In one of our recent blog articles, “Secure Phones, Wiretaps, and Security Techniques,” there was a discussion of the general principles of cell phone attacks. Now let's talk about one of the specific vectors, namely, hacking based on a vulnerability in the protocol: SS7. Is the devil as scary as he is painted?
History of SS7
As is most often the case, the vulnerability has been going on since the days when no one expected that the protocol would be used so massively, but it was made for completely different volumes of telephone capacities and with an approach to encryption - “even those times”. Such problems, when using the "old and time-tested" solution, the authors of which did not think about further scaling, unfortunately, are quite common.
The scoreboard shows January 3, 1900, instead of January 3, 2000. France
The most famous example, the most hysterical and ridiculous - "Problem 2000", inflated by the fact that the data type used for the date of the data stored only two digits, as in the phrase from which Bill Gates is already tired of disowning: "640 KB should be enough for everyone ". Mass paranoia exceeded the modern covid one and continued for more than one year, they predicted the fall of all banking systems and aircraft, a rollback to the Stone Age and other misfortunes. In fact, everything went surprisingly calmly, there were no major failures even in those countries that did not bother with this problem. On the other hand, several hundred olympiards of foreign money were sawn, enriching the darkness of “IT marketers”.
Alas, with the protocol under discussion, everything is not at all so fun and harmless. Its most common name sounds like “SS7”, and this abbreviation stands for “Signaling System №7”. The “signaling system” is required for the transmission of service messages in the telephone network. Initially, they were extremely simple: a signal to establish a connection between subscribers; that the line is busy; for the transmission of a subscriber's digital number and similar data, simple and uncomplicated, which have exhausted themselves when the telephone network began to rapidly expand, and its structure - even more rapidly becoming more complex. From the mid-70s to the early 80s, the telephone companies slowly developed an advanced command system, the seventh in a row, which was named SS7.
Steven Wozniak's BlueBox
The new system has proven itself perfectly, the data transfer rate has grown significantly, up to scanty from a modern point of view - 64 kbps, but significantly higher than the few kilobits in the previous version. And it became safer, because the control signals were allocated to a separate channel, inaccessible to the average user. The talk of the town was the story of how Jobs and Wozniak hacked the telephone network with a cereal box whistle and a Blue Box. It was an attack on a previous version of the protocol called SS6, ridiculously primitive but effective. The seventh version ruled out hacking using such simple methods.
The American company AT&T was the first to introduce this system, after a few years Europe and Great Britain pulled up and by the end of the 80s SS7 had supplanted the entire zoo of previous generations. In addition to the obvious advantages, the widespread adoption of this protocol - provided the unification and compatibility of telephone networks around the world, many familiar services, such as: Caller ID, call hold, blacklists, call forwarding, and even SMS - became possible just thanks to the new version.
General details
The problem came from where it was not expected. Since none of the creators of the protocol assumed that the signal line would be used to transmit something other than service signals, since its channel was separated from the voice and inaccessible to users, the developers decided not to waste computing resources and did not encrypt data transmission... Not at all! In our time, it's scary to think about this. The widespread introduction of SSL on sites, the active popularization of encryption of everything and everyone, VPNs and messengers with end-to-end encryption - the most sophisticated cryptography is available to the modern user, without any difficulty, even easier than PGP. The site operating on the http protocol today causes suspicion and bewilderment, courts around the world are fighting over access to users' correspondence in instant messengers. And in the mid-70s, no one imagined what unprecedented scale the Internet would reach.
But, the Internet began its triumphant march across the planet and in the early 2000s, the SIGTRAN protocol was developed, which supported all the functions of SS7, but could still perform IP addressing and transmit data through SCTP, one of the transport protocols such as TCP and UDP (old-timers with an age similar to SS7), but has its own advantages, such as multithreading, DDoS protection, and some others. All this made it possible to gain access to the SS7 service channel, which was previously unavailable.
Due to the fact that initially there was no encryption in this channel, and the equipment, to speed up and simplify the work, was designed in such a way that the source of the control packet was not checked, because this would very seriously slow down the operation of the entire network - then the attacker gained full control over it , without much difficulty, because his team was indistinguishable from the operator's. It was enough just to have a computer with the necessary software and Internet access. It is especially unpleasant that the hacker absolutely does not need to be close to the hacked subscriber, he can attack from anywhere in the world. The situation is further complicated by the fact that work with the SS7 protocol, for the overwhelming majority of providers, is hard-wired, and changing the firmware is far from being as easy as rolling out updates to a regular program.
What can be done with an attack through this protocol?
