Call Privacy Virtually Non-Existent Because Of Poor SS7 Security

SS7: Locate Track Manipulate by Tobias Engel - CCC talk

In three recent talks at the Chaos Communication Congress, researchers talked about how SS7, the protocol being used to route calls between switching centers, can allow almost anyone to intercept calls, messages and locations.

The SS7 protocol is over three decades old (made in the 1980s) and it was never built with security in mind. According to the researchers, the protocol was meant to help mobile carriers keep calls connected as they speed down a highway. However, those same features can be repurposed by attackers to track anyone anywhere in the world, remotely.

The German researchers found two ways to snoop on calls using the SS7 protocol. The first one is by taking advantage of a phone's call "forwarding" function, which they can use to redirect calls to themselves so they can intercept them, and then redirect the calls again to the intended recipients.

This flaw is not only dangerous because your calls can be intercepted without you even realizing it, but it's also dangerous for all two-factor authentication systems out there. For instance, if the attackers already have the password to your email account, but you have that account protected by two-factor authentication, then they can use the SS7 flaw to request and intercept the two-factor authentication code, as well.

This is one of the reasons why SMS-based two-factor authentication is not that safe, and at the very least it's easily bypassed by law enforcement and spy agencies, if not ordinary attackers.

The second eavesdropping method using SS7 requires proximity, which means fake cell tower antennas (essentially IMSI-catchers) are necessary to intercept the messages and calls passing through the local airwaves. The advantage of this method is that it can be deployed on a wide scale (using multiple antennas). The attackers can request an encryption key from the carrier through the SS7 protocol to decrypt the recorded data.

One of the researchers working with SS7 vulnerabilities, Karsten Nohl (who happens to be the same one who warned us about BadUSB earlier this year), has already built an application for Android that acts as a firewall against SS7 attacks.

The app is called SnoopSnitch and is available right now, along with the source code. However, it only works on some Qualcomm-based phones, because the app requires certain access to the baseband firmware. The phones also need root privilege to access those Qualcomm libraries.

Follow us @tomshardware, on Facebook and on Google+.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • Achoo22
    This article would be much more interesting if the author tried the software out personally and reported on the results.
  • jalek
    It takes fake cell towers? Weren't those in the news recently as one of the ways the US government has been monitoring the people it supposedly serves?
  • MustSee4KTV
    Jalek, I remember a news story (I think it was 60 Minutes) about 2 farmers that wanted to test the hack. They said that all the equipment they need to build it was $6000. The put it on a model bi-plane/drone (included in their price) and programmed it to fly in circles. They tested it in their fields as not to intercept someone else's calls, but they of course intercepted their own calls and could hear everything that was said. They said that they were surprised more governments don't do that. The plane is now hanging at the International Spy Museum in D.C.
  • Woody87
    A solution to the two factor email authentication vulnerability would be to use a virtual phone number to authenticate the email account that is tied to a different email account and set that virtual number to send you an email instead of an SMS text with the authentication code. The email is encrypted and thus they would need to hack both email accounts simultaneously to obtain access. I wonder how many people change their mobile phone number and forget to reset their email authentication before leaving the store? not a problem with virtual numbers.

    You can further enhance security by limited email access to specific devices if your provider allows it.

    Also...voice and SMS aren't meant to be secure....We used to use party lines...Remember how easy it was to wiretap a landline with a portable radio earbud? Back in the days of early cellular you could listen to other people's phone calls with a scanner you could buy at Radio Shack. Early wireless house phones could be intercepted with a baby monitor. We've actually made it more of a challenge to eavesdrop but the bottom line is don't expect your phone and SMS to be totally secure.
  • toadhammer
    LTE is fairly secure; the phone has to be authenticated by the network, but the phone also authenticates the network. Makes it very hard to fake. Unfortunately, it is still possible for a fake basestation to force the phone to fall back to 3G or 2G, which are vulnerable.