Alarming Security Defects in SS7, the Global Cellular Network—and How to Fix Them
The global network that transfers calls between mobile phone carriers has security defects that permit hackers and governments to monitor users’ locations and eavesdrop on conversations. As more reports of these activities surface, carriers are scrambling to protect customers from a few specific types of attacks.
The network, called Signaling System 7, or SS7, is a digital signaling protocol that mobile phone carriers including AT&T, T-Mobile, and Sprint use to send messages to each other about who is a subscriber, where subscribers are located, and how calls should be routed to reach them.
SS7 began as a closed network shared among a few major mobile phone carriers, but grew porous as more carriers joined. Hackers and governments can now gain access by purchasing rights from a carrier (which many are willing to provide for the right price) or infiltrating computers that already have permission.
Once they’re in, hackers and government intelligence agencies have found ways to exploit security defects to monitor users or record calls. Experts who study SS7 have found some individuals are tracked by as many as nine entities at once. While the average citizen isn’t likely to be a target, it’s impossible for consumers to know whether or not they’re being watched.
The sheer scale of SS7 means that these flaws present a massive cybersecurity problem that could theoretically affect any mobile phone user in the world. “Technically speaking, more people use the SS7 than use the Internet,” says Cathal McDaid, chief intelligence officer at network security firm AdaptiveMobile. “It’s the majority of the world’s population.”
To inspire a solution, Karsten Nohl, a computer scientist at Security Research Labs in Berlin, has exposed several methods through which governments and hackers could conduct surveillance and monitor calls using SS7. He recently appeared on 60 Minutes to show that he could hack a cellphone provided to U.S. congressman Ted Lieu using only Lieu’s phone number (Lieu agreed to participate in the demonstration). It’s a stunt Nohl had executed before, once hacking a German senator’s phone.
In an interview with IEEE Spectrum, Nohl describes a few ways that hackers and governments that have gained access to SS7 can manipulate the network to listen to calls or track users:
1. Impersonate a network
When a customer places a call, the phone company sends digital packets of information along dedicated channels within SS7 to find the recipient. Along the way, the company receives information from other carriers about where the recipient is located and which cell tower the call should be routed through.
To make sure incoming calls can find them, phones periodically send messages to nearby towers identifying a user’s location.
Hackers can hijack this process by flooding the system with their own messages pretending to be a network that contains a specific phone. This can cause some confusion, since the original phone will continue to transmit its actual location, but the attacker's repeated messages can usually override the genuine ones.
“Your phone only says ‘Hi’ once every six hours where we can say ‘Hi’ every minute so we can dominate that ping pong game,” Nohl says.
In this way, hackers can intercept all calls destined for a certain number and send the calls through their computers first. Then, they can instruct their system to connect the call to the number the caller originally dialed. A hacker can listen in while the caller talks with the recipient, oblivious to the third party on the line.
2. Intercept a forwarded call
Each mobile phone carrier also operates a Home Location Register, which is the primary database of information about its subscribers. Hackers can use this register to re-route requests or instructions placed by a particular phone.
For example, when a customer sets up call forwarding to send calls directly to voicemail, to a secretary, or to another phone, that transfer is coordinated through the register. The customer’s phone sends out digital packets to their carrier’s register that effectively say, “Mary would like her calls to go to this new number.”
A hacker can divert this message and insert instructions, called supplementary service codes, to again route the call to their own computers. Then, they can connect the call to the number that the caller intended to reach and record the conversation, unbeknownst to anyone else on the call.
3. Fake out CAMEL
Mobile carriers rely on a protocol called CAMEL to make sure the people using their network are real subscribers who have paid their bills. The protocol essentially manages permissions for each registered phone number, but comes with some built-in capabilities that are extremely convenient for hackers.
One such function is that when a user dials a phone number, their phone sends out a request, asking, “Is Mary permitted to call this number?” Normally, a carrier might respond via the CAMEL protocol with a simple “Yes” or “No,” (or perhaps “Yes, but only for three minutes” if a user is running low on prepaid credits).
However, CAMEL also allows carriers to basically say, “Yes, but the number Mary really wants to call is XXX-XXX-XXXX.” Such a function could come in handy if, for example, a caller forgot to dial a country code.
But it also allows hackers to pose as a carrier by sending out their own message that routes every phone call originating from a specific number through their system first. Or, as Nohl says, “We can make it so that every number you dial is us.”
The growing number of attacks has captured the attention of mobile carriers and governments around the world. McDaid of AdaptiveMobile estimates that each day, an average-sized carrier that serves 1 to 5 million customers might be subject to thousands of simple attacks, and a few dozen sophisticated ones.
So what can carriers do to protect customers?
Many have already begun to install protections. AdaptiveMobile has developed firewalls and software for 70 or 80 carriers since 2013. Nohl compares this shift in awareness to the early days of the Internet, when companies and consumers first realized they needed to protect computers from viruses.
McDaid says carriers don’t have any other choice. “The network, it’s really not going to be going anywhere. It’s a multi-billion dollar system that allows mobile carriers to be mobile carriers, basically,” he says. “There really is no alternative to protecting it.”
In some countries, regulators have compelled companies to install certain protections, saying communications is as essential to public infrastructure as water and power. After the 60 Minutes episode, the U.S. Federal Communications Commission said it would study SS7 design flaws and Lieu also asked the House Oversight Committee to examine the network.
In addition to describing the hacks, Nohl and McDaid spoke to IEEE Spectrum about a couple of the most popular protections implemented by mobile carriers today:
1. Checking the plausibility of requests
One way to fend off would-be hackers is to deny requests that don’t make sense based on what a carrier knows about a particular user. This is similar to automatic denials that many credit card companies have in place. Requests or messages that claim a user is in Europe, for example, can be thrown out if the user was detected just five minutes ago in the U.S. Nohl estimates that about 39 percent of SS7 hacks could be prevented if carriers instituted so-called plausibility checks.
2. Blocking “anytime interrogation”
Carriers can also weed out illicit requests known as “anytime interrogations,” which Nohl admits is a “very creepy name” for a “very creepy functionality.” Carriers send these requests to inquire about a user’s whereabouts, but the requests are also frequently exploited for government surveillance.
Nohl says the ability to conduct an anytime interrogation was only supposed to permit carriers to locate their customers, and never meant to be shared. Therefore, blocking all such requests that originate outside of a carrier’s network is an easy way to prevent outside monitoring. He says installing a firewall that denies anytime interrogations as well as a range of other suspicious messages could prevent another 60 percent of SS7 attacks.
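One way to implement the two protections described above (velocity-based plausibility checks on location updates, and rejecting any-time interrogation requests that originate outside the home network) as a small signaling-firewall filter. This is an added example, not code from the article or from any vendor named in it; the home global-title prefix, the speed ceiling, the IMSI and the sample messages are constructed assumptions.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta

HOME_GT_PREFIX = "1310"   # assumed: global titles of the home network start with this
MAX_SPEED_KMH = 1000.0    # assumed ceiling for plausible subscriber movement

@dataclass
class SignalMsg:
    ts: datetime
    op: str            # MAP operation name
    origin_gt: str     # SCCP calling-party global title of the sender
    imsi: str
    lat: float = 0.0   # location the message claims for the subscriber (UpdateLocation only)
    lon: float = 0.0

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def is_external(gt):
    return not gt.startswith(HOME_GT_PREFIX)

def evaluate(msg, last_seen):
    """Return (decision, reason); accepted location updates are remembered in last_seen."""
    # Protection 2: any-time interrogation is never legitimate from outside the home network
    if msg.op == "AnyTimeInterrogation" and is_external(msg.origin_gt):
        return "deny", "external AnyTimeInterrogation"
    # Protection 1: plausibility check on the implied speed of a claimed location change
    if msg.op == "UpdateLocation":
        prev = last_seen.get(msg.imsi)
        if prev is not None:
            hours = (msg.ts - prev.ts).total_seconds() / 3600.0
            km = haversine_km(prev.lat, prev.lon, msg.lat, msg.lon)
            if km > 0 and (hours <= 0 or km / hours > MAX_SPEED_KMH):
                return "deny", f"implausible move of {km:.0f} km in {hours * 60:.0f} min"
        last_seen[msg.imsi] = msg
    return "allow", "ok"

def run_firewall(msgs):
    last_seen = {}
    return [(m.op, *evaluate(m, last_seen)) for m in msgs]

# Constructed sample traffic: a subscriber registers in New York; a foreign node then asks for
# her location and claims she registered in Berlin five minutes later, then again eight hours later.
T0 = datetime(2016, 4, 20, 12, 0)
SAMPLE = [
    SignalMsg(T0, "UpdateLocation", "13105550100", "310150123456789", 40.7128, -74.0060),
    SignalMsg(T0 + timedelta(minutes=1), "AnyTimeInterrogation", "4477000000", "310150123456789"),
    SignalMsg(T0 + timedelta(minutes=2), "AnyTimeInterrogation", "13105550200", "310150123456789"),
    SignalMsg(T0 + timedelta(minutes=5), "UpdateLocation", "4917000000", "310150123456789", 52.5200, 13.4050),
    SignalMsg(T0 + timedelta(hours=8), "UpdateLocation", "4917000000", "310150123456789", 52.5200, 13.4050),
]
```

Running `run_firewall(SAMPLE)` allows the first registration, denies the external interrogation while allowing the internal one, denies the Berlin registration that would imply travelling thousands of kilometres in five minutes, and allows the same registration eight hours later.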