
German researchers discover flaw that could let anyone listen to cell calls - haakon
http://www.washingtonpost.com/blogs/the-switch/wp/2014/12/18/german-researchers-discover-a-flaw-that-could-let-anyone-listen-to-your-cell-calls-and-read-your-texts/
======
Animats
Signaling System 7 (SS7) is a big security problem. It's the packet-switched
control network for the phone system, and it has very little security. It was
designed in 1980 to be run only internally between phone switches.

The main function of SS7 is call setup. All the switches along the route get
their switching commands over SS7, not over the circuit-switched channel.
(That went out with SS5, the old audio-tone based system). Call setup is
preceded by "translation", turning a destination phone number into a route.
That's done with query messages over SS7.

This allows outsourced wiretapping. Verisign offers this as a service for
telcos, so they don't have to deal with law enforcement themselves.

[http://www.verisign.com/static/001927.pdf](http://www.verisign.com/static/001927.pdf)

Verisign, which also runs much of the US SS7 network
([http://www.verisign.com/stellent/groups/public/documents/dat...](http://www.verisign.com/stellent/groups/public/documents/data_sheet/005169.pdf))
is well placed to do this. All they have to do for a wiretap is to have the
translations for a source or destination number reroute to a wiretap point,
which then records while forwarding to the desired destination. As an SS7
provider, they already have all the call metadata.

Vulnerabilities come in because more parties now have SS7 access. Cellular
roaming and VoIP to landline routing are managed over SS7. So a large number
of computers other than dedicated telco switches now have SS7 connections. A
break-in at any of those points has wiretapping potential.

~~~
dchichkov
A bit of a plug. If anyone is interested in playing with (doing research on)
SS7 vulnerabilities, a few years back (five) I participated in building a
pretty cute test toolkit that allows one to send/receive/parse/play scenarios
using SS7/C7/3G/CDMA/.../SCTP/SS7 over IP/... packets on any level of the
network. The list of supported protocols is available here:
[http://www.linkbit.com/platforms](http://www.linkbit.com/platforms) It
follows standards and usually implements 100% of the protocol (including
conditional constraints, etc). But it also allows one to 'break' stuff and send
custom/unsupported/broken fields.

It is pretty cute, you can do most of the stuff just in the visual packet
editors / flow editors and where necessary revert to python snippets.

To get the feel of it, and see some pics:
[http://docs.linkbit.com/](http://docs.linkbit.com/)

edit: and basically yes. As a protocol engineer and somebody very familiar
with SS7/C7/GSM/.., once you have access to the network (which can be done
over IP!) I wouldn't be at all surprised if you could misuse it.

~~~
_wmd
As someone that used to be more interested in this stuff, it seems I missed
the part where SS7 access became generally available. The first I saw mention
of it, I think, was on an SMS provider's web site under a "Contact Us" type
banner. Which makes me wonder, what changed to allow more businesses access
and more importantly where do I sign up? :)

SS7 is one of those revered buzzphrases from my teen years, even getting to
play with it for a weekend would really sweeten my Christmas.

~~~
rsync
If I understand correctly, all of the femtocell products that consumers can
purchase and deploy are little SS7 gateways that you can have right in your
home...

------
at-fates-hands
An interesting read on the current state of SS7, circa 2013:

[http://blog.pt.com/vendors-eol-announcement](http://blog.pt.com/vendors-eol-announcement)

 _The 3G/4G segment of subscribers will have a distribution of 3.4 billion
using 3G (SS7) services and .9 billion using 4G services. The total outcome of
this research indicates that a total of 7.65 billion subscribers, out of a
total of 8.5 billion subscribers, will remain on SS7-based networks in 2017._

 _Verizon went on to further explain that a final 2G/3G (SS7) sunset
timeframe decision has not been made._

The good news is vendors are not happy, considering the availability of
hardware will decrease significantly over the same time period, hopefully
speeding the sunset for this technology.

 _Some service providers are planning on a strategy of consolidating their
network, having no support and cannibalizing existing spare equipment for
hardware support._

------
darkhorn
In the Turkish Ministry of Foreign Affairs it is forbidden to bring cell phones
into meetings. However it is totally okay to bring tablets and laptops into the
meetings. Source: my friend works there.

Edit: phones are forbidden due to the recent spying events.

