German researchers have discovered security flaws that could let hackers, spies and criminals listen to private phone calls and intercept text messages on a potentially massive scale – even when cellular networks are using the most advanced encryption now available.

The flaws, to be reported at a hacker conference in Hamburg this month, are the latest evidence of widespread insecurity on SS7, the global network that allows the world's cellular carriers to route calls, texts and other services to each other. Experts say it's increasingly clear that SS7, first designed in the 1980s, is riddled with serious vulnerabilities that undermine the privacy of the world's billions of cellular customers.

The flaws discovered by the German researchers are actually functions built into SS7 for other purposes – such as keeping calls connected as users speed down highways, switching from cell tower to cell tower – that hackers can repurpose for surveillance because of the lax security on the network. Those skilled at the myriad functions built into SS7 can locate callers anywhere in the world, listen to calls as they happen or record hundreds of encrypted calls and texts at a time for later decryption. There also is potential to defraud users and cellular carriers by using SS7 functions, the researchers say.

These vulnerabilities continue to exist even as cellular carriers invest billions of dollars to upgrade to advanced 3G technology aimed, in part, at securing communications against unauthorized eavesdropping. But even as individual carriers harden their systems, they still must communicate with each other over SS7, leaving them open to any of thousands of companies worldwide with access to the network. That means that a single carrier in Congo or Kazakhstan, for
example, could be used to hack into cellular networks in the United States, Europe or anywhere else.

"It's like you secure the front door of the house, but the back door is wide open," said Tobias Engel, one of the German researchers.

Engel, founder of Sternraute, and Karsten Nohl, chief scientist for Security Research Labs, separately discovered these security weaknesses as they studied SS7 networks in recent months, after The Washington Post reported the widespread marketing of surveillance systems that use SS7 networks to locate callers anywhere in the world. The Post reported that dozens of nations had bought such systems to track surveillance targets and that skilled hackers or criminals could do the same using functions built into SS7. (The term is short for Signaling System 7 and replaced previous networks called SS6, SS5, etc.)

The researchers did not find evidence that their latest discoveries, which allow for the interception of calls and texts, have been marketed to governments on a widespread basis. But vulnerabilities publicly reported by security researchers often turn out to be tools long used by secretive intelligence services, such as the National Security Agency or Britain's GCHQ, but not revealed to the public.

"Many of the big intelligence agencies probably have teams that do nothing but SS7 research and exploitation," said Christopher Soghoian, principal technologist for the ACLU and an expert on surveillance technology. "They've likely sat on these things and
problems with the network and said it was due to be replaced over the next decade because of a growing list of security and technical issues.

The German researchers found two distinct ways to eavesdrop on calls using SS7 technology. In the first, commands sent over SS7 could be used to hijack a cell phone's "forwarding" function – a service offered by many carriers. Hackers would redirect calls to themselves, for listening or recording, and then onward to the intended recipient of a call. Once that system was in place, the hackers could eavesdrop on all incoming and outgoing calls indefinitely, from anywhere in the world.

The second technior U.S. carriers have not been tested, though Nohl and Engel said it's likely at least some of them have similar vulnerabilities. (Several smartphone-based text messaging systems, such as Apple's iMessage and Whatsapp, use end-to-end encryption methods that sidestep traditional cellular text systems and likely would defeat the techniect of NSA surveillance. The techni
that several companies were offering governments worldwide the ability to find virtually any cell phone user, virtually anywhere in the world, by learning the location of their cell phones through an SS7 function called an "Any Time Interrogation"
customers in order to route calls to the nearest cellular towers, but they are not re
the phone number. That allows location tracking within a certain area, such as near government buildings.

The German senator who cooperated in Nohl's demonstration of the technology, Thomas Jarzombek of Merkel's Christian Democratic Union party, said that while many in that nation have been deeply angered by revelations about NSA spying, few are surprised that such intrusions are possible.

"After all the NSA and Snowden things we've heard, I guess nobody believes it's possible to have a truly private conversation on a mobile phone," he said. "When I really need a confidential conversation, I use a fixed-line" phone.

Hackers demo network-level call interception
January 05, 2015

White-hat hackers at the 31st Chaos Computer Congress have demonstrated fundamental flaws in the underlying infrastructure of 2G and 3G mobile phone networks. The flaws allow attackers to covertly track the location of a phone number as well as intercept calls and SMS - all at the network level.

Tobias Engel from the Chaos Computer Club demonstrated in front of a live audience how it was possible to send a fake network message from his laptop to block a phone from making calls and even divert calls to another phone. This could be diverted to a man-in-the-middle recording of the conversation. He also showed how a couple of volunteers were tracked over a few weeks as they travelled around the United States and Europe again by spoofed network messages simply asking the mobile service center (MSC) server for the location of the subscriber.

Engel said that a journalist has contacted him with claims from a security company offering tracking of individuals down to the city street with just their phone number, and asked how it could be done.
GSM and UMTS systems all depend on a protocol called Signalling System 7 (SS7) which was designed around fixed line telephones in the 1980s. With each phone line at a physical house and most telcos being trusted state-owned operators, privacy was not a concern at the time. SS7 has been extended with new protocols added over time to allow for mobility, text messages and geo-location and roaming, for instance.

The problem is that SS7 fundamentally does not have any authentication. Many operators are selling legitimate access to SS7, for instance for text messaging or vehicle fleet management. With the advent of femto cells, it is even possible for people to hack into their femto units to gain direct access to the SS7 network.

In order to track a target with simply his phone number, the attacker with access to SS7 can simply ask the HLR (home location register) for the international mobile subscriber identity (IMSI) and the mobile switching center (MSC) that the target is currently using. This is done by using what is called an anytime interrogation SS7 message to the HLR. Many networks have blocked anytime interrogation messages but a workaround is to use the SMS routing to find the IMSI and MSC instead, again with SS7 messages. If that fails with home SMS routing installed, an attacker with the IMSI address gained through out-of-band means can simply brute-force requests to MSCs all over the world until the right MSC is found. Armed with the IMSI and the MSC, the attacker then sends an SS7 message directly to the MSC to query the location of the target.

"The MSC does not do plausibility assessments. If a German user is in his home network, an Indonesian network should not have anything to do with it [but is not prevented]. Most MSCs accept requests from anywhere and anyone," he said.

Engel said that some networks have implemented a verify sender address mechanism for geo-location. But he said that simply by spoofing the source address, called the global title, to something that looks similar to the
global title of the MSC, it was possible to circumvent the check and be treated as a legitimate, local server.

Away from location, it is possible to use SS7 messages to manipulate a target's phone. Since this is at the network level, it is irrelevant if it is a smartphone or a simple feature phone. Engel demonstrated in front of the live audience how it was possible to send SS7 messages to the MSC in order to block calls to a phone and divert calls to a third party. This could be used to set up a man-in-the-middle to eavesdrop on calls.

This was possible because when roaming, users often dial local numbers without the international prefix. There is an SS7 message that allows the HLR to tell the MSC, "when this subscriber makes a call, ask me first". The idea is that when, for instance, a German subscriber is roaming in France, for
domestic German numbers to be added with the international country code of Germany so it can be routed correctly. But since the HLR's SS7 messages can be spoofed, an attacker with access to the SS7 network can send a message pretending to be the target's HLR and tell the MSC to ask it when the target tries to make a call and thereby set up the man-in-the-middle attack. The same can be done for SMS, USSD and, Engel said, probably data though he said that was not tested yet.

Yet another vulnerability detailed involved de-anonymizing temporary mobile subscriber information (TMSI) numbers and getting the IMSI and phone numbers for other users in the vicinity of the attacker. By simply capturing TMSI paging requests over the air it is possible to send an SS7 update to the MSC that will result in the full HLR details being returned.

"If you do that often enough in Berlin, I don't know how long it would take you to get Angela Merkel's phone number," he said.

Though SS7 is used on GSM and UMTS 3G networks, LTE
uses a new protocol called Diameter. However, Diameter has apparently copied many of the flaws of SS7 and still does not have end-to-end authentication.

Asked about this revelation, AIS vice-president for networks Saran Phaloprakarn pointed out one flaw in the doomsday scenario laid out by the Chaos Computer Club. While he acknowledged that the SS7 protocol was fundamentally flawed, he said the SS7 hacks could be detected at the network level with proper monitoring. Neither Dtac nor TrueMove responded to questions by time of going to press.

German researchers have announced the discovery of new security flaws in the SS7 protocol that could be exploited by an attacker to spy on private phone calls.

A team of German researchers has discovered security flaws that could be exploited by a threat actor to spy on private phone calls and intercept text messages on a large scale, even when mobile phones are using the most advanced encryption now available. The flaws will be reported at the next hacker conference in Hamburg, and once again the attackers will exploit insecurity in the SS7 protocol, also known as Signaling System Number 7, that is the protocol suite used by several telecommunications operators to communicate with one another when directing calls, texts and Internet data. The researchers also explained that the flaws in the SS7 protocol could also be exploited by criminal crews to defraud users and cellular carriers.

"The flaws, to be reported at a hacker conference in Hamburg this month, are the latest evidence of widespread insecurity on SS7, the global network that allows the world's cellular carriers to route calls, texts and other services to each other. Experts say it's increasingly clear that SS7, first designed in the 1980s, is riddled with serious vulnerabilities that undermine the privacy of the
world's billions of cellular customers. The flaws discovered by the German researchers are actually functions built into SS7 for other purposes – such as keeping calls connected as users speed down highways, switching from cell tower to cell tower – that hackers can repurpose for surveillance because of the lax security on the network." reports The Washington Post.

The SS7 protocol allows cell phone carriers to collect location data related to the user's device from cell phone towers and share it with other carriers; this means that by exploiting SS7 a carrier is able to discover the position of its customer wherever he is. In a previous post, I explained that surveillance vendors using the SS7 protocol are able to geo-localize users with great precision.

"The tracking technology takes advantage of the lax security of SS7, a global network that cellular carriers use to communicate with one another when directing calls, texts and Internet data." reports the Washington Post.

As explained by the researchers, the problem resides in the intrinsic security of the protocol, which is considered outdated due to the presence of several serious security vulnerabilities that can lead to the violation of the privacy of billions of mobile users worldwide. At the time I'm writing, the researchers haven't provided other information on the security vulnerabilities discovered in the SS7 protocol, but the experts believe that hackers can exploit them to track an individual or redirect user calls to the attackers.

The attack scenario is worrying and opens the door to massive surveillance activities. The American Civil Liberties Union (ACLU) has also warned people against possible abuse of such vulnerabilities by intelligence agencies and law enforcement.

"Don't use the telephone service provided by the phone company for voice. The voice channel they offer is not secure," principle technologist Christopher Soghoian told Gizmodo. "If you want to make phone calls to loved ones or colleagues and you want
them to be secure, use third-party tools. You can use FaceTime, which is built into any iPhone, or Signal, which you can download from the app store. These allow you to have secure communication on an insecure channel."

Unfortunately, the vulnerabilities in the SS7 protocol will continue to be present, even as cellular carriers upgrade to advanced 3G technology to avoid eavesdropping.

"But even as individual carriers harden their systems, they still must communicate with each other over SS7, leaving them open to any of thousands of companies worldwide with access to the network. That means that a single carrier in Congo or Kazakhstan, for example, could be used to hack into cellular networks in the United States, Europe or anywhere else." states the Washington Post.

"It's like you secure the front door of the house, but the back door is wide open," said Tobias Engel, one of the German researchers.

The team of researchers did not find evidence that the flaws discovered have been "marketed" to governments on a widespread basis; in any case, it is impossible to know if intelligence agencies are already exploiting them for their operations.
"Many of the big intelligence agencies probably have teams that do nothing but SS7 research and exploitation. They've likely sat on these things and quietly exploited them," Soghoian said.

Stay tuned for further information ...

Pierluigi Paganini (Security Affairs – SS7 protocol, surveillance)

Surveillance – How to secretly track cellphone users position around the globe
September 18, 2014
By Pierluigi Paganini

Using the proper surveillance systems available on the market it is easy and quick to track cellphones and the movements of targets everywhere on the globe.

We recently discussed the decision of Wikileaks to publish copies of the criticized surveillance software FinFisher, highlighting the dangers of the militarization of cyberspace and in particular of the use of spyware to track users. The principal vendors of surveillance platforms defend their business
declaring that the solutions are only for law enforcement and intelligence agencies. Unfortunately the reality is quite different, because many threat actors worldwide use surveillance malware to track individuals for different reasons.

The Washington Post published an interesting article a few weeks ago on surveillance technology that can be used to track individuals anywhere in the world through the localization of their mobile devices. The post explains that surveillance vendors using the SS7 protocol, aka Signaling System Number 7, are able to geo-localize users with great precision.

"The tracking technology takes advantage of the lax security of SS7, a global network that cellular carriers use to communicate with one another when directing calls, texts and Internet data." reports the Washington Post.

SS7 or Signaling System Number 7 is a protocol suite used by several telecommunications operators to communicate with one another when directing calls, texts and Internet data. The SS7 protocol allows cell phone carriers to collect location data related to the user's device from cell phone towers and share it with other carriers; this means that by exploiting SS7 a carrier is able to discover the position of its customer wherever he is.

"The system was built decades ago, when only a few large carriers controlled the bulk of global phone traffic. Now thousands of companies use SS7 to provide services to billions of phones and other mobile devices, security experts say," explains the post. "All of these companies have access to the network and can send queries to other companies on the SS7 system, making the entire network more vulnerable to exploitation. Any one of these companies could share its access with others, including makers of surveillance systems." continues the Washington Post.

Another family of devices sold by companies which provide surveillance solutions are the IMSI catchers, also known by one popular trade name, StingRay. An IMSI (International Mobile Subscriber Identity) catcher is a device for telephony eavesdropping commonly used for intercepting mobile phone traffic and tracking the movement of mobile phone users. Essentially, it operates as a bogus mobile cell tower between the target mobile phone and the service provider's real towers. The IMSI catcher runs a Man In the Middle (MITM) attack that could not be detected by victims using commercial products.

The use of trackers based on exploitation of the SS7 protocol is recommended with "IMSI catchers"; in fact, once the SS7 tracker locates the victim, the IMSI catchers can be deployed effectively. StingRays are common surveillance devices that are able to intercept calls and Internet traffic, send fake texts, install malware on a phone, and of course find the precise location of the victim.

"What's interesting about this story is not that the cell phone system can track your location worldwide," "That makes sense; the system has to know where you are. What's interesting about this story is that anyone can do it." said the popular expert Bruce Schneier.

Privacy advocates are really concerned about possible misuse of such technology; foreign state-sponsored hackers and cyber criminals could use it for illegal activities. Let's remember that it is illegal in many countries to track individuals without a court order, but there is no clear international legal framework that punishes the ill-intentioned for secretly tracking people in other countries.

The FCC recently created an internal task force to study the misuse of IMSI catchers in the cybercrime ecosystem and by foreign intelligence agencies, which demonstrated that this technology could be used to spy on American
citizens, businesses and diplomats.

Don't forget that to track us a government just needs to type our phone number into a computer portal, which then collects data about our location, to within a few blocks in an urban area or a few miles in a rural one, from databases maintained by cellular carriers.

The Washington Post made explicit reference to a 24-page marketing brochure for the cellular tracking system sold by Verint codenamed SkyLock. The document, dated January 2013 and labeled "Commercially Confidential," reveals the system offers government agencies "a cost-effective, new approach to obtaining global location information concerning known targets."

The brochure includes screen shots of maps depicting location tracking in what appears to be Mexico, Nigeria, South Africa, Brazil, Congo, the United Arab Emirates, Zimbabwe and several other countries. Verint says on its Web site that it is "a global leader in Actionable Intelligence solutions for customer engagement optimization, security intelligence, and fraud, risk and compliance," with clients in "more than 10,000 organizations in over 180 countries."

As said by Eric King, deputy director of Privacy International: "Any tin-pot dictator with enough money to buy the system could spy on people anywhere in the world," "This is a huge problem."

Pierluigi Paganini (Security Affairs – Surveillance, privacy)

The recently concluded Chaos Communications Congress (31c3) in Hamburg, Germany was an all-out assault on cellular call privacy and security. Of particular interest was the SS7 protocol used to route calls between switching centers. Researchers, doing parallel research as it turns out, found gaping holes in the protocol that allow an attacker to sit in a man-in-the-middle position and reroute calls and SMS messages, or carry out denial-of-service attacks. More worrying to physical security is also the ability to learn a person's location and track them.
The bugs are a spy's dream, and Tobias Engel said he is aware of one real-world attack carried out in the Ukraine and discovered by a telecommunications operator in that country carried out by a Russian SS7 network.

Engel, founder of Sternraute, a Berlin-based service provider specializing in privacy, said that an attacker would need only to know his target's phone number in order to track their location or spy on their calls. The maligned SS7 protocol was designed in the 1980s, long before mainstream cellular use, and security and privacy shortcomings have not kept up with the times, Engel said. Services built on top of SS7 to enable mobile communication, MAP and
CAMEL, operate without authentication, Engel said, leaving the door wide open for abuse.

Karsten Nohl, of SR Labs in Germany, also spoke at 31c3 and tore into SS7 and demonstrated that attacks can also be carried out over 3G networks in order to record voice and SMS communication as well. He released a tool for Android devices called SnoopSnitch that detects IMSI catchers and other attacks over SS7.

"I think it's really scary. You don't have to know somebody, you just have to know his phone number and you can track him from the other side of the world. You don't have to be near him, you just need SS7 access," Engel said, pointing out that such access can be purchased from telecom and network operators. Also, he said, there are vendors selling products that maneuver against SS7. "Companies offering these services are saying they are only offering them to law enforcement and government agencies. I don't know about you but there are many countries in the world whose governments I wouldn't trust with this functionality."

Governments have been known not only to monitor call activity of citizens and high-value industrial or government targets, but also track the location of activists and dissidents in oppressed parts of the world. Engel's SS7 presentation included a demonstration of tracking he did of a volunteer, mapping out their journey from Seattle, to their home in the Netherlands and eventually to Hamburg and 31c3.
Engel's attack takes advantage of the Home Location Register (HLR), a database containing subscriber data including their phone number. The HLR, he said, knows which mobile switching center, or visitor location register (VLR) is closest to the subscriber in order to deliver calls and SMS messages. An attacker can use a Mobile Application Part (MAP) anyTimeInterrogation request to the HLR to learn the subscriber's cell ID, which then pages the right switching center and returns the information to the attacker, Engel said. European networks block ATI requests for the most part, but that won't deter an attacker, who instead can just ping the mobile switching center directly to learn the cell ID and IMSI number. Most switching centers, he said, accept requests from anywhere and no plausibility checks are done, Engel said.
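An added example (not code from the talk, the articles or any operator's product) of the plausibility checks Engel says most switching centers lack, written as a screening function for inbound MAP requests. The PLMN codes, global-title prefixes, the `link` field and the sample traffic are constructed assumptions; `provideSubscriberInfo` and `insertSubscriberData` are the standard MAP operations assumed here to correspond to the direct location query and the subscriber-profile change described on this page.

```python
from collections import Counter
from dataclasses import dataclass

# Every identifier below is a constructed sample value, not real network data.
HOME_PLMN = "00101"                     # MCC+MNC of the protected network (test PLMN)
GT_PREFIXES_BY_PLMN = {                 # global-title prefixes each network's nodes use
    "00101": ("99901",),                # the home network
    "00102": ("99902",),                # a roaming partner
}
# Requests an MSC/VLR should only ever receive from the subscriber's own HLR:
# location queries and profile changes such as an "ask me first" trigger.
HLR_TO_MSC_OPERATIONS = {"provideSubscriberInfo", "insertSubscriberData"}


@dataclass(frozen=True)
class MapRequest:
    operation: str    # MAP operation name
    calling_gt: str   # SCCP calling-party global title (the claimed sender)
    imsi: str         # subscriber concerned, "" when addressed by phone number
    link: str         # "internal" or "interconnect": where the message arrived


def screen(req: MapRequest) -> tuple:
    """Return (verdict, reason) for one inbound MAP request."""
    claims_home = req.calling_gt.startswith(GT_PREFIXES_BY_PLMN[HOME_PLMN])
    # 1. A sender address is only a claim. A home-looking global title that
    #    arrives from another operator is the spoofing trick described above.
    if req.link == "interconnect" and claims_home:
        return ("block", "home global title on interconnect link")
    # 2. anyTimeInterrogation has no business crossing the network border.
    if req.operation == "anyTimeInterrogation" and req.link == "interconnect":
        return ("block", "anyTimeInterrogation from outside")
    # 3. Plausibility: the sender must belong to the subscriber's home network.
    #    Unknown networks map to an empty tuple, which never matches.
    if req.operation in HLR_TO_MSC_OPERATIONS:
        allowed = GT_PREFIXES_BY_PLMN.get(req.imsi[:5], ())
        if not req.calling_gt.startswith(allowed):
            return ("block", "sender is not the subscriber's home network")
    return ("allow", "plausible")


# Constructed sample traffic covering each rule and two legitimate requests.
SAMPLE_TRAFFIC = [
    MapRequest("anyTimeInterrogation", "99903555", "", "interconnect"),
    MapRequest("provideSubscriberInfo", "99903555", "001010000000001", "interconnect"),
    MapRequest("provideSubscriberInfo", "99901200", "001010000000001", "interconnect"),
    MapRequest("insertSubscriberData", "99902100", "001020000000007", "interconnect"),
    MapRequest("provideSubscriberInfo", "99901100", "001010000000001", "internal"),
    MapRequest("sendRoutingInfoForSM", "99902100", "", "interconnect"),
]


def summarise(requests) -> Counter:
    """Count blocked requests per reason, the figure an operator would monitor."""
    verdicts = [screen(r) for r in requests]
    return Counter(reason for verdict, reason in verdicts if verdict == "block")


if __name__ == "__main__":
    for request in SAMPLE_TRAFFIC:
        print(request.operation, request.calling_gt, *screen(request))
    print(dict(summarise(SAMPLE_TRAFFIC)))
```

The last sample request shows the limit of sender screening: a sendRoutingInfoForSM query from a partner network is legitimate signalling, so the IMSI disclosure it causes has to be handled by home SMS routing rather than by this filter.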
Engel brought the problem to the attention of a number of German operators, he said. The operators looked at their traffic and saw a lot of it carried people's geo-positions. After filtering out the ability to learn IMSI and switching center location, attack traffic dropped 80 percent, Engel said. The remaining traffic were either misconfigured networks, or unknown traffic that he said were requests by state actors or other network operators. Some attacks persist because an attacker can learn the IMSI from other sources, or brute-force a number range from the switching center.

Engel also demonstrated how an attacker could abuse the CAMEL protocol to overwrite switching center data belonging to the subscriber with the attacker's GSM address without the subscriber's knowledge. When a subscriber makes a call, he said, the switch center would instead contact the attacker's ID. The attacker could record traffic, learning what numbers are dialed and bridge calls, sitting in the middle and recording content, Engel said.

"Everybody who has a phone in his pocket indirectly uses SS7," Engel said. "Every movement can be tracked and every call can be intercepted."

Taking up the Gauntlet: SS7 Attacks
Cathal McDaid
16th December 2014

There have been several recent reports in the media on the results of new research into SS7 network. This interesting research outlines a series of techniques potential attackers can use to listen in to and read the calls and text messages of others. An obvious question for those of us in the telecom security industry is whether the threat is real and what we should do to address it. In considering an answer, we can look at a little-reported incident that occurred in Ukrainian Mobile networks earlier this year.

Last May, a report was issued by the Ukrainian Telecom Regulator (NKRZI)[1]. This document, which went essentially unreported by the press outside of Ukraine & Russia, contains the result of the investigation of the NKRZI, assisted by the Ukrainian Security Service (SBU), into telecom network activity over several days in MTS Ukraine. The key findings of this report were that over a 3 day period in April 2014, a number of Ukrainian mobile subscribers were affected by suspicious/custom SS7[2] packets from telecom network elements with Russian addresses, causing their location and potentially the contents of their phone calls to be obtained.

The 'attacks' outlined in the document involved SS7 packets being sent between the mobile operators. Without going into specific details, what occurred is a series of SS7 packets were received by MTS Ukraine's SS7 network which modified control information stored in network switches for a number of MTS Ukraine mobile users. In doing so, when one of the affected mobile subscribers tried to ring someone else, their call would be forwarded to a physical
land line number in St. Petersburg, Russia, without their knowledge - in effect the call has been intercepted. There is an additional further step that could be taken for the interception, not outlined in the original Ukrainian report, but suggested by the Washington Post article. The forwarded-to number could have initiated a new call to the original targeted subscriber, and then conference in the intercepted call, thus allowing itself to listen in to the call without the participants being aware.

In the document, the investigation stated that the custom SS7 packets themselves came from links allocated to MTS Russia, the parent company of MTS Ukraine. The Ukrainian regulator then assigned responsibility for the nodes that generated the SS7 based on the origination addresses in the SS7 packets received. According to the report, some of the SS7 source addresses that originated the attack were assigned to MTS Russia, while others were assigned to Rostov Cellular Communications.

It's important to keep in mind that this is the report from one side only, and it is stated that they "draw conclusions about the potential for the interference with operation of telecom networks on the part of the PSTN area in the Russian Federation", however in the report the regulator felt that MTS Ukraine was not doing enough to maintain the privacy of subscribers locations and call
forwarding routes. For its part, MTS Russia denied that the SS7 address used was under its control, thus leaving the ultimate instigator a mystery. Indeed, in subsequent follow-ups it was reported that MTS Ukraine was not alone in being at risk, as the Ukrainian Telecom Regulator stated at a later date that Astelit and Kyivstar – the other main Ukrainian mobile operators – also experienced 'external interference'.

Whilst we don't have information on the exact subscribers affected, there have been examples of very sensitive phone calls being intercepted by unknown means within the region, when using non government issued cell-phones. It is purely speculation on our part, but the same SS7 techniques outlined in the report could have conceivably been used to help achieve these interceptions.

Looking forward, an unfortunate, but seemingly inevitable, side-effect of these techniques is that it will lead to countries that have been affected adversely by SS7 attacks to attempt to build their own capability, thus leading to an 'SS7 arms-race'. This has already been experienced in Ukraine, where new legislation has been submitted that one media source stated will allow their security services to legally listen in turn to subscribers of foreign mobile operators, track their location and obtain 'other information about the activity of subscribers'. Taken to extremes between countries, this would lead to a form of 'mutually assured surveillance', with mobile operators and mobile phone users on both sides suffering.

The Ukrainian report, and the recent research that has been released, shows us that we have moved into uncharted territory. Yes, there is a threat, and it is real - as the above example shows - however it does require considerable technical expertise to do this level of network interference. Not only to run and operate SS7 nodes capable of doing this - but especially to gain access to the SS7 network in the first place. Plus the nature of the risk is very different: consider there are more
users o% the SS network worldwide than there users o% the internet, yet the num(er o% attacks on 6 networks everyday dwar% what is known to occur over SS) *he SS network is working as designed, (ut V(ad actorsV are increasingly trying to eploit it, the real danger is that we assume that nothing can (e done to the pro(lem and it will .ust get worse as more V(ad actorsV try to get access) :s has (een said (y others, as an industry we need to work together to dene recommendations and implement solutions to detect and stop potential attacks, (ecause de%ences are possi(le and can make a di/erence i% deployed correctly) *his coordination is already well underway, and :daptiveMo(ile are helping to contri(ute to this, (ut no-one should dou(t the amount o% work and e/ort that will (e re9uired to completely secure the SS network %rom organisations that would seek to eploit it) However, at the same time it would (e a mistake %or those using these techni9ues o/ensively to assume that their activities U methods have gone unnoticed) "e are now entering the more pu(lic stage o% a struggle in which the gauntlet was thrown down some time ago)
Example AdaptiveMobile visualisation of SS7 activity between several mobile operators over a short time span - looking for abnormal behaviour. Colours represent a selection of different SS7 packet types. The 'clumps' are groups of similar SS7 node types. While unrelated to the events described in the report, the purpose of such work is to help investigate ways in which to detect malicious or unusual SS7 behaviour in networks. Such methods will be called on increasingly in the future to help detect and block unwanted SS7 activity.
Update: 3/1/2015
In the 3rd paragraph of the original blog entry on 16th of December, it was stated: "In doing so, when someone tried to ring one of the affected mobile subscribers..." This has now been updated.

References:
[1] National Commission for the State Regulation of Communications and Information
[2] Signalling System 7 (SS7) is a catch-all term for a telecom network technology that is used by hundreds of cellular companies to allow them to operate and communicate with each other; it is the computer protocol used by telecom nodes within cellular networks to provide mobility control, network registration, call and text setup etc. In short it enables mobile devices to communicate and roam globally, and it allows mobile operators to control and bill this activity. All pieces of network hardware that operate in the core network use SS7 to interoperate with the rest of the network.

Cell Phone Tapping: How It Is Done and Will Anybody Protect Subscribers

You probably have read on various news websites about surveillance programs led by security services in different countries that reach phone and Internet communications of ordinary citizens. We have already written about possible threats to mobile telecommunication networks and today we want to put more emphasis on one of the attack vectors against mobile subscribers.

In short, the outline is like this. The attacker penetrates into the SS7 (Signaling System No. 7) network and sends a Send Routing Info For SM (SRI4SM) service message to the network channel, specifying the phone number of an attacked subscriber A as a parameter. Subscriber A's home network sends the following technical information as a response: IMSI (International Mobile Subscriber Identity) and address of the MSC currently providing services to the subscriber. After that, the attacker changes the billing system address in the subscriber's profile to the address of his own pseudo-billing system and injects the updated profile into the VLR database via an Insert Subscriber Data (ISD) message.

When the attacked subscriber makes an outgoing call, his switch addresses the attacker's system instead of the actual billing system. The attacker's system sends the switch a directive allowing one to redirect a call to a third party controlled by the attacker.

At a third-party location, a conference call with three subscribers is set up; two of them are real (the caller A and the called B) while the third is introduced by the attacker illegally and is able to listen and record the conversation.

I would say to skeptics straight off: this plan is not a fantasy, as you can see, and it could be practically realized. At the development stage, the SS7 system was not provided with defense mechanisms against such attacks. It was assumed that the SS7 network itself is private enough and an "outsider" cannot access it. However, times are changing and we are becoming witnesses to the use of telephony technologies with malicious intent. Unfortunately, one does not simply enable external SS7 message filtering, as it may affect the availability of mobile services in roaming. There is no mobile network operator who wants to lose its money.
The work of an operator providing services to a large number of subscribers always treads a fine line between Information Security and availability of services. The problem is especially acute for mobile network operators: the range of services is broad, and it is different for different operators; at the same time, providing services both to their subscribers and subscribers from other networks within the operator's network is desirable, and in such a manner that subscribers do not face the limitations of mobile network services when traveling abroad.

What you can do

It would be good to fix the so-called "vulnerabilities" in the SS7 protocol stack, but any expert will tell you that it is impossible. A classic example of the "it's not a bug, it's a feature" thing. Instead of being philosophical about mobile network architecture we must take action. We can do the following, for example:

- Perform a penetration test in the SS7 network.
- Set up monitoring of warning messages at the operator's network perimeter by all available means.
- Analyze the received information and take steps to minimize the risks.

Penetration Tests

Let's talk a bit about the benefits of penetration tests. As for an operator's network, these tests play a role not only in the detection of vulnerabilities, but also in solving operational tasks. For instance, you need to perform dozens of tests considering the specifics of each particular network in order to find out the impact of enabling either one feature or the other. When testing SS7 warning messages, we consider 10 basic types of attacks on a network and mobile subscribers.

1. Check for the disclosure of confidential technical parameters: subscriber's IMSI; MSC address where the subscriber is registered; HLR database address, where the subscriber's profile is stored. An attacker can conduct more complicated attacks using these parameters.
2. Check for the disclosure of subscriber's cell data. An attacker can detect the subscriber's location using the cell ID. In cities the location can be determined with an accuracy of about 10 meters (http://blog.ptsecurity.com/2010search-and-neutralize-how-todetermine.html).
3. Check for possible violation of subscriber's availability for incoming calls (DoS against the subscriber). In case of a successful attack, the victim subscriber no longer receives incoming calls and SMS. At the same time the victim's mobile phone indicates network availability. The victim subscriber will stay in this state until he/she makes an outgoing call, goes to the other switch service area or reboots the phone.
4. Check for private SMS conversations disclosure. This attack is a consequence of attack number 3. In case of a successful attack, incoming SMS messages are intercepted by the attacker's devices, so it will not be difficult to read them. To prevent the subsequent delivery to the recipient, the attacker sends an SMS delivery notification to the SMS Center.
5. Check for USSD commands manipulations. In case of a successful attack, the attacker is able to send USSD commands on behalf of the subscriber. The possible damage will be assessed with regard to USSD services provided by the operator (e.g., if the money transfer between accounts via USSD commands is available or not).
6. Check for spoofing subscriber's profile in VLR. In case of a successful attack, the attacker is able to use his equipment as an intelligent platform in order to extend the capabilities of voice calls and manipulate the tariffing of mobile services.
7. Check for possible outgoing calls redirection. This attack is a continuation of attack number 6. In case of a successful attack, the attacker is able to redirect outgoing calls from the victim subscriber. Additionally, this attack allows an attacker to make an unauthorized conference call, cutting in the conversation.
8. Check for possible incoming calls redirection. In case of a successful attack, the attacker is able to redirect incoming calls to the victim subscriber. Moreover, calls to high-tariff regions may be not tariffed or call charges will be billed to the victim subscriber.
9. Checking the switch stability and resistance to DoS attacks. In case of a successful attack, the switch no longer handles incoming calls to subscribers located in its service area.
10. Check for possible direct manipulations in billing. In case of a successful attack, the attacker is able to empty the subscriber's personal account, so that the subscriber becomes deprived of the opportunity to make calls.

How to Protect Users

Our research revealed that the overwhelming majority of attacks against SS7 networks begin with obtaining technical data about the subscriber (IMSI, MSC and HLR database addresses). These parameters can be obtained from the response to the SRI4SM message mentioned in the beginning of this article.

One of the security solutions is the SMS Home Routing procedure provided by 3GPP in 2007. It is sometimes called the SMS Firewall or SMS Filter.

An additional host, providing filtering of malware SRI4SM messages, is implemented in the operator's network. It works as follows. When an SRI4SM message is received by the operator's network from another network, it is rerouted to the new filtering host. This host sends a correct response replacing MSC and HLR database addresses with its own address and IMSI with false data. If the SRI4SM message was generated by the attacker, he will not receive any useful data in the response and his attack will be interrupted at the very beginning. If the SRI4SM message was used for an authorized transaction, to send an SMS, the originator's network will send this message to the filtering host, which will deliver the message to the recipient within the home network.

It's been 7 years since this recommendation was issued, but, so far as we can see, few operators had launched this solution. By the way, the SRI4SM message is not the only way to obtain the subscriber's IMSI.

A mobile operator's network is potentially vulnerable, just like any other network. Due to the specificity of mobile networks, these attacks can be more sophisticated than Internet attacks. We recommend that operators take measures to protect such networks using the traditional scenario: penetration tests to discover potential vulnerabilities, security audit with the recommended settings and cyclic check of security settings against a template. This minimum amount of work helps you to improve the level of your network security just above the average, still it is enough for the first step. So subscribers got nothing to worry about.

P. S. In the course of the Positive Hack Days IV, we made a report about possible attacks in mobile operators' network, where tapping into phone conversations from almost any place on earth was discussed.
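The SMS Home Routing behaviour described above, modelled as an added example (not code from the original article or from any operator). The class and function names, the global titles, the prefix test for "home network" and the sample subscriber are constructed assumptions; a real filtering host works on MAP messages.

```python
import secrets
from dataclasses import dataclass

# All addresses and identities below are constructed sample values.
ROUTER_GT = "10000000099"        # global title of the filtering host
HOME_GT_PREFIX = "100"           # assumption: home-network nodes share this prefix
SAMPLE_HLR = {"10055501234": ("999010000000042", "10000000007")}  # MSISDN -> (IMSI, MSC)


@dataclass
class SriSmResponse:
    imsi: str
    serving_node: str            # where the sender must address the follow-up SMS


class HomeRouter:
    def __init__(self, hlr):
        self.hlr = hlr
        self.live = {imsi for imsi, _ in hlr.values()}
        self.pending = {}        # false IMSI -> MSISDN, one entry per open transaction

    def handle_sri_sm(self, origin_gt, msisdn):
        """Answer an SRI4SM; external senders never see the real IMSI or MSC."""
        real_imsi, real_msc = self.hlr[msisdn]
        if origin_gt.startswith(HOME_GT_PREFIX):
            return SriSmResponse(real_imsi, real_msc)
        while True:              # random 15-digit stand-in, retried on collision
            fake = "".join(secrets.choice("0123456789") for _ in range(15))
            if fake not in self.live and fake not in self.pending:
                break
        self.pending[fake] = msisdn
        return SriSmResponse(fake, ROUTER_GT)

    def handle_mt_sms(self, imsi, text):
        """Deliver an SMS that arrived at the router, or drop it (None)."""
        msisdn = self.pending.pop(imsi, None)
        if msisdn is None:       # unknown or already used stand-in: nothing to route
            return None
        real_imsi, real_msc = self.hlr[msisdn]
        return {"imsi": real_imsi, "deliver_via": real_msc, "text": text}


def demo():
    router = HomeRouter(SAMPLE_HLR)
    external = router.handle_sri_sm("20000000001", "10055501234")
    delivered = router.handle_mt_sms(external.imsi, "hello")
    replayed = router.handle_mt_sms(external.imsi, "hello again")
    internal = router.handle_sri_sm("10000000003", "10055501234")
    return external, delivered, replayed, internal


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The external sender learns only the router's address and a one-time stand-in identity, yet a legitimate SMS sent to that address still reaches the subscriber.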
Authors: Sergey Puzankov, Dmitry Kurbatov
Positive Research

1 comment:
Irwin Williams, January 1, 2015 at 5:54 AM
Cellphone tracking is now very much simple most of the promote submission for the emissary software are prohibited, and the subsistence of the software angers CTIA-The Wireless Association, an industry organization representing the nation's chief cell phone company.

Location, Monitor Your Communication

December 30, 201 :55 AM MST

With few lines of code, a savvy hacker can determine your location, intercept calls and SMS.
According to renowned researcher Tobias Engel (Hacker), who presented "SS7: Locate. Track. Manipulate" at Chaos Communication Congress 31c3 last week, "Companies are now selling the ability to track your phone number wherever you go. With a precision of up to 50 meters, detailed movement profiles can be compiled by somebody from the other side of the world without you ever knowing about it. But that is just the tip of the iceberg."

And it is not only the NSA or other intelligence agencies that can monitor your movement and intercept communication. Any business or individual can exploit SS7 network vulnerabilities to gain access to subscribers' mobile devices.

The SS7 protocol is used by mobile operators to direct calls and SMS to their customers, even when they are in another country. In theory, access to the SS7 network is reserved for telephony operators. However, by gaining access to the network, businesses and individuals can have a field day. "From the moment you have network access, there are hardly any security mechanisms," says Tobias Engel.

What is rather scary is the assertion that gaining access to a mobile operator's network is relatively easy. Karsten Nohl of the German company Security Research Lab, who also presented his research, asserted that accessing "the location is very easy." He argued that "even 3G is attackable," suggesting "it's high time we upgrade from complaining to self-defense."

Tobias Engel presented how he tracked and monitored mobile devices across the globe. Several US companies even provide a phone location service to their customers, as recently reported in the Washington Post (http://www.washingtonpost.com/business/technology/for-sale-systems-that-... f003-11e3-bf6-a5df611f_story.html).

Intercepting calls is a little more complicated. On stage, Karsten Nohl also demonstrated spoofing the phone number and potentially transferring the call to a computer where it can be recorded. The same can be done with SMS.

Subscribers don't really have many options. Tobias Engel joked: "There are only two solutions to the user. Tell the operator, but I'm not sure that a call to the hotline works, or get rid of his phone."

But if you don't want to get rid of your phone, Karsten Nohl launched SnoopSnitch (https://play.google.com/store/apps/details?id=de.srlabs.snoopsnitch), a free application to detect whether a subscriber is monitored via the SS7 network. "You receive warnings when something out of the ordinary," Nohl said. "For example, if I ask your operator your location through the SS7 network, your phone is loaded but nothing happens for you. The application notifies you if such an event occurs."

This tool can also detect certain types of interception. The application collects data throughout the day, "like a virus that people have on their computer." The user can then choose to share this data with Security Research Lab to supply a map, GSMMap.org (http://gsmmap.org).