The SS7 flaw: all a hacker needs is your phone number
20 Apr 2016
Unless you are a security-minded technology buff, you probably don't know that armed with nothing more than your phone number, a hacker can listen in on and record your calls, read your texts, or track your location. Which is why a segment on phone hacking on the American show 60 Minutes has created widespread interest among audiences who may have thought such a hack could only happen in movies.
If you use a mobile phone, then you use Signaling System Seven, or SS7. "Every person with a cellphone needs SS7 to call or text each other," 60 Minutes explained. "The SS7 network is the heart of the worldwide mobile phone system. Phone companies use SS7 to exchange billing information. Billions of calls and text messages travel through its arteries daily. It is also the network that allows phones to roam."
Security researchers have been warning about SS7 protocol flaws for years. Granted, most people would not be targeted by this type of attack. Then again, some companies sell "the ability to track your phone number wherever you go with a precision of up to 50 metres", as researcher Tobias Engel pointed out during the 2014 Chaos Communication Congress presentation "SS7: Locate. Track. Manipulate."
Karsten Nohl of SRLabs, who hosted the 60 Minutes presentation, also presented that year before releasing "SnoopSnitch." You may remember other times when Nohl revealed vulnerabilities which affected millions of phones.
Some people believe the SS7 flaw has never been fixed "because the location tracking and call bugging capacity has been widely exploited by intelligence services for espionage". Yet if intelligence agencies don't want the flaw fixed because they can abuse it for spying, to glean valuable intel from targets, then Congressman Ted Lieu said those people should absolutely "be fired".
Congressman Lieu agreed to use an iPhone supplied by 60 Minutes even though he knew it would be hacked. He's no technical illiterate either; he has a computer science degree from Stanford and serves on the House Oversight and Reform Subcommittee on Information Technology. The congressman didn't have to fall for social engineering or accept a text with an attachment; all Nohl and his team needed was the phone number of the iPhone Lieu was using.
Although "some US carriers are easier to access through SS7 than others", and the cellular phone trade association told 60 Minutes that "all US cellphone networks were secure", the hackers were able to intercept and record the congressman's calls, read his texts, view his contacts and track his location even if GPS location services were turned off.
Nohl explained, "Any choices that a Congressman could've made - choosing a phone, choosing a PIN number, installing or not installing certain apps, have no influence over what we are showing because this is targeting the mobile network."
When 60 Minutes played a sample of Congressman Lieu's recorded conversation back for him, it included his colleague saying, "I sent you some revisions on the letter to the NSA, regarding the data collection." Lieu was both angered and creeped out. He said attackers abusing the SS7 vulnerability "could hear any call of pretty much anyone who has a smartphone. It could be stock trades you want someone to execute. It could be calls with a bank."
He has previously received a call from President Obama while using a cellphone; if hackers had been using SS7 to listen in, they would know what was said.
If the SS7 vulnerability has not been fixed because it is a favourite spying tool for intelligence agencies, then the people aware of the flaw should be fired, Lieu said. He added, "You cannot have 300-some million Americans – and really, right, the global citizenry be at risk of having their phone conversations intercepted with a known flaw, simply because some intelligence agencies might get some data. That is not acceptable."
Ironically, Australia's 60 Minutes aired a similar phone hacking segment last year detailing how the SS7 flaw could allow "remote bugging of any mobile phone user's calls" and included examples of firms which sell such an ability; one example was the US company Verint, which sells SkyLock to "Locate. Track. Manipulate." The US version did not include a similar list of companies or get the congressman's opinion on those companies.
Nohl explained that there is "no global policing of SS7" and it's up to each mobile network to protect their customers. "And that is hard."
John Hering, cofounder of mobile security firm Lookout, told 60 Minutes there are only two types of people - those who know they've been hacked and those who are unaware they were hacked. "We live in a world where we cannot trust the technology that we use."
So when will the vulnerability in SS7 be fixed? It's a question that has been asked for years; beyond false assurances that US networks are secure, all we get in reply is crickets chirping in the silence. If that is because intelligence agencies don't want it fixed, then let the firing begin.