Call Privacy Virtually Non-Existent Because Of Poor SS7 Security

In three recent talks at the Chaos Communication Congress, researchers talked about how SS7, the protocol being used to route calls between switching centers, can allow almost anyone to intercept calls, messages and locations.

The SS7 protocol is over three decades old (made in the 1980s) and it was never built with security in mind. According to the researchers,the protocol was meant to help mobile carriers keep calls connected as they speed down a highway. However, those same features can be repurposed by attackers to track anyone anywhere in the world, remotely.

The German researchers found two ways to snoop on calls using the SS7 protocol. The first one is by taking advantage of a phone’s call “forwarding” function, which they can use to redirect calls to themselves so they can intercept them, and then redirect the calls again to the intended recipients.

This flaw is not only dangerous because your calls can be intercepted without you even realizing it, but it’s also dangerous for all two-factor authentication systems out there. For instance, if the attackers already have the password to your email account, but you have that account protected by two-factor authentication, then they can use the SS7 flaw to request and intercept the two-factor authentication code, as well.

This is one of the reasons why SMS-based two-factor authentication is not that safe, and at the very least it’s easily bypassed by law enforcement and spy agencies, if not ordinary attackers.

The second eavesdropping method using SS7 requires proximity, which means fake cell tower antennas (essentially IMSI-catchers) are necessary to intercept the messages and calls passing through the local airwaves. The advantage of this method is that it can be deployed on a wide scale (using multiple antennas). The attackers can request an encryption key from the carrier through the SS7 protocol to decrypt the recorded data.

One of the researchers working with SS7 vulnerabilities, Karsten Nohl (who happens to be the same one who warned us about BadUSB earlier this year), has already built an application for Android that acts as a firewall against SS7 attacks.

The app is called SnoopSnitch and is available right now, along with the source code. However, it only works on some Qualcomm-based phones, because the app requires certain access to the baseband firmware. The phones also need root privilege to access those Qualcomm libraries.

Follow us @tomshardware, on Facebook and on Google+.

This thread is closed for comments
5 comments
    Your comment
  • Achoo22
    This article would be much more interesting if the author tried the software out personally and reported on the results.
  • jalek
    It takes fake cell towers? Weren't those in the news recently as one of the ways the US government has been monitoring the people it supposedly serves?
  • MustSee4KTV
    Jalek, I remember a news story (I think it was 60 Minutes) about 2 farmers that wanted to test the hack. They said that all the equipment they need to build it was $6000. The put it on a model bi-plane/drone (included in their price) and programmed it to fly in circles. They tested it in their fields as not to intercept someone else's calls, but they of course intercepted their own calls and could hear everything that was said. They said that they were surprised more governments don't do that. The plane is now hanging at the International Spy Museum in D.C.