In short, almost anything, because the attacker organizes a classic interception according to the MitM principle. You can read other people's SMS, fake USSD requests, determine the location of the subscriber and even listen to his telephone conversations or turn off his telephone connection. Moreover, hacking SMS has now become much more dangerous than direct wiretapping, because intercepted messages allow you to access Internet banking, steal passwords for authorization in social networks and instant messengers, even to the “impenetrable” Telegram. Two-factor authentication does not help, because all codes transmitted in messages will be available to the hacker.
Some details
How are these attacks carried out? Let us examine, in general terms, their mechanism, but without delving into the jungle, understandable only to engineers with the appropriate education.
Contrary to popular belief, the telephone number (MSISDN: Mobile Subscriber Integrated Services Digital Number) is no longer the main distinguishing feature of the subscriber, now it is the identifier of the SIM card installed in his phone: IMSI (International Mobile Subscriber Identity). But, in order to carry out an attack through SS7, it is enough to know only the subscriber number.
Having gained access to the provider's equipment, which accepts commands using the SS7 protocol, the hacker, using special software on his computer, organizes a fake telephone network through which he sends SMS to the victim's number. The provider's equipment builds a route to the subscriber's device, comparing the MSISDN with its IMSI, through the HLR (Home Location Register) database, and then obediently provides the cracker with not only the victim's SIM card identifier, but also the address of the switch that serves him at the moment (MSC / VLR: Mobile Switching Center / Visitor Location Register). After that, a request is sent to the switch about the identifier of the base station working with the victim's SIM card. There are many online services on the Internet that allow you to give out its coordinates by the cell ID, and therefore the approximate location of the subscriber,
Geolocation is a nice, but not the most important bonus for an attacker, his next goal is to intercept SMS. To do this, he sends the victim's IMSI to the HLR base and connects it to his MSC / VLR switch. Now all messages will go to the attacker, and so that the attacker does not notice anything, another redefinition is made to the real switch serving the target's phone, and then the message will be received “as usual”.
Last but not least step - wiretapping. The attacker, using the SS7 service commands, replaces the subscriber's address in the billing with his own, intercepts the request to pay for the conversation and connects with the person whom the victim called. And then he arranges a triple conference call. Since modern equipment is no longer as slow as the old stepping automatic telephone exchanges, no mysterious clicks or pauses appear, everything is done in microseconds and completely imperceptibly.
And finally, a good old denial of service. The attacker simply transfers the calls to arbitrary numbers and the victim cannot contact anyone.
Notable examples
The apparent simplicity raises a logical question - how many such attacks have been carried out and how long have hackers been using this vulnerability? It turns out not that much.
The most famous attacks, as expected, were demonstrated at hacker congresses, including the "Chaos Computer Club" discussed in the previous article. Although experts have long known about the problems of this protocol, one of the first public discussions took place at CCC in 2008, German security expert Tobias Engel talked about ways to spy on cellular subscribers based on these vulnerabilities, for which it is enough to know only a person's mobile number.
Tobias Engel speaks at CCC
Another surge of interest in SS7 came after Snowden's revelations in 2013, who spoke about the SkyLock project, in which American intelligence services exploited the described vulnerabilities to spy on people.
Description of SkyLock Capabilities
Karsten Nol, already well-known to readers, in 2016 set up a public experiment on the air of the 60 Minutes TV program of the CBS channel. Through a vulnerability in SS7, he hacked into the phone of the specially invited US Congressman Ted Lie. The latter was so impressed that he formally demanded an investigation into the problem.
Karsten Nohl and Ted Lie
Especially trying to popularize this vulnerability of companies selling security software, almost every article on this topic lists certain software products designed to save the world from this scourge.
Is it really that bad?
The reader, impressed by all this information, might decide that hacking a phone over SS7 is so easy that any script kiddie can intercept a classmate's correspondence.
In fact, everything is much more complicated and resembles the paranoia that periodically arises after the next photo of a courier in the metro, who is holding a mobile terminal for payment by bank cards. The hysteria “AAA! He will withdraw money from everyone to the metro, using contactless payment and do not go beyond the limit that does not require a pin code !!! ”. In fact, this attack, although possible, will never be carried out. Because, firstly, the money from the cards will not go to the courier, but to the store owner, whose details are checked by the bank's security officers up to the seventh generation. Secondly, any licenses and fees for acquiring connection cost a lot more than it will be possible to steal quickly in this way. Thirdly, no such transactions are carried out instantly, and the money is first frozen in accounts and the debt is waiting for the final confirmation of the legality of the transaction, and will be pumped back as soon as the fraud is revealed. But the population is in a gambling panic, no matter what.
Horror stories about SS7 look about the same, because the attacker faces several serious problems.