~~~
yourad_io
Do they allow 3G tablets or anything that falls in the not-a-phone-but-has-a-
SIM/baseband proc?

I'm assuming a GSM (or equivalent) baseband is the only thing separating a
smartphone from a smartablet and smartlaptop nowadays, correct? If they allow 3G
tablets, then this is a security-theater kind of decision, aimed to appease
"management", and we must make fun of them.

If they ban all baseband-carrying devices, then this is a consistent policy
that is paranoid about a very specific thing that, quite frankly, invites a
lot of healthy paranoia.

I wonder what it'll take to open up those baseband processors.

~~~
darkhorn
As far as I remember nobody checks whether you carry a phone into a meeting. It
is just forbidden. If they say that phone is forbidden it means literally that
phone is forbidden, no matter smart phone or dumb phone; a tablet with 3G is
okay because it is not a phone overall. You may show some slides etc., you
know... or you might want to connect to the internet...

------
spacefight
Of course we can be sure that those fellows were not the first to learn about
that.

The hack of the Belgian telco Belgacom sees more light day by day.

This system is broken beyond repair. We need to build it up from the ground,
safe.

~~~
MichaelCrawford
Someone is making encrypted Android phones in Switzerland, they said they
would cost about $600.00, and should be shipping by now.

They can interoperate with regular Android phones if those phones have their
app installed. I don't know what happens, if one calls a phone that does not
support encryption.

Boeing is, or will soon be making such a phone, specifically intended for
classified communication. I don't know whether they will be sold to the
public.

~~~
moe
There's also a few Apps for encrypted calls.

The good ones are open source, such as RedPhone:
[https://github.com/WhisperSystems/RedPhone](https://github.com/WhisperSystems/RedPhone)

------
eyeareque
One more reason to encrypt every bit we send and to use voip instead of the
PSTN/Cellular voice.

------
lazyjones
German state-controlled media and the Deutsche Telekom immediately reported
that big carriers have already fixed the problem and are no longer allowing
"unauthorized" requests for encryption parameters via SS7. ;-)

(source: [http://heise.de/-2503376](http://heise.de/-2503376) - sorry,
German)

------
upofadown
The only interesting thing here is the new attack at the radio level that
allows call monitoring. It sounds like it might be easier than setting up a
fake tower. It still sounds like it required an active attack though so in
practice the difference might be all that important.

------
guelo
"anyone" can not listen to your cell calls. Only people that have access to
inject commands into the SS7 network that your call is routed through can do
that.

~~~
pbhjpbhj
Or those that can create a pico cell that your phone connects to and then MITM
your call. I gather the equipment is pretty accessibly priced now.

~~~
frozenport
The expertise to do these things is the domain of well-outfitted
organizations, who have other simpler methods of making you talk. Indeed,
electronic surveillance is often used to protect agents from dangerous
work.

~~~
uaygsfdbzf
The technology to do these things is open source and available here:

[http://osmocom.org/](http://osmocom.org/)

~~~
frozenport
I'm not sure how to hack a mobile phone using this software? The expertise to
find these kinds of exploits is hard to develop individually.

~~~
eric_bullington
>The expertise to find these kinds of exploits is hard to develop
individually.

Yes, but numerous people participating in the Osmocom projects have that
expertise. Fortunately, they're interested in building an open-source baseband
processor (among other cool things), and not in hacking into anyone's private
communications.

~~~
frozenport
It is well known that GNURadio is used by the US navy. I could easily see
Osmocom being used for good or bad - the most important thing being human
resources. Although in the case of Osmocom, I'm still not sure how it is
related to this kind of hacking.

~~~
eric_bullington
Did you even look at the OsmocomBB project? It's pretty well-known that
their software (with some alterations) can be used as a poor man's BTS, and so
can passively sniff other phones. They're pretty cagey about it, and
understandably so since they're pretty conscientious about complying with laws
and regs and yet they apparently draw a lot of script kiddies looking to "hack
peoples phones signals".

