
How vulnerabilities in SS7 protocol expose all mobile networks to attacks

Jun 12, 2017 7:27:24 PM

If you were an intelligence agency, your dream would be to monitor anyone, anywhere in the world, right? The inherent vulnerabilities of SS7, a protocol used by network operators around the globe, make this dream a reality. Cybercriminals have also exploited these flaws to drain bank accounts. Here is what you need to know about SS7 and how to keep your data safe.

The vulnerabilities in the SS7 protocol allow attackers to track people and intercept communications around the globe.

SS7 stands for Signaling System 7. It is a standard that dates back to the 1970s and manages the communication between the networks of different operators. Thanks to this system, you can still receive calls even when you are not near a cell tower of your provider – when traveling, or abroad. It lets your operator transmit your communications over the networks of competitors or other countries.

Why SS7 vulnerabilities are such a big deal

The tricky thing is that network operators have elevated access to user communications. Just by seeing which cell tower was used to deliver a particular message, your carrier can verify your location. In fact, SS7 makes this kind of information available to all operators worldwide. To access it, you had to be an operator. This is why, when police want to track a suspect or read their messages, they go to their carrier with the respective warrant and request the data.

Recent breakthroughs in exploiting SS7’s dated security features have made this step redundant. The system is designed to handle requests from multiple parties, which are sometimes direct competitors. Because of that, it doesn’t discriminate and accepts every request as legitimate. Current state-of-the-art surveillance systems can tap into SS7 directly – either by posing as operators or by using their own infrastructure – and access these same communications. Once in, it is not very hard to get any information.

Early this year, however, it became clear that such capabilities are no longer exclusive to intelligence agencies and law enforcement. The customers of a German telecom reportedly had their accounts drained after hackers exploited SS7 vulnerabilities to get the verification codes that their bank sends them via SMS to perform two-factor authentication before transactions. Using the codes together with banking credentials, which the attackers stole separately via a phishing attack, they managed to transfer the money into dummy funds.

How can these vulnerabilities be countered?

These exploits are possible mostly because regular calls and text messages travel over mobile networks virtually unencrypted. The GSM protocol encrypts calls only while they are in transit between the user handset and the nearest cell tower. They are decrypted when they reach the cell tower so that it can transfer them to the next node in the network. If you have infiltrated the network (as would be the case if you are using an IMSI-catcher, or an SS7 exploit), this in-transit encryption doesn’t bother you.

It is ultimately up to network operators to patch the vulnerabilities in SS7 and make their infrastructure more secure. The news about bank accounts getting drained via such an exploit is certainly going to push carriers to address the issue. Until operators complete the overhaul of their networks, such incidents will likely grow more common. This is why users have to take measures now. Here is what you can do.

  • Use strong end-to-end encryption. This is the type of encryption in which the messages get scrambled on the sender’s end and decrypted only once they reach the recipient's. Even if someone takes hold of a network and intercepts such a message, they wouldn’t be able to read it without the encryption key – which only the two communicating parties share.
  • Detect and avoid IMSI-catchers. It is a bit trickier when it comes to location tracking. To locate you via SS7, attackers must have your device’s IMSI – a unique identifier for every cellular user. To get this number, they must first use a Stingray device near your phone (more on how this works here). However, with the help of an IMSI-catcher detector app – such as the one featured on our Secure Phone device – you can avoid such attacks.
  • Use a multi-IMSI SIM. Steering clear of IMSI-catchers is not easy. In case your device gets compromised in such an attack, from that moment on, the IMSI associated with it can always be used to track you, unless you use a technology that lets you swap that identifier for another one. Secure Group’s Secure SIM is one such offering – a SIM card that contains up to 16 IMSI numbers.

 

 

 


Topics: Attacks, IMSI-catchers, SS7

Written by Stefan Topuzov, Security Expert
