back to article White hats do an NSA, figure out LIVE PHONE TRACKING via protocol vuln

Security vulnerabilities in the SS7 phone-call routing protocol that allow mobile call and text message tracking will be revealed this weekend. Details of SS7 vulnerabilities are due to be revealed to the public for the first time at the Chaos Communication Congress hacker conference in Hamburg on 27 December (schedule here). …

  1. Uberseehandel

    Cracking encryption in real time becomes trivial when the 16 most significant bits of the encryption key are set to zero, as they are for most networks in central and eastern Europe.

    Taking over the cells is equally trivial.

    All this sloppy procedure saves the federal authorities the bother of arranging matters formally, as the laws, in the various jurisdictions, require.

    Is it any wonder that undesirables jump on board?

  2. Christian Berger

    There will be streams

    Unlike other events where streaming is outsourced to incompetent companies like "LiveStream", streaming is done by themselves. So no flash plug-in or other weird stuff needed. Streaming just like it should be.

    1. phil dude
      Thumb Up

      Re: There will be streams



    2. Christian Berger

      Re: There will be streams

      The first streams are already online.

      The direct URLs are on the page with the actual streams. And you can even select a slide stream.

  3. Anonymous Coward
    Anonymous Coward

    How convenient

    > Engel also told us that while the A5/3 encryption used in 3G (and some GSM) has not been cracked, signalling data which is normally used between switching centres that want to hand over a call if the subscriber travels into a new service area can, however, leak the key.

    It's stuff like this which fuels the tinfoil hat's paranoia.

  4. Anonymous Coward
    Anonymous Coward

    Did I miss something?

    Was some solution to block this vulnerability offered?

  5. Slx

    I wonder if we're forgetting to patch these old-school 'non-sexy' systems because so much focus is on more modern purely IP technology.

    SS7 emerged in the 1970s and got standardised officially in 1980. It's very old-school in many ways and is designed for handling telephone calls and ISDN data on digital telephone exchange networks. It has umpteen different national versions and proprietary extensions for various purposes.

    It underlies a big chunk of how GSM and UMTS work too. LTE (4G) is all-IP based, but your voice and text traffic is still falling back onto older SS7 based traditional telephony technologies in most cases as VoIP type systems for LTE haven't been widely rolled out.

    It's easy to forget that a lot of voice calls and data still get processed by some rather dusty old digital technology that developed quite separately from the internet and IP.

    Also, a lot of those systems were built with "legal interception" capabilities from day one too. So, I'm sure there are plenty of things that could be spoofed, intercepted, or otherwise hacked by someone who really knew their way around those old voice and data networks.

    I just always get the impression that 'the industry' and the equipment vendors thought that all of these old networks would have been shut down and replaced by something more modern like SIP and VoIP for voice by now. However, there are still loads of old telephone switchs like Ericsson AXE, Alcatel-Lucent's 5ESS (Bell Labs), E10 (Alcatel) and S12 (ITT), Nokia/Siemens EWSD and DX200, Nortel/Genband DMS, Marconi System X (UK only) and so on all still chugging away providing ISDN and Dial tones all over the world, they've been adapted and tweaked to sit on more modern networks, but the old school stuff's often still there in the local exchange / central office along side cutting edge fibre to kerb and everything else.

    These older systems and protocols are also firmly embedded in modern IP networks and SS7 is used for many call handling functions even in much later generation networks and you'll find telephone switching systems running on modern blade servers etc etc..

    From what I can see, these systems will be with us for a lot longer than anticipated and we'd really want to ensure they're locked down against modern threats!

    1. Christian Berger


      Well actually the mind set is currently being taken over to SIP. So the people who made weird and complex extensions to SS7, now make weird and complex things with SIP. This falls under the name of "Next Generation Networks".

      For example one large German telephone company puts the username of the PPPoE session of a call into the SIP headers... Those headers then commonly leak out to connected carriers.

      Essentially the "NGN" crowd wants to stuff everything into SIP blowing up the complexity of the protocol. This will mean that at least between carriers there will be lots of interesting things to toy with. Depending on your carrier some headers may in fact even be passed on to the end customer.

  6. Anonymous Coward
    Anonymous Coward

    What about VoLTE?

    What happens when everyone is on VoLTE in a few years? Since that's packet switched rather than circuit switched, if both ends of the call were on the same carrier that supports VoLTE there would be no SS7 protocol used, right?

    Assuming that's true, what about calls between two carriers that support VoLTE, would they use SS7 for the hand off or would it be IP between the two?

    Any call involving a traditional landline on either end is probably ALWAYS going to involve SS7. There isn't any incentive to replace it when traditional landlines are a dying breed, being replaced by mobile and VoIP. As the article says SIP is probably just as exploitable because it too is being extended well beyond its original intent, and wasn't built from the ground up with security as the most important feature. So ironically, wireless calls may be more secure than other options in the future, when it has been (or was believed to have been) the opposite in the past.

    I think it is safe to assume that the NSA, GCHQ and friends have been exploiting all the weaknesses in SS7 for ages, and will probably work behind the scenes to extend its life as long as possible, or insert weaknesses into whatever eventually replaces it.

    1. Daniel B.

      Re: What about VoLTE?

      Crypto will set you free.

      Landline stuff can be made secure with end-to-end crypto, if you have that it doesn't matter if you have SS7 vulns leaking your voicestream somewhere else. Of course, the SS7 metadata itself is still vulnerable and will still "talk" about you.