Besides, base stations are available openly on the market now at pretty
reasonable prices. It's why I never talk about anything truly private on a
mobile phone.

------
charlieok
I just tried searching this entire comments page for the string “batman”.
Incredibly, there were 0 occurrences. So I'll just add: this sounds kinda like
that batman movie where they turned every cellphone in the city into a remote
listening device (and then declared that nobody should have that kind of
power).

------
tiler
A couple of random thoughts on potential applications/uses:

1. Alexandria needs to communicate with Bilbo. Alexandria has the privilege
of being trusted by whatever organization she belongs to (be that her country,
company, etc) and as such is unmonitored AFAsheKs. Bilbo on the other hand is
some fugitive-type and is unable, or perhaps unwilling, to enter direct
communication with Alexandria for fear of compromising himself or his beloved
Alexandria. Bilbo could then monitor Alexandria's calls for an encoded message
via a protocol they predetermine. This protocol could take the form of
linguistic or audio steganography. One could imagine all sorts of information
being leaked by Alexandria.

2. More realistically this could be a tool for bribery. Monitor a set of
vulnerable targets, wait until they reveal something, take a bribe to stay
quiet.

3. Or, for the Machiavellian-minded, leak information that was supposedly
confidential between two parties.

~~~
jmnicolas
I didn't understand anything. Could you explain it with Alice and Bob instead?

------
skidoo
Of course there are insecurities, but this sounds like an opening shot calling
for a "new" system to allow better security, or rather, a system even more
easily controlled.

------
peterwwillis
Really, none of this is surprising or new. If you're bored/curious, here's
some fun reading on exploring/exploiting telecom networks. Spoiler alert: it's
really easy and it has been forever. Big ups to Philippe Langlois for all his
great research over the years.

Interview: Telecom Security Expert Philippe Langlois on GCHQ Spying
([http://www.spiegel.de/international/europe/interview-telecom...](http://www.spiegel.de/international/europe/interview-telecom-security-expert-philippe-langlois-on-gchq-spying-a-933870.html))

Vulnerabilities and Possible Attacks against the GPRS Backbone Network
([http://critis06.lcc.uma.es/files/Vulnerabilities%20and%20Pos...](http://critis06.lcc.uma.es/files/Vulnerabilities%20and%20Possible%20Attacks%20against%20the%20GPRS%20Backbone%20Network.pdf))

Getting in the SS7 kingdom: hard technology and disturbingly easy hacks to get
entry points in the walled garden
([http://www.hackitoergosum.org/2010/HES2010-planglois-Attacki...](http://www.hackitoergosum.org/2010/HES2010-planglois-Attacking-SS7.pdf))

Telecom Signaling Attacks on 3G and LTE networks
([http://www.slideshare.net/p1sec/telecom-security-from-ss7-to...](http://www.slideshare.net/p1sec/telecom-security-from-ss7-to-all-ip-allopenv3zeronights))

GSM and 3G Security
([https://webcache.googleusercontent.com/search?q=cache:WlEd4H...](https://webcache.googleusercontent.com/search?q=cache:WlEd4HCpl48J:www.blackhat.com/presentations/bh-asia-01/gadiax.ppt+&cd=16&hl=en&ct=clnk&gl=us&client=firefox-a))

Locating Mobile Phones using Signalling System #7
([http://events.ccc.de/congress/2008/Fahrplan/attachments/1262...](http://events.ccc.de/congress/2008/Fahrplan/attachments/1262_25c3-locating-mobile-phones.pdf))

SCTPscan - Finding entry points to SS7 Networks & Telecommunication Backbones
([https://www.blackhat.com/presentations/bh-europe-07/Langlois...](https://www.blackhat.com/presentations/bh-europe-07/Langlois/Presentation/bh-eu-07-langlois-ppt-apr19.pdf))

LTE Pwnage: Hacking HLR/HSS and MME Core Network Elements
([http://www.slideshare.net/p1sec/p1security-lte-pwnage-v21](http://www.slideshare.net/p1sec/p1security-lte-pwnage-v21))

Map of mobile network security
([https://srlabs.de/gsmmap/](https://srlabs.de/gsmmap/))

Rooting The HLRs Mobile And Critical Infrastructure Insecurity
([https://archive.org/details/D3T202201308021200RootingTheHlrs...](https://archive.org/details/D3T202201308021200RootingTheHlrsMobileAndCriticalInfrastructureInsecurityPhilippeLanglois))

AURORAGOLD Working Group - Shaping understanding of the global GSM/UMTS/LTE
landscape - from the Snowden leaks (government employees should probably not
click this)
([https://s3.amazonaws.com/s3.documentcloud.org/documents/1374...](https://s3.amazonaws.com/s3.documentcloud.org/documents/1374178/auroragold-working-group.pdf)) ([https://firstlook.org/theintercept/2014/12/04/nsa-auroragold...](https://firstlook.org/theintercept/2014/12/04/nsa-auroragold-hack-cellphones/))

------
MichaelCrawford
There is a maintenance mode in every cell phone that allows it to be remotely
turned on, that is, used as a listening device, without your knowledge.

I don't know what authentication is required. I expect that it was designed so
that only your cell carrier could enable it, however whatever may have been
secret about it, quite likely has leaked out by now.

If you don't want to be listened-to, don't have _any_ cell phones anywhere
near you. Not just your own - say you want a private conversation in a public
place; the phones of other people in your general vicinity could be switched
on to listen to you.

I learned this from a well-known left-wing radical organization known as the
United States Air Force, when I applied for the USAF Cyber Command. Their site
had a recruiting video that depicted a couple of officers locking their phones
into a grounded metal box - a Faraday cage - before entering a secure area,
that is, a room where secrets were openly discussed.