First, you need to have highly specialized software for working with this protocol, which has not yet been seen in the public domain. Numerous “sales” of such programs on the Darknet were fake, to lure money out of school, with lures like “Do you want to know what your girlfriend writes in the Cart?”.
Secondly, you need to find a highly specialized professional who will agree to participate in such an event.
Thirdly, you need to get access to the provider's equipment, which is also not so easy. You need to either hack it remotely, or bribe a company employee, or find an operator who, officially, for a fee, will connect hackers to their SS7 network. African companies are rumored to be providing such services for several thousand dollars, but these are only rumors.
Moreover, even if it is possible to negotiate with a provider who will give you access to their SS7 network and allocate GT (Global Title, a header for routing signaling messages), it is necessary that he officially registered the attacker as his new NE (Network Element) and updated this information from their roaming partners, who will have to add it to the White List. If you just hack the operator's servers, then the maximum that can be done is to organize a local DDoS attack, without intercepting information.
All this looks much more complicated than in the hot articles of the level “Everything is lost!”. Moreover, as soon as information becomes known that someone has intercepted the authorization code in this way, then his GT will be instantly banned by all operators, and cooperation with the “African assistant” may be terminated. Therefore, not every provider will agree to risk their reputation by giving hackers access to their network for such fraud, at least not for thousands of dollars.
In fact, this method of hacking is available only to special services, or it can be done in laboratory conditions, by prior agreement with the victim and maybe even with mobile operators. Moreover, while cellular companies are in no hurry to upgrade their equipment, they are still trying to protect their networks and users. For example, in response to a hacker's request, they may issue not the real IMSI of the subscriber, but with several modified digits or a temporary one taken from a special pool of identifiers created to protect against such interception. Because the operators usually wrap such requests on themselves and themselves are engaged in the delivery of SMS, without giving out critical data to the side. And this is just one of the ways to counteract.
In addition, the developers of two-factor identification also do not stand still and increasingly use not SMS, but transmit the code through their own authenticator program.
New algorithms are being developed and used, for example TOTP, in which the password is generated based on the current time. Moreover, with DFA, not only the server checks the subscriber's SIM card, but also vice versa.
I hope that this information will reassure you a little about the real danger of such an attack, and you will try to use two-factor authorization services that do not use SMS to confirm critical actions, especially since NIST (National Institute of Standards and Technology) strongly discourages doing this. precisely because of problems in SS7.
habrastorage.org
History of SS7
As is most often the case, the vulnerability has been going on since the days when no one expected that the protocol would be used so massively, but it was made for completely different volumes of telephone capacities and with an approach to encryption - “even those times”. Such problems, when using the "old and time-tested" solution, the authors of which did not think about further scaling, unfortunately, are quite common.
The scoreboard shows January 3, 1900, instead of January 3, 2000. France
The most famous example, the most hysterical and ridiculous - "Problem 2000", inflated by the fact that the data type used for the date of the data stored only two digits, as in the phrase from which Bill Gates is already tired of disowning: "640 KB should be enough for everyone ". Mass paranoia exceeded the modern covid one and continued for more than one year, they predicted the fall of all banking systems and aircraft, a rollback to the Stone Age and other misfortunes. In fact, everything went surprisingly calmly, there were no major failures even in those countries that did not bother with this problem. On the other hand, several hundred olympiards of foreign money were sawn, enriching the darkness of “IT marketers”.
Alas, with the protocol under discussion, everything is not at all so fun and harmless. Its most common name sounds like “SS7”, and this abbreviation stands for “Signaling System №7”. The “signaling system” is required for the transmission of service messages in the telephone network. Initially, they were extremely simple: a signal to establish a connection between subscribers; that the line is busy; for the transmission of a subscriber's digital number and similar data, simple and uncomplicated, which have exhausted themselves when the telephone network began to rapidly expand, and its structure - even more rapidly becoming more complex. From the mid-70s to the early 80s, the telephone companies slowly developed an advanced command system, the seventh in a row, which was named SS7.
Steven Wozniak's BlueBox
The new system has proven itself perfectly, the data transfer rate has grown significantly, up to scanty from a modern point of view - 64 kbps, but significantly higher than the few kilobits in the previous version. And it became safer, because the control signals were allocated to a separate channel, inaccessible to the average user. The talk of the town was the story of how Jobs and Wozniak hacked the telephone network with a cereal box whistle and a Blue Box. It was an attack on a previous version of the protocol called SS6, ridiculously primitive but effective. The seventh version ruled out hacking using such simple methods.