      I'm guessing that for telephone convos to be truly safe, you would need VoIP over IPSec.

      1. Anonymous Coward
        Anonymous Coward

        Re: What about VoLTE?

        Sure, the content of the calls can be made secure via encryption, but not the information about who you are calling and who calls you. Given the way the NSA determines who to target, in a way that's almost more important than the actual content of your calls.

        Granted when the telcos cooperate they will just hand this data over, but presumably not all Euro telcos are as easily bent over as the US ones. With this SS7 attack the NSA can still get this information about who Angela Merkel is calling and who is calling her even if she's got NSA-proof call encryption.

    2. Christian Berger

      Re: What about VoLTE?

      Well VoLTE will be interresting. One German telco already embeds the username of VoIP users into their headers. My guess is that they will do similar things for VoLTE.

      Or it might be completely different. LTE already can cooperate with GSM, and adding GSM to an LTE base station is just a matter of software and can be done rather simply, if you can get around SS7. Since the GSM market doesn't show any signs of dying, it's likely that they will have to provide a GSM network for decades to come.

    3. Michael Wojcik Silver badge

      Re: What about VoLTE?

      What happens when everyone is on VoLTE in a few years?

      Everyone? In a few years?

      I'm frequently in places where the best mobile data technology available is EDGE. I don't see them upgrading to LTE anytime soon.

  7. Peter2 Silver badge

    While people are starting to be slightly paranoid about surveillance after Mr Snowdons revelations, might we have a think about precisely why mobile phones send signals whilst turned off? It's easily verifiable simply by having your phone next to a poorly shielded (ie cheap) speaker. You can then hear when the mobile is transmitting by the interference caused on the speaker.

    1. Anonymous Coward
      Anonymous Coward

      Re: why mobile phones send signals whilst turned off

      So your location can be triangulated of course.

    2. Crazy Operations Guy

      So that your phone can be turned on by emergency services to locate someone (say someone was abducted, or they went missing). Of course there isn't much to prevent the various intelligence agencies from abusing it...

      1. I. Aproveofitspendingonspecificprojects

        > there isn't much to prevent the various intelligence agencies from abusing it...

        Or the kidnapper taking the battery out or sending it on a bus somewhere.

  8. Slx

    Also, remember that SS7 was developed in an era when there were highly controlled networks often run by a single monopoly provider, or a very select few telcos.

    An era when there'd be tons of players and open competition wasn't really something that is likely to have crossed the minds of telecommunications engineers in the 70s/80s.

    This is Ma Bell, Euro PTTs and Telecom companies stuff.

    Security was all about having a good lock for the exchange building.

    1. Destroy All Monsters Silver badge

      Then The Two Kevins root through your garbage dump.

  9. FrankAlphaXII

    >>Units of the Russian Federal Security Service (FSB) or Foreign Intelligence Service (SVR) are obvious prime suspects for this sort of malfeasance.

    No. Not really even close. That's exactly the same thing as saying that the FBI and CIA are prime suspect for the NSA/CSS' programs, or that MI5 and SIS are the same for GCHQ's programs.

    But its a forgivable mistake. Russian Signals Intelligence is not very well understood even in the foreign policy and military communities. Most of it is conducted by a part of the Russian Federal Protective Service called the Special Communications Section, or Spetssvyaz, which is a successor agency to the 8th Main Directorate and 16th Main Directorate of the KGB, and the later FAPSI after the fall of the Soviet Union. The rest is undertaken by the Armed Forces GRU.

    1. Destroy All Monsters Silver badge


      Bureaucracy at least is like a Third Reich Salade Mini-Impériale all the world over.

  10. roger stillick

    No one gets SS7 streaming data unless it is GIVEN to them...

    CCIS7, Cmd A link, 56 Kb Data chans, are all signalling channels that have nothing in common with any switched or transported voice channel... they never touch each other, and, no one can connect to them as they are external private - line special circuits, not part of any switched network...anywhere.

    With that being said, how do other folks get the SS7 info ??

    IMHO= it is simply given away by the Telco involved... using a Digital Network Analyzer could pull out the signalling channels on a 1 by 1 basis (involves real time data analysis from multiple channels within any facility cross section) that even the NSA would have trouble doing.

    Reality= don't like SS7 info going to intel agencies or the mobs ?? Thank the local Telcos that give that info away (and the corrupt governments that mandate it)...RS.

  11. I. Aproveofitspendingonspecificprojects

    a situation that could lead to an “SS7 arms-race”

    ..stymied by modern military targeting is pretty obvious. I bet the first Ukraine soldiers to die at the hands of pro Russian civilian forces were targeted by mobile phone watching instruments so sensitive they died where they sat with no idea what was coming through the walls.

  12. roger stillick

    the handset to tower data chan is NOT p/o SS7...

    the low-speed data channel, handset to tower, that makes the "cell phone" system actually function was never meant to be seure... with that being said please remember the handset transmits it's "Serial Number", not it's "phone number" and that "phone number" is found in a lookup table in the reigional SS7 rate,route, setup, takedown, call authentication computer (used for EVERY call in the entire reigion= local, toll, or mobile).

    Sorry= after a 3rd reading n looking at comments= i got sidetracked on a SS7 rant when a simple "yes, handsets are not secure, Do Not say or send anything you don't want on page 1 of the local newspaper" would have been more appropriate...RS.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like