Tech Talk


Alarming Security Defects in SS7, the Global Cellular Network—and How to Fix Them

The global network that transfers calls between mobile phone carriers has security defects that permit hackers and governments to monitor users’ locations and eavesdrop on conversations. As more reports of these activities surface, carriers are scrambling to protect customers from a few specific types of attacks.

The network, called Signaling System 7, or SS7, is a digital signaling protocol that mobile phone carriers including AT&T, T-Mobile, and Sprint use to send messages to each other about who is a subscriber, where subscribers are located, and how calls should be routed to reach them.

SS7 began as a closed network shared among a few major mobile phone carriers, but grew porous as more carriers joined. Hackers and governments can now gain access by purchasing rights from a carrier (which many are willing to provide for the right price) or infiltrating computers that already have permission.

Once they’re in, hackers and government intelligence agencies have found ways to exploit security defects to monitor users or record calls. Experts who study SS7 have found some individuals are tracked by as many as nine entities at once. While the average citizen isn’t likely to be a target, it’s impossible for consumers to know whether or not they’re being watched.

The problem

The sheer scale of SS7 means that these flaws present a massive cybersecurity problem that could theoretically affect any mobile phone user in the world. “Technically speaking, more people use the SS7 than use the Internet,” says Cathal McDaid, chief intelligence officer at network security firm AdaptiveMobile. “It’s the majority of the world’s population.”

To inspire a solution, Karsten Nohl, a computer scientist at Security Research Labs in Berlin, has exposed several methods through which governments and hackers could conduct surveillance and monitor calls using SS7. He recently appeared on 60 Minutes to show that he could hack a cellphone provided to U.S. congressman Ted Lieu using only Lieu’s phone number (Lieu agreed to participate in the demonstration). It’s a stunt Nohl had executed before, once hacking a German senator’s phone.

In an interview with IEEE Spectrum, Nohl describes a few ways that hackers and governments that have gained access to SS7 can manipulate the network to listen to calls or track users:

1. Impersonate a network

When a customer places a call, the phone company sends digital packets of information along dedicated channels within SS7 to find the recipient. Along the way, the company receives information from other carriers about where the recipient is located and which cell tower the call should be routed through.

To make sure incoming calls can find them, phones periodically send messages to nearby towers identifying a user’s location.

Hackers can hijack this process by flooding the system with their own messages pretending to be a network that contains a specific phone. This can cause some confusion since the original phone will continue to transmit its actual location, but hackers can usually overcome true signals.

“Your phone only says ‘Hi’ once every six hours where we can say ‘Hi’ every minute so we can dominate that ping pong game,” Nohl says. 

In this way, hackers can intercept all calls destined for a certain number and send the calls through their computers first. Then, they can instruct their system to connect the call to the number the caller originally dialed. A hacker can listen in while the caller talks with the recipient, oblivious to the third party on the line.  

2. Intercept a forwarded call

Each mobile phone carrier also operates a Home Location Register, which is the primary database of information about its subscribers. Hackers can use this register to re-route requests or instructions placed by a particular phone.

For example, when a customer sets up call forwarding to send calls directly to voicemail, to a secretary, or to another phone, that transfer is coordinated through the register. The customer’s phone sends out digital packets to their carrier’s register that effectively say, “Mary would like her calls to go to this new number.”

A hacker can divert this message and insert instructions, called supplementary service codes, to again route the call to their own computers. Then, they can connect the call to the number that the caller intended to reach and record the conversation, unbeknownst to anyone else on the call.

3. Fake out CAMEL

Mobile carriers rely on a protocol called CAMEL to make sure the people using their network are real subscribers who have paid their bills. The protocol essentially manages permissions for each registered phone number, but comes with some built-in capabilities that are extremely convenient for hackers.

One such function is that when a user dials a phone number, their phone sends out a request, asking, “Is Mary permitted to call this number?” Normally, a carrier might respond via the CAMEL protocol with a simple “Yes” or “No” (or perhaps “Yes, but only for three minutes” if a user is running low on prepaid credits).

However, CAMEL also allows carriers to basically say, “Yes, but the number Mary really wants to call is XXX-XXX-XXXX.” Such a function could come in handy if, for example, a caller forgot to dial a country code.

But it also allows hackers to pose as a carrier by sending out their own message that routes every phone call originating from a specific number through their system first. Or, as Nohl says, “We can make it so that every number you dial is us.”

The solution

The growing number of attacks has captured the attention of mobile carriers and governments around the world. McDaid of AdaptiveMobile estimates that each day, an average-sized carrier that serves 1 to 5 million customers might be subject to thousands of simple attacks, and a few dozen sophisticated ones.

So what can carriers do to protect customers?

Many have already begun to install protections. AdaptiveMobile has developed firewalls and software for 70 or 80 carriers since 2013. Nohl compares this shift in awareness to the early days of the Internet, when companies and consumers first realized they needed to protect computers from viruses. 

McDaid says carriers don’t have any other choice. “The network, it’s really not going to be going anywhere. It’s a multi-billion dollar system that allows mobile carriers to be mobile carriers, basically,” he says. “There really is no alternative to protecting it.”

In some countries, regulators have compelled companies to install certain protections, saying communications is as essential to public infrastructure as water and power. After the 60 Minutes episode, the U.S. Federal Communications Commission said it would study SS7 design flaws and Lieu also asked the House Oversight Committee to examine the network.  

In addition to describing the hacks, Nohl and McDaid spoke to IEEE Spectrum about a couple of the most popular protections implemented by mobile carriers today:

1. Checking the plausibility of requests

One way to fend off would-be hackers is to deny requests that don’t make sense based on what a carrier knows about a particular user. This is similar to automatic denials that many credit card companies have in place. Requests or messages that claim a user is in Europe, for example, can be thrown out if the user was detected just five minutes ago in the U.S. Nohl estimates that about 39 percent of SS7 hacks could be prevented if carriers instituted so-called plausibility checks.

2. Blocking “anytime interrogation”

Carriers can also weed out illicit requests known as “anytime interrogations,” which Nohl admits is a “very creepy name” for a “very creepy functionality.” Carriers send these requests to inquire about a user’s whereabouts, but the requests are also frequently exploited for government surveillance.

Nohl says the ability to conduct an anytime interrogation was only supposed to permit carriers to locate their customers, and never meant to be shared. Therefore, blocking all such requests that originate outside of a carrier’s network is an easy way to prevent outside monitoring. He says installing a firewall that denies anytime interrogations as well as a range of other suspicious messages could prevent another 60 percent of SS7 attacks.
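
The two protections described above, a plausibility check on location claims and the blocking of anytime interrogations that originate outside the carrier's network, can be expressed as a single message filter. This is an added example, not code from Nohl, AdaptiveMobile or any carrier; the message fields, message labels, origin prefixes, speed ceiling and sample messages are all constructed assumptions.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Tuple

# Assumptions for illustration only (none of these values come from the article):
HOME_ORIGIN_PREFIXES = ("10000",)  # constructed addresses of the carrier's own nodes
MAX_SPEED_KMH = 1000.0             # ceiling for believable travel, about airliner speed
MIN_JUMP_KM = 50.0                 # ignore small jumps between neighbouring cells


@dataclass(frozen=True)
class Message:
    kind: str         # hypothetical labels: "anytime_interrogation", "location_update"
    origin: str       # address of the network node that sent the message
    subscriber: str
    timestamp: float  # seconds since an arbitrary start
    lat: float = 0.0  # claimed position (location_update only)
    lon: float = 0.0


def distance_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points (haversine formula)."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


class SignalingFilter:
    """Applies the two checks and remembers each subscriber's last accepted position."""

    def __init__(self) -> None:
        self.last_seen: Dict[str, Tuple[float, float, float]] = {}

    def check(self, msg: Message) -> Tuple[bool, str]:
        if msg.kind == "anytime_interrogation":
            if msg.origin.startswith(HOME_ORIGIN_PREFIXES):
                return True, "internal anytime interrogation"
            return False, "anytime interrogation from outside the home network"
        if msg.kind == "location_update":
            prior = self.last_seen.get(msg.subscriber)
            if prior is not None:
                t0, lat0, lon0 = prior
                jump = distance_km(lat0, lon0, msg.lat, msg.lon)
                hours = (msg.timestamp - t0) / 3600.0
                # A large jump in zero or negative time is implausible by definition.
                if jump > MIN_JUMP_KM and (hours <= 0 or jump / hours > MAX_SPEED_KMH):
                    # Rejected claims never overwrite the stored position, so a
                    # stream of false updates cannot shift the baseline.
                    return False, f"implausible move of {jump:.0f} km"
            self.last_seen[msg.subscriber] = (msg.timestamp, msg.lat, msg.lon)
            return True, "plausible location update"
        return True, "message type not covered by this example"


def run_sample() -> List[Tuple[bool, str]]:
    """Run the filter over constructed messages (not captured traffic)."""
    nyc, berlin = (40.71, -74.01), (52.52, 13.40)
    sample = [
        Message("location_update", "1000055", "sub-1", 0, *nyc),
        Message("location_update", "4999901", "sub-1", 300, *berlin),   # 5 minutes later
        Message("location_update", "1000055", "sub-1", 3600, *nyc),
        Message("anytime_interrogation", "4999901", "sub-1", 3700),
        Message("anytime_interrogation", "1000055", "sub-1", 3800),
        Message("location_update", "4999901", "sub-1", 36000, *berlin),  # 9 hours later
    ]
    fw = SignalingFilter()
    return [fw.check(m) for m in sample]


if __name__ == "__main__":
    for allowed, reason in run_sample():
        print("ALLOW" if allowed else "DENY ", reason)
```

Because a denied location claim leaves the stored position untouched, the legitimate update that follows it is still judged against the last accepted location.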


In Privacy Versus Security, End-to-End Encryption Is Definitely Winning

While the U.S. Federal Bureau of Investigation publicly feuds with Apple over access to the iPhones of criminals, a quiet but monumental shift in mobile security could upend the agency’s plans to keep private lines of communication pried open. Mobile messaging companies are embracing end-to-end encryption, which puts conversations permanently out of reach of both law enforcement and the companies themselves.

This month, Viber and WhatsApp announced end-to-end encryption as a default setting, protecting the communications of 1.7 billion combined users worldwide. End-to-end encryption is a security mechanism that fully encrypts a message from the moment it is composed through its final delivery.

With this method, the key required to decrypt messages is only shared between sender and receiver. It is not known or stored by the company that shuttles messages between two parties. That means there’s no way for law enforcement to force a company to decrypt messages, because the company itself does not hold and cannot access the key to decode them.  

The widespread use of this protection on popular messaging apps propels the privacy versus security debate into new terrain. In the United States, the FBI claimed earlier this year that it needed Apple to provide access to an iPhone owned by a man who committed a mass shooting in San Bernardino, Calif., so that the agency could recover information for its investigation.

But iPhone access does not unlock the data held within apps, especially if that data was protected by another passcode or exchanged using end-to-end encryption. Even if law enforcement gains access to iPhones in future investigations, they will likely run up against these barriers. Though WhatsApp and Viber do not have built-in passcode protection, users can download third-party apps to add a password to any app on their phones.

To fight back, several countries including the U.K. and U.S. are weighing legislation and proposals to prohibit companies from using end-to-end encryption. Security experts have argued that these measures are nearsighted, since companies elsewhere could easily build apps that use end-to-end encryption and offer them to users anywhere in the world.

Recent developments reflect a prediction shared with IEEE Spectrum by Matthew Green, a cryptography expert at Johns Hopkins University, in Baltimore: that instant messaging services would be first to roll out end-to-end encryption, even ahead of email providers. Both Google and Yahoo have invested resources into developing end-to-end encryption for email, but the technical challenges are greater than for instant messaging. Implementing this protection would also clash with business priorities such as Google services that automatically schedule flights or meetings by perusing users’ emails.


Ultrasonic Signals Transmit Data Through Meat at HD Video Quality

Modern medical implants are hobbled by slow download speeds. Most medical devices transmit data over radio frequencies at the relatively glacial pace of fewer than 50 kilobytes per second. At that rate, it can take ages for physicians to transfer data or reprogram devices.

New evidence suggests ultrasonic signals could speed up that process. Researchers who achieved higher data rates in one early test say that these signals may eventually enable doctors to live stream high-quality video from inside of a patient. 

A team led by Andrew Singer, an electrical engineer at the University of Illinois at Urbana-Champaign, found that they could use ultrasonic signals to transfer data through meat at speeds up to 30 megabits per second. That’s the highest ever recorded data rate for signals transmitted through animal tissue, Singer says. For comparison, streaming Netflix in Ultra HD requires 25 megabits per second.

Most implants installed today broadcast on radio frequencies. But those signals must remain below a maximum bandwidth of 300 kilohertz. More powerful signals might cause the resulting electromagnetic waves to interfere with nearby devices. They could also harm patients, since the body absorbs some waves as the signals pass through. Or as Singer puts it, “We are a bag of salt water, and electromagnetic waves heat up salt water.”  

In addition to being dangerous, this absorption also makes data transfer quite inefficient. Singer wanted to use ultrasonic signals to transmit data at higher rates and keep more of it intact along the way.

Before he could begin his experiment, Singer had to pick up some pork loin and beef liver from County Market in Champaign, Ill. He threw some pig knuckles in the shopping bag, too, because he thought it might be neat to try to transmit wireless signals through bone and gristle.

Back at his lab, colleagues rejected the pig knuckles. But the remaining slabs were carefully strung, one at a time, between two 5-megahertz transducers in a tank filled with water. One transducer converted binary digital data to ultrasonic signals that were transmitted through the meat. Its twin measured the resulting data rates.

Singer was happy to see that, in addition to the signal traveling fast, most of the original data arrived intact, with little lost during its journey through the meat.  “We were a little bit surprised that the meat really did not provide much in terms of additional dispersion or attenuation,” Singer says. “The signals coupled extremely well and we had almost the entire bandwidth available to us for data transmission.”

Jeremy Dahl, a radiologist at Stanford University who focuses on ultrasonic devices, points out that the transducers in Singer’s study were positioned only 5.86 centimeters apart, with the meat in the middle. Therefore, it’s not clear that medical devices embedded deep in the body could achieve similar rates while transmitting to, for example, a physician’s kiosk across the room.

And since they didn’t test the pig knuckles, Singer’s group still doesn’t know how ultrasonic signals will stack up as a method of data transmission when signals have to travel through bone or skin.

Another potential issue is that ultrasonic signals travel in a beam instead of broadcasting in all directions at once. A physician would have to know how a device is oriented within a patient’s body in order to catch the signal it emits.

“If you’re trying to receive from a different location from where that beam is directed, you’re not going to receive any signal,” Dahl says. Radio frequency is omnidirectional, so an external device can capture it from any direction.

Next, Singer hopes to pursue animal studies. In the future, he thinks higher data rates achieved through ultrasonic signals could allow physicians to ask a patient to swallow a camera and watch a live stream as it passes through the digestive tract.

Or, it might enable practical functions that have so far eluded the medical device industry, such as making software upgrades to devices that are already in place. “At today's rates for communicating with implantable devices, you'd never even consider the possibility to change the software on these things,” Singer says.  

They’re Alive! Vintage Computer Fans Keep the Great Machines of the Past Running

A monochrome glow spilled out into the room, produced in the old fashioned way: by hurling electrons at a phosphorescent screen. The high-pitched rasp of a dot-matrix printer pierced the air. For a second I was back in the 1980s, the 8-bit age when computers stopped being things that people only saw in movies and magazines and started cluttering up their homes. Then someone jostled against me and I returned to the present and the crowded exhibition hall of the Vintage Computer Festival East (VCF East).

The festival took place 15-17 April at the InfoAge Science Center in Wall, New Jersey. The center itself has an interesting place in technological history, stretching back to its origins as part of Marconi’s radio empire and including decades as a top secret communications research facility for the military. An 18-meter radio dish that was used as the ground station for the pioneering Tiros weather satellite, launched in 1960, is being restored to full operation at the site. 

The InfoAge center is home to a permanent collection of vintage computers, covering the years from 1945 to 1986, but it’s also home to the annual festival where enthusiasts gather to exhibit their personal collections of vintage computers and related items. Most of the machines still function, sometimes only thanks to heroic restoration efforts.

On display at this year’s festival was a working Apple 1, a rarity easily worth hundreds of thousands of dollars. It had been painstakingly restored for the owner by exhibitor Corey Cohen, who is now often employed by auction houses looking to verify the authenticity of such machines. My favorite moment was when he loaded a computer program into the Apple via the original cassette tape interface—with a sound file on his iPhone standing in for the cassette player.

Going back further in time, Brian Stuart demoed his emulator of the fabled and immensely influential World War II–era ENIAC computer. Stuart’s emulator not only reproduces most of the internal workings of the behemoth machines on a PC, but he’s taken the time to recreate the panel displays from old photographs so that they light up exactly as they would have done when the real machine was running. When I arrived, Bill Mauchly, son of ENIAC co-creator John Mauchly, was looking over the emulator with obvious delight. Mauchly pointed out that one of the original programmers seen tending to the giant machine in a photograph was his mother, Kathleen Kay McNulty, whom Mauchly senior had married in 1948. “ENIAC is sort of like my step-brother,” he joked.

Other displays included things like a collection of Apple II clones from around the world, including a fascinating Bulgarian machine that also housed a Z80 processor in addition to the Apple’s standard 6502 CPU. The user can switch between processors, allowing them to run a much wider range of software than either CPU alone. Another switch lets the machine’s display alternate between the Roman and Cyrillic alphabets (all programming had to be done using the Roman alphabet).

Speakers at the conference included John Blankenbaker, creator of the Kenbak-1, a little known non-microprocessor-based educational machine that has a good claim to being the first commercial personal computer. Ted Nelson, the man who coined the words hypertext and hypermedia (among other contributions to our modern digital lexicon), walked attendees through some of his alternative vision for what computing could be. Nelson’s original system design for hypertext, called Xanadu, included both “jump links”—now known as the hyperlinks that glue the Web together—and a system for visually presenting relationships between documents. Said Nelson:  “The World Wide Web is a fork of Xanadu,” one that kept the jump links but left out what Nelson considers the most important part: being able to visualize the connections between documents. He’s still working on a prototype of the full system, but as he nears his 80th birthday he ruefully admits, “all my plans involve being younger.” (Look out for the video of IEEE Spectrum’s interview with Nelson soon).

Evan Koblentz, the author of Abacus to Smartphone: The Evolution of Mobile Computers and president of the Vintage Computer Federation, a non-profit umbrella organization to a number of festivals, explains that one of his goals is to build bridges between historians of computer science and the enthusiasts and collectors who keep and tend early machines. “I think that [academic] researchers need to get their hands dirty, and hobbyists need to understand that research isn’t just looking things up on Wikipedia.”

If you missed this year’s show in New Jersey, you still have several chances to revisit the vintage world of computing. VCF Europa takes place in Munich from 30 April to 1 May, and VCF West will take place at the Computer History Museum in Silicon Valley from 6-7 August.  

Video produced by Kristen Clark.


Mobile Forensics CEO Proposes Controversial Access Tech for Smartphones

The FBI may have unlocked the iPhone 5C held by a San Bernardino shooter without Apple’s help, but the agency and the world’s largest tech company are still at odds over whether law enforcement should be granted access into the smartphones of suspects and criminals.

On Tuesday, a U.S. House of Representatives subcommittee will hear arguments from Apple and the FBI on how best to weigh the privacy and security of citizens in such cases. Amid the dispute, the CEO of a mobile forensics company has proposed a controversial “backdoor” solution based in public key cryptography that he says represents the best possible compromise between the two.

However, several cybersecurity and computer science experts interviewed by IEEE Spectrum disagree, saying that this type of access creates vulnerabilities and is of limited value to law enforcement.


Watch Heat Surge Across Semiconductors at the Speed of Sound

Using ultrafast electron microscopy, researchers at the University of Minnesota in Minneapolis have made the first videos of acoustic phonons—quantized mechanical waves that carry energy through materials—moving heat through semiconductor crystals. The images show how defects in crystals of tungsten diselenide (WSe₂) and germanium change the way energy propagates through the material.

In the video, one of several published with their paper in Nature Communications, phonons arise and flow through the “macroscopically ordered but microscopically disordered” crystals as water flows through a rocky stream. Phonons typically traverse defects in 100 femtoseconds (100 × 10⁻¹⁵ s), making them challenging to catch in the act.

All along its path, the wave causes momentary elastic changes in the crystal structure. This, in turn, changes the way the material diffracts the stroboscopic bright-field electron stream, revealing the phonon’s progress. (Bright-field microscopy is the simplest technique, familiar from high-school biology: light shines up from below and passes through the specimen and up to the objective.)

"As soon as we saw the waves, we knew it was an extremely exciting observation," said lead researcher David Flannigan, an assistant professor of chemical engineering and materials science, in a university statement. "Actually watching this process happen at the nanoscale is a dream come true."

"In many applications, scientists and engineers want to understand thermal-energy motion, control it, collect it, and precisely guide it to do useful work or very quickly move it away from sensitive components," Flannigan said. "Because the lengths and times are so small and so fast, it has been very difficult to understand in detail how this occurs in materials that have imperfections, as essentially all materials do. Literally watching this process happen would go a very long way in building our understanding, and now we can do just that."

The researchers found that the phonons don’t start uniformly along the crystal’s edge, but rather begin at a smaller nucleating spot. The appearance of “coherent, propagating wavefronts” is “extremely sensitive to the shape of local strain fields…and vacuum-crystal interfaces”—in short, the behavior of the phonon reflects the crystal structure and directly reveals local thermal and electronic characteristics.

The University of Minnesota research is the latest showing in increasing detail how phonons carry heat and sound through condensed matter, suggesting how developers can induce, fine-tune, and test materials designed to order to transport heat and current.

Stretching a self-healing artificial muscle made by Zhenan Bao's team at Stanford.

A Super-Stretchy Self-Healing Artificial Muscle

When you pull a muscle, it may hurt like heck for a while, but the human body can heal. The same is not true of the electrically-responsive polymers used to make artificial muscles for haptic systems and experimental robots. When they get cut or punctured, it’s game over.

A new polymer that’s super stretchy and self-healing can act as a more resilient artificial muscle material. Created by a team led by Stanford University materials scientist Zhenan Bao, the polymer has an unusual combination of properties. A 2.5-centimeter sheet of the stuff can be stretched out to a length of 2.5 meters. When it’s punctured it fuses back together, something other self-healing materials don’t do well in ambient conditions.


New Full Duplex Radio Chip Transmits and Receives Wireless Signals at Once

A new wireless chip can perform a feat that could prove quite useful for the next generation of wireless technology: transmitting and receiving signals on the same frequency, at the same time, with the help of a single antenna. This approach instantly doubles the data capacity of existing technology, though it is not yet capable of the power levels necessary to operate on traditional mobile networks.

Last year, Harish Krishnaswamy, an electrical engineer at Columbia University, demonstrated the ability to transmit and receive signals on the same frequency using two antennas in a full duplex radio that he built. Now, Negar Reiskarimian, a PhD student under Krishnaswamy, has embedded this technology on a chip that could eventually be used in smartphones and tablets. This time, the transmitter and receiver share a single antenna.


U.S. Leads Global Effort to Bring 1.5 Billion People Online by 2020

A global push to create more than a billion new Internet users over the next four years is underway, and leaders this week announced dozens of country-specific projects devoted to improving connectivity. India also officially signed on, joining more than 35 nations committed to expanding public Internet access and working with industry to build connections for rural users.

U.S. Secretary of State John Kerry led a meeting of global finance ministers, company executives and government representatives on Thursday in Washington D.C. to promote the U.S. State Department’s Global Connect Initiative, first announced last fall. The initiative has a stated goal of bringing 1.5 billion people online by 2020.

Kerry underscored the program’s ambition and mission by calling it “sort of the international equivalent of Franklin Roosevelt’s electrification program 80 years ago.”


SkinHaptics Uses Ultrasound to Generate Haptic Feedback Through Your Body

In the future that I'm planning on living in, nobody will carry around laptops or cell phones anymore. Instead, electronics will be embedded in wearables: in wristbands, in watches, in rings, in clothing, and eventually, in things like electronic temporary tattoos that you apply directly to your skin. The more embedded the technology gets, the trickier interaction with it can be, since you're no longer physically holding objects. At the University of Sussex, in England, researchers have developed a system called SkinHaptics that transmits ultrasound straight through your body to generate focused haptic feedback on the surface of your skin.


Tech Talk

IEEE Spectrum’s general technology blog, featuring news, analysis, and opinions about engineering, consumer electronics, and technology and society, from the editorial staff and freelance contributors.