The American company AT&T was the first to introduce this system, after a few years Europe and Great Britain pulled up and by the end of the 80s SS7 had supplanted the entire zoo of previous generations. In addition to the obvious advantages, the widespread adoption of this protocol - provided the unification and compatibility of telephone networks around the world, many familiar services, such as: Caller ID, call hold, blacklists, call forwarding, and even SMS - became possible just thanks to the new version.
General details
The problem came from where it was not expected. Since none of the creators of the protocol assumed that the signal line would be used to transmit something other than service signals, since its channel was separated from the voice and inaccessible to users, the developers decided not to waste computing resources and did not encrypt data transmission... Not at all! In our time, it's scary to think about this. The widespread introduction of SSL on sites, the active popularization of encryption of everything and everyone, VPNs and messengers with end-to-end encryption - the most sophisticated cryptography is available to the modern user, without any difficulty, even easier than PGP. The site operating on the http protocol today causes suspicion and bewilderment, courts around the world are fighting over access to users' correspondence in instant messengers. And in the mid-70s, no one imagined what unprecedented scale the Internet would reach.
But, the Internet began its triumphant march across the planet and in the early 2000s, the SIGTRAN protocol was developed, which supported all the functions of SS7, but could still perform IP addressing and transmit data through SCTP, one of the transport protocols such as TCP and UDP (old-timers with an age similar to SS7), but has its own advantages, such as multithreading, DDoS protection, and some others. All this made it possible to gain access to the SS7 service channel, which was previously unavailable.
Due to the fact that initially there was no encryption in this channel, and the equipment, to speed up and simplify the work, was designed in such a way that the source of the control packet was not checked, because this would very seriously slow down the operation of the entire network - then the attacker gained full control over it , without much difficulty, because his team was indistinguishable from the operator's. It was enough just to have a computer with the necessary software and Internet access. It is especially unpleasant that the hacker absolutely does not need to be close to the hacked subscriber, he can attack from anywhere in the world. The situation is further complicated by the fact that work with the SS7 protocol, for the overwhelming majority of providers, is hard-wired, and changing the firmware is far from being as easy as rolling out updates to a regular program.
What can be done with an attack through this protocol?
In short, almost anything, because the attacker organizes a classic interception according to the MitM principle. You can read other people's SMS, fake USSD requests, determine the location of the subscriber and even listen to his telephone conversations or turn off his telephone connection. Moreover, hacking SMS has now become much more dangerous than direct wiretapping, because intercepted messages allow you to access Internet banking, steal passwords for authorization in social networks and instant messengers, even to the “impenetrable” Telegram. Two-factor authentication does not help, because all codes transmitted in messages will be available to the hacker.
Some details
How are these attacks carried out? Let us examine, in general terms, their mechanism, but without delving into the jungle, understandable only to engineers with the appropriate education.
Contrary to popular belief, the telephone number (MSISDN: Mobile Subscriber Integrated Services Digital Number) is no longer the main distinguishing feature of the subscriber, now it is the identifier of the SIM card installed in his phone: IMSI (International Mobile Subscriber Identity). But, in order to carry out an attack through SS7, it is enough to know only the subscriber number.
Having gained access to the provider's equipment, which accepts commands using the SS7 protocol, the hacker, using special software on his computer, organizes a fake telephone network through which he sends SMS to the victim's number. The provider's equipment builds a route to the subscriber's device, comparing the MSISDN with its IMSI, through the HLR (Home Location Register) database, and then obediently provides the cracker with not only the victim's SIM card identifier, but also the address of the switch that serves him at the moment (MSC / VLR: Mobile Switching Center / Visitor Location Register). After that, a request is sent to the switch about the identifier of the base station working with the victim's SIM card. There are many online services on the Internet that allow you to give out its coordinates by the cell ID, and therefore the approximate location of the subscriber,
Geolocation is a nice, but not the most important bonus for an attacker, his next goal is to intercept SMS. To do this, he sends the victim's IMSI to the HLR base and connects it to his MSC / VLR switch. Now all messages will go to the attacker, and so that the attacker does not notice anything, another redefinition is made to the real switch serving the target's phone, and then the message will be received “as usual”.
Last but not least step - wiretapping. The attacker, using the SS7 service commands, replaces the subscriber's address in the billing with his own, intercepts the request to pay for the conversation and connects with the person whom the victim called. And then he arranges a triple conference call. Since modern equipment is no longer as slow as the old stepping automatic telephone exchanges, no mysterious clicks or pauses appear, everything is done in microseconds and completely imperceptibly.
And finally, a good old denial of service. The attacker simply transfers the calls to arbitrary numbers and the victim cannot contact anyone.
