Switching System 7 (SS7) Security flaws

A serious flaw in the Global Cellular System
© 2016 - by John T. Draper

Over the last 15 years, I have been traveling back and forth regularly to Germany to give talks at various conferences. Many of the connections I’ve made over this time have had something to do with computer security.

In the last few years, the big subject on everyone’s lips is the overlooked vulnerability of SS7 (Signaling System 7).

For those who have no idea what SS7 is… it’s basically a set of signalling protocols used by Telecommunication Companies, to communicate information over a dedicated channel. A dedicated channel being outside the ‘normal’ channel used for voice or data. SS7 is not communicated between phones, but between mobile networks.

The SS7 network replaced the older ‘in-band’ system, but of course was not designed to be used by the newer Cellular technology like SMS, caller ID, and other cell phone features.

So this outdated 40-year-old system is still being used by almost every phone in the world when connecting to a long distance network, including when sending SMS messages.

It was originally a closed system, used only by the ‘Telcos’ (Telecommunication Companies) within their internal network. In the early 90’s, it became necessary to open up SS7 to 3rd party developers and cellular phone companies, and since then there have been increasing concerns over its flaws. Although it will be a long process, there is no doubt that it should be upgraded to meet the security demands of any participating Telcos in the future. I believe that what we need are SS7 Firewalls at each Telco.

Why am I involved in advocating for this upgrade? Well, as many of you will probably know, I was one of the first to literally ‘blow the whistle’ on AT&T’s bright idea of passing the signalling information to the distant switch, by using nothing more than a toy whistle found in Cap’n Crunch cereal.

I was also involved in building Blue Boxes - a device which emitted specific preset tones emulating the phone company’s internal signalling equipment, where one could easily pass commands from one exchange to another. A Blue Box was easy to make. Any hobbyist knowledgeable in electronics could build one. The specific frequencies were even published in the Bell System Technical Journal, found in most College Libraries.

That was back when the Telcos were in the decade-long process of gradually switching over from SS6. When it was complete, in 1975, AT&T ‘long lines’ began deploying the first ‘out of band’ link using what was then called (CC)SS7 or CCIS (Common Channel Interoffice Signalling). This got rid of the Grand Canyon sized hole, but left many other unscrupulous activities possible, especially with increasing mobile phone users 15 years later.

In the early 90s, with the growing popularity of cellular phones, more and more third party Telcos were using SS7 protocols. In developing countries like India, building up the mobile infrastructure was a lot easier than trying to fix the country’s outdated hard wired system, but connecting to the SS7 network was still essential. Thus the decision to interface SS7 to the Internet via SIGTRAN (basically SS7 with Internet Protocols added) was the only way to go.

Now to the present day. We have record numbers of cellular users worldwide, all connected through a system with huge vulnerabilities, written 40 years ago. It’s staggering.

What about Signal and WhatsApp you say? Well guess what, if an attacker knows your phone number, they can hijack your Signal or WhatsApp application by sending a forged SMS message. They just hack the SMS messages through SS7, and snatch away the target’s Signal account. The only way you would know about it is when you no longer get any Signal calls or text messages.

This also would work for WhatsApp, or any other mechanism that uses SMS for 2 factor authentications. The actual content of voice communication is encrypted however by using the Open Whisper Systems protocol (developed by Phil Zimmerman of PGP fame).

The SS7 vulnerability today is like the early 90’s pre-firewall era of the Internet… before programs like ISS (Internet Security System Inc) and SATAN (Security Administrator Tool for Analyzing Networks). Now the Telco’s are realizing that it’s important to see who’s knocking at the door instead of just letting everyone just walk in.

How the SS7 flaw has been already been used against you

A Washington Post article released in August of 2014 showed a long standing and cosy relationship between Law Enforcement and the Telcos. There have been numerous ‘closed’ trade shows in recent years, catering to the justice department, and pushing products like SkyLock. This system was built and designed for legal use by Law Enforcement, and the product description clearly defines its use of SS7 to extract info from any cell phone user, anywhere in the world,

Process this, and it becomes pretty clear why information on the SS7 flaw has been suppressed. The NSA wanted to keep it to themselves as much as possible. Everything that SkyLock can do is made possible by hacking into SS7 or using an IMSI catcher (cell tower impersonator).