~~~
cryptoz
I've been asking everyone I know questions about this to make them realize how
intense the total surveillance possibilities are.

"How many internet-connected microphones are in the same room as you?"

It's astonishing how big that number gets. For me right now, it's ~50. And so
many of them are made by different companies, assembled in different
countries, etc. The chance that someone, somewhere, can listen to you is
nearly 100% if you're in a semi-public space. We're living in a dramatically
_more_ invasive surveillance society than 1984 ever predicted (that was just
street cameras & one 'telescreen' in your home).

And then, add into this mix that we have new market acceptance for devices
that intentionally open this behaviour: XBox One, Moto X,
Amazon's...whatevertheycallit. There's not only technical capability, but also
increasing consumer _desire_. It's crazy.

Further edits: There's a lot more at stake here, too, if you extrapolate from
their[1] known capabilities and combine with actors who may also have motives
at large scale. Take Facebook's mood-altering study, for example. We know that
someone/Facebook has the ability to alter the moods and opinions of large
groups of populations. The same actors can also listen/watch those people in
real time. Dystopian scenarios of totalitarian governments exercising total
population thought-control are more and more plausible as we all trade our
privacy and security to giant corporations in exchange for mere convenience in
our daily lives.

[1]: Who is 'they'? I don't know, but there are many possible 'they's and it
might be many of them.

~~~
MichaelCrawford
Most notebook computers have video cameras built into the display's frame, at
the top. These cameras typically have a light that powers on when the camera
is in use.

However there is nothing at all to indicate that the computer has its audio
microphone in use.

~~~
0942v8653
I'm pretty sure that (on my MacBook Air, anyway) you only need to get a kext
installed for the camera to not light up.

~~~
MichaelCrawford
I know some ways around that.

~~~
fru2013
Please share.

~~~
MichaelCrawford
I could tell you but then I'd have to kill you.

Well OK...

More or less like writing any kind of virus.

Apple likes to claim that OS X is more secure. In reality, most of those who
write malware own Windows boxen.

~~~
arm
I don’t think you fully understood what _0942v8653_ said; why would you write
malware to perform the default behaviour (the LED turning on when the camera
is on)?

