Cellular Privacy, SS7 Security Shattered at 31C3

Researchers Tobias Engel and Karsten Nohl demonstrated serious vulnerabilities in the SS7 protocol for cellular service, putting the privacy of phone calls and users’ location data at risk of interception.

The recently concluded Chaos Communications Congress (31c3) in Hamburg, Germany was an all-out assault on cellular call privacy and security. Of particular interest was the SS7 protocol used to route calls between switching centers.

Researchers, working in parallel as it turns out, found gaping holes in the protocol that allow an attacker to sit in a man-in-the-middle position and reroute calls and SMS messages, or carry out denial-of-service attacks. More worrying for physical safety is the ability to learn a person’s location and track them.

The bugs are a spy’s dream, and Tobias Engel said he is aware of one real-world attack, carried out from a Russian SS7 network against targets in Ukraine and discovered by a telecommunications operator in that country.

Engel, founder of Sternraute, a Berlin-based service provider specializing in privacy, said that an attacker would need only to know his target’s phone number in order to track their location or spy on their calls. The maligned SS7 protocol was designed in the 1980s, long before mainstream cellular use, and security and privacy shortcomings have not kept up with the times, Engel said. Services built on top of SS7 to enable mobile communication, MAP and CAMEL, operate without authentication, Engel said, leaving the door wide open for abuse.

Karsten Nohl, of SR Labs in Germany, also spoke at 31c3 and tore into SS7, demonstrating that attacks can be carried out over 3G networks as well in order to record voice and SMS communication. He released a tool for Android devices called SnoopSnitch that detects IMSI catchers and other attacks over SS7.

“I think it’s really scary. You don’t have to know somebody, you just have to know his phone number and you can track him from the other side of the world. You don’t have to be near him, you just need SS7 access,” Engel said, pointing out that such access can be purchased from telecom and network operators. There are also vendors, he said, selling products that exploit SS7. “Companies offering these services are saying they are only offering them to law enforcement and government agencies. I don’t know about you but there are many countries in the world whose governments I wouldn’t trust with this functionality.”

Governments have been known not only to monitor call activity of citizens and high-value industrial or government targets, but also track the location of activists and dissidents in oppressed parts of the world. Engel’s SS7 presentation included a demonstration of tracking he did of a volunteer, mapping out their journey from Seattle, to their home in the Netherlands and eventually to Hamburg and 31c3.

https://www.youtube.com/watch?v=lQ0I5tl0YLY

Engel’s attack takes advantage of the Home Location Register (HLR), a database containing subscriber data including their phone number. The HLR, he said, knows which mobile switching center, or visitor location register (VLR), is closest to the subscriber in order to deliver calls and SMS messages. An attacker can send a Mobile Application Part (MAP) anyTimeInterrogation request to the HLR to learn the subscriber’s cell ID; the HLR queries the right switching center and returns the information to the attacker, Engel said. European networks block ATI requests for the most part, but that won’t deter an attacker, who instead can just query the mobile switching center directly to learn the cell ID and IMSI number. Most switching centers accept requests from anywhere and no plausibility checks are done, Engel said.

https://www.youtube.com/watch?v=GeCkO0fWWqc

Engel brought the problem to the attention of a number of German operators, he said. The operators looked at their traffic and saw that a lot of it carried people’s geo-positions. After filtering out the ability to learn the IMSI and switching center location, attack traffic dropped 80 percent, Engel said. The remaining traffic was either from misconfigured networks or unknown traffic that he said consisted of requests by state actors or other network operators. Some attacks persist because an attacker can learn the IMSI from other sources, or brute-force a number range from the switching center.
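The two operator-side controls described above, blocking location-interrogation MAP operations that arrive over the interconnect and adding plausibility checks that switching centers currently lack, can be sketched as a small filter. The following is an added example, not code from the article or from the researchers: the message records, global titles, country mapping and travel-time threshold are all constructed, and treating the "direct query of the switching center" as the MAP provideSubscriberInfo operation is this example's assumption, not something the article states.

```python
"""Added example: a toy SS7 interconnect filter in the spirit of the filtering
Engel describes German operators adding. Nothing here is a real network's
configuration; all global titles, IMSIs and thresholds are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# MAP operations that only nodes inside the home network should ever send to the
# HLR or VLR. anyTimeInterrogation is the one the article names; modelling the
# direct "ping" of the switching center as provideSubscriberInfo is an assumption.
HOME_ONLY_OPERATIONS = {"anyTimeInterrogation", "provideSubscriberInfo"}

HOME_GT_PREFIX = "4915"                                         # constructed: our own global-title range
GT_COUNTRY = {"4915": "DE", "380": "UA", "7": "RU", "1": "US"}  # constructed prefix-to-country table
MIN_TRAVEL_TIME = timedelta(hours=2)                            # constructed plausibility threshold


@dataclass
class MapMessage:
    ts: datetime
    origin_gt: str     # SCCP calling-party global title of the sender
    operation: str     # MAP operation name
    imsi: str


@dataclass
class SubscriberState:
    country: str       # country of the VLR the subscriber last registered at
    last_update: datetime


def gt_country(gt: str) -> str:
    """Map a global title to a country via longest-prefix match."""
    for prefix in sorted(GT_COUNTRY, key=len, reverse=True):
        if gt.startswith(prefix):
            return GT_COUNTRY[prefix]
    return "unknown"


def decide(msg: MapMessage, state: Dict[str, SubscriberState]) -> str:
    """Return 'allow' or 'block:<reason>'; records accepted location updates in state."""
    if msg.origin_gt.startswith(HOME_GT_PREFIX):
        return "allow"                       # internal signalling is outside this filter's scope
    if msg.operation in HOME_ONLY_OPERATIONS:
        return "block:home-only-operation-from-interconnect"
    if msg.operation == "updateLocation":
        sender = gt_country(msg.origin_gt)
        prev = state.get(msg.imsi)
        # Plausibility check: a subscriber cannot register in a new country
        # minutes after registering in another one.
        if prev and prev.country != sender and msg.ts - prev.last_update < MIN_TRAVEL_TIME:
            return "block:implausible-travel"
        state[msg.imsi] = SubscriberState(sender, msg.ts)
    return "allow"


def run_filter(messages: List[MapMessage]) -> Tuple[List[str], float]:
    """Apply the rules in order; return per-message verdicts and the share of
    interconnect (non-home) traffic that was blocked."""
    state: Dict[str, SubscriberState] = {}
    verdicts = [decide(m, state) for m in messages]
    external = [v for m, v in zip(messages, verdicts)
                if not m.origin_gt.startswith(HOME_GT_PREFIX)]
    blocked = sum(v != "allow" for v in external)
    share = (blocked / len(external)) if external else 0.0
    return verdicts, share


# Constructed sample traffic against one (made-up) subscriber.
T0 = datetime(2014, 12, 28, 10, 0)
SAMPLE = [
    MapMessage(T0, "491511", "anyTimeInterrogation", "262011234567890"),              # internal node: fine
    MapMessage(T0, "3801234", "anyTimeInterrogation", "262011234567890"),             # ATI from abroad
    MapMessage(T0, "3801234", "provideSubscriberInfo", "262011234567890"),            # VLR query from abroad
    MapMessage(T0, "3801234", "updateLocation", "262011234567890"),                   # genuine roaming in UA
    MapMessage(T0 + timedelta(minutes=5), "79001", "updateLocation", "262011234567890"),      # UA -> RU in 5 min
    MapMessage(T0 + timedelta(hours=6), "12125", "sendRoutingInfoForSM", "262011234567890"),  # SMS delivery lookup
]

if __name__ == "__main__":
    results, blocked_share = run_filter(SAMPLE)
    for m, v in zip(SAMPLE, results):
        print(f"{m.ts:%H:%M} {m.origin_gt:>8} {m.operation:<22} {v}")
    print(f"blocked {blocked_share:.0%} of interconnect traffic")
```

The filter deliberately lets sendRoutingInfoForSM through, because SMS delivery from any network legitimately needs it; that is one of the "other sources" for an IMSI the article mentions, and closing it takes a different control (routing all inbound SMS lookups through a home node that hands out a placeholder instead of the real IMSI and VLR address) rather than a blocklist.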

Engel also demonstrated how an attacker could abuse the CAMEL protocol to overwrite switching center data belonging to the subscriber with the attacker’s GSM address without the subscriber’s knowledge. When the subscriber makes a call, he said, the switching center would instead contact the attacker’s ID. The attacker could record traffic, learning what numbers are dialed, and bridge calls, sitting in the middle and recording content, Engel said.

“Everybody who has a phone in his pocket indirectly uses SS7,” Engel said. “Every movement can be tracked and every call can be intercepted.”


Discussion

  • qq on

    This was published by Positive Technologies and P1 in 2013/early 2014: http://blog.ptsecurity.com/2014/08/cell-phone-tapping-how-it-is-done-and.html http://blog.ptsecurity.com/2014/04/search-and-neutralize-how-to-determine.html PS. Ukrainian telecom? Which one? MTS? Beeline? Kyevstar? Ukrainian?
    • Ben on

      It's MTS Ukraine, although maybe others; details are here: http://www.adaptivemobile.com/blog/russia-ukraine-telecom-monitoring
      • qq on

        And now, the news! http://www.youtube.com/watch?v=ZhSFV_M1Hv8 MTS (Ukraine) is a Russian company and can use different routes for IP/SS7 traffic optimisation without any spy story.
        • Ben on

          Good song! But to clarify the news: did you not read the article or understand Signaling System 7? MTS Ukraine is owned by MTS Russia, but their HLR database is in Ukrainian territory, so to do the things mentioned needs "external interference" by SS7. Also, as the link says, all Ukrainian telecoms are affected, not MTS only.
          • qq on

            Which others? Beeline and Kyevstar? Both are VimpelCom brands. Why, as a provider (if it is not prohibited by local personal data protection law), can't I move part of my capacity to another HLR to optimise routing? Please check the SS7Map talk from 31C3 for examples.
  • javier falbo on

    This was published in May 2014: http://www.slideshare.net/phdays/phd4-pres-callinterception119 At least, please include the credits for where you have taken that information from. There is NO mention in the CCC talk of the real authors. Only Tobias Engel mentions them. Karsten Nohl uses PLAGIARISM of the real authors. Cheaters. Authors: Sergey Puzankov and Dmitry Kurbatov
