Cell phone tapping and passcode theft: SS7 is open to attacks like a barn door



In a recent video, Derek Muller of the science YouTube channel “Veritasium” drew attention to serious shortcomings in the mobile phone system that have been around for years. Together with YouTuber Linus Sebastian (Linus Tech Tips), he demonstrates how Sebastian’s cell phone can be tapped and how one-time passwords for two-factor authentication sent via SMS can be stolen. Within a day, the video received more than three million views and nearly 10,000 comments.



The cause of the problem has been known for over a decade: SS7, the Signaling System No. 7 used in 2G and 3G networks. It is used for authorization and billing during transitions between mobile networks, and in particular enables roaming. Muller does not intrude into the communications of his friend’s smartphone on his own, but with the help of Berlin security researcher Karsten Nohl and his team.


Experts from the Chaos Computer Club (CCC) reported in 2014 that SS7 is open to attack like a barn door. Since it has no authentication function, anyone with access to the internet can basically do whatever they want with it. For example, conversations and text messages can be redirected, decrypted and listened to. Location tracking often becomes child’s play. However, the tracking attempts failed at Sebastian’s provider because of its built-in firewall.

Telephone companies developed SS7 in the 1980s because of vulnerabilities in older signaling systems, which were susceptible to phreaking. With SS7, they at least ruled out the possibility that someone could control the network by sending tones over a voice line.

“SS7 is a global network just like the Internet,” Nohl explains in the video. Such an infrastructure requires an addressing scheme that says, “This is me and this is you.” With SS7, Global Titles (GT) are used instead of IP addresses. To ensure global roaming coverage, network operators enter into agreements with two providers in each country. Both parties generally accept messages or commands only from GTs with which they have such an agreement. But where in the 80s there were only a few large, reputable operators who could largely trust each other, there are now more than 1200 operators and 4500 networks, many of which require SS7 access.

“Some of them sell their services to third parties, some can be bribed, some can be hacked,” reports Nohl. SS7 access can be obtained for a few thousand dollars a month. In addition to the phone number, attackers need the victim’s IMSI (International Mobile Subscriber Identity) to appear trustworthy in the SS7 network. This is not hard to get hold of; it can be obtained from routing information, for example. Muller explains: “By tricking the network into thinking that their phone is in roaming, we can rewrite the number” that a person calls “into a number that we control.” As a middleman, it is also possible to “sit on the line and record the conversation.” It works similarly with SMS, so Muller was able to obtain a passcode for Sebastian’s YouTube account and thus gain access to it.

There are still 2.5 million tracking attempts and millions more malicious SS7 requests every year, says Muller. After the first SS7 vulnerability report in 2014, many providers started rejecting particularly dangerous GTs, such as any-time interrogation requests. According to Nohl, there are more than 150 other comparable titles that need to be blocked for complete SS7 security. The new signaling system for 5G appears to be quite secure, but is still used by few operators. “There is no global pressure to replace SS7 with either of the two new versions of the technology.”
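The two defenses described above, accepting traffic only from GTs covered by a roaming agreement and rejecting dangerous request types that arrive from outside, are written out here as a filter over signaling records. This is an added example, not code from the article or the video; the GT prefixes, the record fields and the choice of the MAP operation `anyTimeInterrogation` as the blocked request are assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# All values below are constructed for illustration (999 is not an assigned country code).
OWN_GT_PREFIXES = ("99900",)                # our own network elements
PARTNER_GT_PREFIXES = ("99901", "99902")    # networks we have a roaming agreement with
# Assumption: operations that are only legitimate inside the home network.
INTERNAL_ONLY_OPS = {"anyTimeInterrogation"}


@dataclass(frozen=True)
class SignalingMsg:
    calling_gt: str   # claimed sender address; SS7 does not authenticate it
    operation: str    # MAP operation name
    imsi: str         # subscriber the request is about


def classify(msg: SignalingMsg) -> tuple[str, str]:
    """Return (verdict, reason) for one inbound message."""
    if msg.calling_gt.startswith(OWN_GT_PREFIXES):
        return "allow", "internal"
    if not msg.calling_gt.startswith(PARTNER_GT_PREFIXES):
        return "block", "no-agreement"
    if msg.operation in INTERNAL_ONLY_OPS:
        return "block", "internal-only-op"
    return "allow", "partner"


def blocked_by_sender(msgs) -> Counter:
    """Count blocked messages per (calling GT, reason) so repeat senders stand out."""
    hits = Counter()
    for m in msgs:
        verdict, reason = classify(m)
        if verdict == "block":
            hits[(m.calling_gt, reason)] += 1
    return hits


SAMPLE = [  # constructed records, not real traffic
    SignalingMsg("999000001", "anyTimeInterrogation", "999000000000001"),
    SignalingMsg("999010007", "updateLocation", "999000000000001"),
    SignalingMsg("999010007", "anyTimeInterrogation", "999000000000001"),
    SignalingMsg("999010007", "anyTimeInterrogation", "999000000000002"),
    SignalingMsg("888550003", "updateLocation", "999000000000002"),
]

if __name__ == "__main__":
    for (gt, reason), count in blocked_by_sender(SAMPLE).items():
        print(gt, reason, count)
```

Because the calling GT is only a claimed value, the per-sender counts are what an operator would review: a partner GT that repeatedly sends internal-only requests points to resold or compromised access.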

Barring surprising events, the expert fears that it could take up to 20 years for SS7 networks, which deeply interfere with privacy, to be “finally shut down”. The protocol is still “the backbone of 2G and 3G communications”, says Muller. The EU emergency call system eCall, for example, is based on these mobile phone generations. Last year, researchers at Citizen Lab also warned that SS7 security flaws remain a major threat in 5G despite technological advances.


(Mac)