But this is not new. Back in 2006, the Electronic Frontier Foundation (EFF) filed a class action lawsuit against AT&T, for violating the law and the privacy of its customers by collaborating with the National Security Agency (NSA) in a massive illegal program to wiretap and data-mine US citizens communications. Whistleblower Mike Klein reported that their ‘special equipment’ was located at the Folsom St. A.T.T. network office in San francisco, in the famous Room 641A.

What needs to change, and how we are still vulnerable

The more blatant holes in SS7 have been patched up, thanks to the work of SR Labs in Berlin. I’m told that all four German providers can now stop the ‘InsertSubscriberData’ SS7 command from entering at their ‘borders’. Unfortunately, this is not the only SS7 command used by hackers (and Law Enforcement).

Coupled with IMSI Catchers like Stingray, which is shrouded in secrecy, and known only to those who sign a strict NDA, its real capacity for privacy violations is totally unknown to ‘John Q Public’. The current laws regarding the use of IMSI Catchers is currently being argued by the lawmakers, and the FCC is looking into the illegal use of these devices, but I’m sure the AUP (Acceptable Use Policy) is chock full of legalese to protect the perpetrators of this questionable use of technology. A surveillance tool like SkyLock combined with IMSI Catchers like Stingray, provide maximum ‘droolage’ for Law Enforcement organizations, so don’t expect a good ruling anytime soon.

What can we do? Well, we can actively connect with the FCC, as Alan Grayson did. I have chosen to work on the problem in a more personal way. I watched presentations from the archived CCC (Chaos Computer Club) Congress sessions, then started sleuthing around the net, informing myself in detail on the SS7 network. In September this year, about a week or so before I flew to Berlin to host the second Geek Fest, I started reaching out to more people in Germany, including Benjamin from SecurityResearch in Germany. Below is a link to a portion of the GeekFest featuring Karsten Nohl, one of our Panelists.

I bookmarked a load of articles from the web, and read them on the long 12 hour flight to Berlin. I travelled days ahead of time, giving myself enough time to work with Benjamin, and also Oliver Soehlke, my Geek Fest ‘partner in crime’. Through Oliver I was able to locate Karsten Nohl, the security researcher, and authority on the SS7 flaw. We met just before the second day of the GeekFest, and Karsten agreed to be on the second panel. Prior to the event, I had a few hours with him to get any gory details of the SS7 flaws I didn’t know about. I also interviewed him for about 20 minutes, and posted the video to my YouTube.

As I write this article, there are a number of tools to help penetration testers find the SS7 flaws. Groups who have vested interests now have specialised teams working to help combat the problems. For instance The Internet Engineering Task Force (IETF), a working group involved in developing standards, have defined level 2, 3, and 4 protocols compatible with SS7 which use the Stream Control Transmission Protocol (SCTP) transport mechanism, the link between the internet and SS7. This suite of protocols is called SIGTRAN. There are also tools available for scanning and discovery of SIGTRAN servers, like the Network and Port Scanner by P1 Security. This scanning tool scans a range of IP addresses, looking for the ‘entry port’ into SS7, much like the scanners used to hunt down specific servers or computers on a network.

People using programs like Wickr Me, an encrypted text chat system that uses a chosen user-name and password instead of a phone number, can remain impervious to the flaw, but no matter what, the SS7 hacker can geo-track a target in real time, listen to their calls, and read their SMS messages, as well as gather a lot of other sensitive private information, just by knowing their phone number. Someone using Signal or WhatsApp, can take comfort in knowing that a hacker will not know who you’re talking to or what you’re saying, so at least this part can remain private.

I can assure you, that most Telcos are fully aware of this attack vector, and most are building up better defenses by deploying firewalls and filters. Since it is difficult to distinguish legitimate traffic, these flaws may remain in effect for a very long time as Telcos scramble to deal with it. The newer DIAMETER protocol might offer better security controls, but will no doubt have their own security issues. DIAMETER systems are being tested and deployed in the newer LTE Cellular networks, which offers faster data speeds than 4G.