusted, so getting access to one is like getting access to all.<\/p>\n\n\n\nDesigned by Freepik<\/figcaption><\/figure>\n\n\n\n
If you can gain access to a GT, you can make an Anytime Interrogation Request<\/strong> which would allow you to locate anyone if you had their IMSI. The International Mobile Subscriber Identity is a 15 digit number stored on your sim card. This request was widely used by hackers until Karsten Nohl [2], and Tobias Engel [3], exposed this vulnerability in 2014. Telecommunications providers soon after started refusing these AIR requests.<\/p>\n\n\n\n
You can also do all of this with just a phone number if you can query a GT for the IMSI directly.<\/p>\n\n\n\n
\n
\n
\u201cThe hackers demonstrating the attack in 2014, and again for 60 Minutes, explained that it is an \u201copen secret\u201d that law enforcement and security services, including the US National Security Agency, were aware of and use it to spy on targets using just their phone number.\u201d [4]<\/p>\n<\/blockquote>\n\n\n\nCBS News<\/figcaption><\/figure>\n<\/div>\n\n\n\n
Accessing a trusted GT isn’t even that hard. Global Title Leasing is a practice where service providers lease access to Global titles and Hosts to businesses.<\/p>\n\n\n\n
\n
\u201cThe desire to monetize one\u2019s network is legitimate. Some early use cases revolved around value added services such as enabling new mobile operators to rapidly expand their roaming footprint. However, other use cases were a lot more problematic. For these problematic use cases, was appropriate due diligence and a full security review ever conducted? Whatever the case, Operators provided third parties access to their GT assets, and by extension to the SS7 network, usually without the ability to control or supervise the third parties\u2019 activities. All of this was done without the agreement of their roaming partners whose networks were being remotely accessed. This meant that unknown and untrusted parties were able to access some sensitive subscriber information held by mobile operators.\u201d[5]<\/p>\n<\/blockquote>\n\n\n\n
Another flaw in the system is roaming.<\/p>\n\n\n\nDesigned by Freepik<\/figcaption><\/figure>\n\n\n\n
\n
\n
“When travelling internationally, your phone is essentially a guest on another network. Global titles allow networks worldwide to identify you and route calls, SMS, and data services as if you were still within your home network.”[6]<\/p>\n<\/blockquote>\n<\/div>\n\n\n\n
This makes sense, when you are roaming your network needs to be able to provide your information(IMSI) to the GT closest to you so that you can use your phone. The problem is that hackers can use this fact to reroute your call to their own phone. They can even do this with SMS. This should technically not be an issue once you connect back to your network, and they figure out that you are not in Moscow, but all they need is seconds to be able to copy a 2FA code.<\/p>\n\n\n\n
\n
“Everyone’s accounts protected by text-based two-factor authentication, such as bank accounts, are potentially at risk until the FCC and telecom industry fix the devastating SS7 security flaw. Both the FCC and telecom industry have been aware that hackers can acquire our text messages and phone conversations just knowing our cell phone number. It is unacceptable the FCC and telecom industry have not acted sooner to protect our privacy and financial security. I urge the Republican-controlled Congress to hold immediate hearings on this issue.” Congressman Ted Lieu [7]<\/p>\n<\/blockquote>\n\n\n\nDesigned by Freepik<\/figcaption><\/figure>\n\n\n\n
OK.. it’s time to come clean.. Your phone isn’t actually listening to you, but someone else might be. All a hacker would need to do is re-route your calls to their phone, start recording and then reroute it back to you, and they would hear everything and you wouldn’t be able to tell the difference. They would know your dog’s name, your favorite restaurant and even the answer to your security questions from when you called your bank.<\/p>\n\n\n\n
If it’s so bad.. Why are we still using it?<\/strong><\/p>\n\n\n\n
Here is where I tell you that we already have a solution. The latest version of SS7 that works with 5G is by all accounts pretty secure. The only issue is the first mover disadvantage. Way too many things use 4G, 3G, and sometimes even 2G. Emergency response systems for example. Even the latest smartphones; how many times have you noticed your phone switch to 4G because the connection is bad or there are too many people in one area. <\/p>\n\n\n\n
The solution is simple, we just need to use 5G, it’s just this will take a while.<\/p>\n\n\n\n
\n
If we look at 3G as an example of what we might expect, it took over two decades from its commercial launch in 2001 to the beginning of its phase-out in the US in 2022. If 4G has as good a run as 3G did, then we won\u2019t have to worry about the 4G phase-out until close to the year 2030.[8]<\/p>\n<\/blockquote>\n\n\n\n
What can we do right now?<\/strong><\/p>\n\n\n\n
The biggest step we can take is to use authenticator Apps or hardware tokens for 2FA. This means the hacker would have to steal your phone to get any one time codes. We can also use encryption based internet calling services like Signal or WhatsApp. This makes it so no one can listen to your calls or redirect you messages. If you choose not to take any of these steps, then all you can do is hope you are not a part of the next SS7 attack.<\/p>\n\n\n\n
![\"location](\"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2024\/10\/location-1024x771.png\")
![\"Sharyn](\"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2024\/10\/congresshacker.jpg\")
![\"roaming\"](\"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2024\/10\/roaming-1024x771.png\")
![\"hacker\"](\"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2024\/10\/hackermans-1024x683.jpg\")