Hackers spied on a US Congressman’s communication abusing the SS7 protocol

Security experts eavesdropped and geographic tracked a US Congressman only using his phone number by abusing the SS7 protocol.

Hackers eavesdropped and geographic tracked a US Congressman only using his phone number. Security experts will be no surprised, I wrote many articles on the topic explaining that security flaws in the SS7 protocol could be exploited by an attacker to spy on private phone calls, record them and monitor target’s movements.

In this case, the activity was authorized by the US Representative Ted Lieu in order to demonstrate how much we are vulnerable. The findings were shared by a broadcast Sunday night by 60 Minutes.

Once again the name of the German security expert Karsten Nohl is in the headlines, he is the hacker that was able to record any call made to or from the mobile device used by the US Representative and to track his location in real-time.

“First it’s really creepy,” the US Representative said. “And second it makes me angry. They could hear any call. Pretty much anyone has a cell phone. It could be stock trades you want someone to execute. It could be a call with a bank.”

While SR Labs had permission to carry out the surveillance, there’s nothing stopping malicious hackers from doing the same thing.

Also in this case, the hackers exploited the SS7 protocol, aka Signalling System No. 7.

SS7 is a set of protocols used in telecommunications ever since the late 1970s, enabling smooth transportation of data without any breaches.

Exactly one year ago, Channel Nine’s 60 Minutes has revealed the existence of a security hole in modern telecommunication systems that could be exploited by cyber criminals to listen in on phone conversations and read text messages.

The program explained that Nohl’s team, who is based in Berlin, were able to intercept data and geo-track every mobile user by exploiting a flaw in the SS7 signalling system.

The security issue in the SS7 signaling system could be exploited by criminals, terrorists and intelligence agencies to spy on communications. The SS7 protocol allows cell phone carriers to collect location data related to the user’s device from cell phone towers and share it with other carriers, this means that exploiting the SS7 a carrier is able to discover the position of its customer everywhere he is.

Besides allowing telecommunication companies to query the location of phones on other carriers’ networks, the SS7 protocol allows them to route calls and text messages through a proxy before reaching the legitimate destination. But you know very well that a proxy could allow an attacker to spoof the identity of the victims.

“The flaws, to be reported at a hacker conference in Hamburg this month, are the latest evidence of widespread insecurity on SS7, the global network that allows the world’s cellular carriers to route calls, texts and other services to each other. Experts say it’s increasingly clear that SS7, first designed in the 1980s, is riddled with serious vulnerabilities that undermine the privacy of the world’s billions of cellular customers.

The flaws discovered by the German researchers are actually functions built into SS7 for other purposes – such as keeping calls connected as users speed down highways, switching from cell tower to cell tower – that hackers can repurpose for surveillance because of the lax security on the network.” reports The Washington Post.

The SS7 is widely adopted, it is currently used by more than 800 telecommunication companies around the world. The security experts know very well that the SS7 protocol allows sharing individuals’ subscriber data with any other entity implementing the same protocol.

This means that if a hacker is able to access the network is able to access a wealth of subscriber’s information.

The SS7 protocol is also used by telecommunication companies to offer a number of services to various industries. For example, telecommunication companies use the SS7 to offer banks a service that allows them to confirm the presence of a customer’s phone in a specific country to authorize its transaction avoiding fraudulent activities.

“As long as you have SS7 access, it’s extremely easy,” Les Goldsmith, a researcher from security firm ESD explained to Ars. “Any one of the telcos that has a roaming agreement with the target network can access the phone.” Goldsmith presented his study on the SS7 security at the last RSA conference in San Francisco.

The majority of the telecommunication companies intends to replace the SS7 protocol for more secure one, the Diameter, but they will maintain the backward-compatibility with the SS7 continuing to expose mobile users to the risk of hack.

According to 60 Minutes, intelligence agencies like the NSA exploit the SS7 protocol for their surveillance activities.

Lieu sharply criticized US agencies that may have turned a blind eye to such vulnerabilities.

“The people who knew about this flaw should be fired,” he said. “You cannot have 300 and some million Americans, and really the global citizenry, be at risk of having their phone conversations intercepted with a known flaw simply because some intelligence agencies might get some data. That is not acceptable.” said Lieu.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – SS7 protocol, surveillance)

[adrotate banner=”5″] [adrotate banner=”13″]