Call Privacy Virtually Non-Existent Because Of Poor SS7 Security

SS7: Locate Track Manipulate by Tobias Engel - CCC talk

In three recent talks at the Chaos Communication Congress, researchers talked about how SS7, the protocol being used to route calls between switching centers, can allow almost anyone to intercept calls and messages and track locations.

The SS7 protocol is over three decades old (made in the 1980s) and it was never built with security in mind. According to the researchers, the protocol was meant to help mobile carriers keep calls connected as callers speed down a highway. However, those same features can be repurposed by attackers to track anyone anywhere in the world, remotely.

The German researchers found two ways to snoop on calls using the SS7 protocol. The first one is by taking advantage of a phone's call "forwarding" function, which they can use to redirect calls to themselves so they can intercept them, and then redirect the calls again to the intended recipients.

This flaw is not only dangerous because your calls can be intercepted without you even realizing it, but it's also dangerous for all two-factor authentication systems out there. For instance, if the attackers already have the password to your email account, but you have that account protected by two-factor authentication, then they can use the SS7 flaw to request and intercept the two-factor authentication code, as well.

This is one of the reasons why SMS-based two-factor authentication is not that safe, and at the very least it's easily bypassed by law enforcement and spy agencies, if not ordinary attackers.

The second eavesdropping method using SS7 requires proximity, which means fake cell tower antennas (essentially IMSI-catchers) are necessary to intercept the messages and calls passing through the local airwaves. The advantage of this method is that it can be deployed on a wide scale (using multiple antennas). The attackers can request an encryption key from the carrier through the SS7 protocol to decrypt the recorded data.

One of the researchers working with SS7 vulnerabilities, Karsten Nohl (who happens to be the same one who warned us about BadUSB earlier this year), has already built an application for Android that acts as a firewall against SS7 attacks.

The app is called SnoopSnitch and is available right now, along with the source code. However, it only works on some Qualcomm-based phones, because the app requires certain access to the baseband firmware. The phones also need root privileges to access those Qualcomm libraries.

Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.