Notable examples
The apparent simplicity raises a logical question - how many such attacks have been carried out and how long have hackers been using this vulnerability? It turns out not that much.
The most famous attacks, as expected, were demonstrated at hacker congresses, including the "Chaos Computer Club" discussed in the previous article. Although experts have long known about the problems of this protocol, one of the first public discussions took place at CCC in 2008, German security expert Tobias Engel talked about ways to spy on cellular subscribers based on these vulnerabilities, for which it is enough to know only a person's mobile number.
Tobias Engel speaks at CCC
Another surge of interest in SS7 came after Snowden's revelations in 2013, who spoke about the SkyLock project, in which American intelligence services exploited the described vulnerabilities to spy on people.
Description of SkyLock Capabilities
Karsten Nol, already well-known to readers, in 2016 set up a public experiment on the air of the 60 Minutes TV program of the CBS channel. Through a vulnerability in SS7, he hacked into the phone of the specially invited US Congressman Ted Lie. The latter was so impressed that he formally demanded an investigation into the problem.
Karsten Nohl and Ted Lie
Especially trying to popularize this vulnerability of companies selling security software, almost every article on this topic lists certain software products designed to save the world from this scourge.
Is it really that bad?
The reader, impressed by all this information, might decide that hacking a phone over SS7 is so easy that any script kiddie can intercept a classmate's correspondence.
In fact, everything is much more complicated and resembles the paranoia that periodically arises after the next photo of a courier in the metro, who is holding a mobile terminal for payment by bank cards. The hysteria “AAA! He will withdraw money from everyone to the metro, using contactless payment and do not go beyond the limit that does not require a pin code !!! ”. In fact, this attack, although possible, will never be carried out. Because, firstly, the money from the cards will not go to the courier, but to the store owner, whose details are checked by the bank's security officers up to the seventh generation. Secondly, any licenses and fees for acquiring connection cost a lot more than it will be possible to steal quickly in this way. Thirdly, no such transactions are carried out instantly, and the money is first frozen in accounts and the debt is waiting for the final confirmation of the legality of the transaction, and will be pumped back as soon as the fraud is revealed. But the population is in a gambling panic, no matter what.
Horror stories about SS7 look about the same, because the attacker faces several serious problems.
First, you need to have highly specialized software for working with this protocol, which has not yet been seen in the public domain. Numerous “sales” of such programs on the Darknet were fake, to lure money out of school, with lures like “Do you want to know what your girlfriend writes in the Cart?”.
Secondly, you need to find a highly specialized professional who will agree to participate in such an event.
Thirdly, you need to get access to the provider's equipment, which is also not so easy. You need to either hack it remotely, or bribe a company employee, or find an operator who, officially, for a fee, will connect hackers to their SS7 network. African companies are rumored to be providing such services for several thousand dollars, but these are only rumors.
Moreover, even if it is possible to negotiate with a provider who will give you access to their SS7 network and allocate GT (Global Title, a header for routing signaling messages), it is necessary that he officially registered the attacker as his new NE (Network Element) and updated this information from their roaming partners, who will have to add it to the White List. If you just hack the operator's servers, then the maximum that can be done is to organize a local DDoS attack, without intercepting information.
All this looks much more complicated than in the hot articles of the level “Everything is lost!”. Moreover, as soon as information becomes known that someone has intercepted the authorization code in this way, then his GT will be instantly banned by all operators, and cooperation with the “African assistant” may be terminated. Therefore, not every provider will agree to risk their reputation by giving hackers access to their network for such fraud, at least not for thousands of dollars.
In fact, this method of hacking is available only to special services, or it can be done in laboratory conditions, by prior agreement with the victim and maybe even with mobile operators. Moreover, while cellular companies are in no hurry to upgrade their equipment, they are still trying to protect their networks and users. For example, in response to a hacker's request, they may issue not the real IMSI of the subscriber, but with several modified digits or a temporary one taken from a special pool of identifiers created to protect against such interception. Because the operators usually wrap such requests on themselves and themselves are engaged in the delivery of SMS, without giving out critical data to the side. And this is just one of the ways to counteract.
In addition, the developers of two-factor identification also do not stand still and increasingly use not SMS, but transmit the code through their own authenticator program.
New algorithms are being developed and used, for example TOTP, in which the password is generated based on the current time. Moreover, with DFA, not only the server checks the subscriber's SIM card, but also vice versa.
I hope that this information will reassure you a little about the real danger of such an attack, and you will try to use two-factor authorization services that do not use SMS to confirm critical actions, especially since NIST (National Institute of Standards and Technology) strongly discourages doing this. precisely because of problems in SS7.
habrastorage.org
