German Researchers Discover A Flaw That Could Let Anyone Listen To Your Cell Calls

This photo by Coni T. Tawong

German researchers have discovered security flaws that could let hackers, spies and criminals listen to private phone calls and intercept messages on a potentially massive scale– even when cellular networks are using most advanced encryption now available.

The flaws, to be reported at a hacker conference in Hamburg this month, are latest evidence of widespread insecurity on SS7, the global network that allows the world’s cellular carriers to route calls, texts and other services to each other. Experts say it’s increasingly clear that SS7, first designed in the 1980s, is riddled with serious vulnerabilities that undermine the privacy of the world’s billions of cellular customers.

The flaws discovered by the German researchers are actually functions built into SS7 for other purposes – such as keeping calls connected as users speed down highways, switching from cell tower to cell tower – that hackers can repurpose for surveillance because of the lax security on the network.

Those skilled at the myriad functions built into SS7 can locate callers anywhere in the world, listen to calls as they happen or record hundreds of encrypted calls and texts at a time for later decryption. There also is potential to defraud users and cellular carriers by using SS7 functions, the researchers say.

These vulnerabilities continue to exist even as cellular carriers invest billions of dollars to upgrade to advanced 3G technology aimed, in part, at securing communications against unauthorized eavesdropping. But even as individual carriers harden their systems, they still must communicate with each other over SS7, leaving them open to any of thousands of companies worldwide with access to the network. That means that a single carrier in Congo or Cameroon, for example, could be used to hack into cellular networks in the United States, Europe or anywhere else.

“It’s like you secure the front door of the house, but the back door is wide open,” said Tobias Engel, one of the German researchers.

Engel, founder of Sternraute, and Karsten Nohl, chief scientist for security Research Labs, separately discovered these security weaknesses as they studied SS7 networks in recent months, after the Washington Post reported the widespread marketing of surveillance systems that use SS7 networks to locate callers anywhere in the world. The Washington Post reported that dozens of nations had bought such systems to track surveillance targets and that skilled hackers or criminals could do same using functions built into SS7. (The term is short for Signaling System 7 and replaced previous networks called SS6, SS5, etc.)

The researchers did not find evidence that their latest discoveries, which allow for the interception of calls and texts, have been marketed to governments on a widespread basis. But vulnerabilities publicly reported by security researchers often turn out to be tools long used by secretive intelligence services, such as the National Security Agency or Britain’s GCHQ, but not revealed to the public.

“Many of the big intelligence agencies probably have teams that do nothing but SS7 research and exploitation,” said Christopher Soghoian, principal technologist for the ACLU and an expert on surveillance technology. “They have likely sat on these things and quietly exploited them”.

The GSMA, a global cellular industry group based in London, did not respond to queries seeking comment about vulnerabilities that Nohl and Engel have found. For the Washington Post’s article in August on location tracking systems that use SS7, GSMA officials acknowledge problems with the network and said it was due to be replaced over the next decade because of a growing list of security and technical issues.

The German researchers found two distinct ways to eavesdrop on calls using SS7 technology. In the first, commands sent over SS7 could be used to hijack a cell phone’s “forwarding” function – a service offered by many carriers. Hackers would redirect calls to themselves, for listening or recording, and then onward to the intended recipient of a call. Once that system was in place, the hackers could eavesdrop on all incoming and outgoing calls indefinitely, from anywhere in the world.

The second technique requires physical proximity but could be deployed on a much wider scale. Hackers would use radio antennas to collect all the calls and text passing through the airwaves in an area. For calls or texts transmitted using strong encryption, such as is commonly used for advanced 3G connections, hackers could request through SS7 that each caller’s carrier release a temporary encryption key to unlock the communication after it has been recorded.

Nohl on Wednesday demonstrated the ability to collect and decrypt a text message using the phone of a German Senator, who cooperated in the experiment. But Nohl said the process could be automated to allow massive decryption of calls and texts collected across an entire city or a large section of a country, using multiple antennas. “It’s all automated, at the push of a button,” Nohl said, “It would strike me as perfect spying capability, to record and decrypt pretty much any network… Any network we have tested, it works.”

Those tests have included more than 20 networks worldwide including T–Mobile in the United States. The other major U.S. carriers have not been tested, thought Nohl and Engel said its likely at least some of them have similar vulnerabilities. (Several smartphone – based text messaging systems, such as Apple’s iMessage and Whatsapp, use end–to–end encryption methods that sidestep traditional cellular text systems and likely would defeat the technique described by Nohl and Engel.

In a statement, T–Mobile said: “T–Mobile remains vigilant in our work with other mobile operators, vendors and standards bodies to promote measures that can detect and prevent these attacks.”

The issue of cell phone interception is particularly sensitive in Germany because of news reports last year, based on documents provided by former NSA contractor Edward Snowden, that a phone belonging to Chancellor Angela Merkel was the subject of NSA surveillance. The techniques of that surveillance have not become public, though Nohl said that the SS7 hacking method that he and Engel discovered is one of several possibilities.

U.S. embassies and consulates in dozens of foreign cities, including Berlin, are outfitted with antennas for collecting cellular signals, according to reports by German Magazine Der Spiegel, based on documents released by Snowden. Many cell phone conversations worldwide happen with either no encryption or weak encryption.

The move to 3G networks offers far better encryption and the prospect of private communication. But the hacking techniques revealed by Nohl and Engel undermine that possibility. Carriers can potentially guard their networks against efforts by hackers to collect encryption keys, but it’s unclear how many have done so. Germany Vodafone, recently began blocking such requests after Nohl reported the problem to the company two weeks ago.

Nohl and Engel also have discovered new ways to track the locations of cell phone users through SS7. The Washington Post story, in August, reported that several companies were offering governments worldwide the ability to find virtually any cell phone user, virtually anywhere in the world, by learning the location of their cell phones through an SS7 function called an “Any Time Interrogation” query.

Some carriers block such requests and several began doing so after the Washington Post’s report. But the researchers in recent months have found several other techniques that hackers could use to find the locations of callers by using different SS7 queries. All networks must track their customers in order to route calls to the nearest cellular towers, but they are not required to share that information with other networks or foreign governments.

Carriers everywhere must turn over location information and allow eavesdropping of calls when ordered to by government officials in whatever country they are operating in. but the techniques discovered by Nohl and Engel offer the possibility of much broader collection of caller locations and conversations, by anyone with access to SS7 and the required technical skills to send the appropriate queries.

“I doubt we are the first ones in the world who realize how open the SS7 network is,” Engel said. Secretly eavesdropping on calls and texts would violate laws in many countries, including the United States, except when done with explicit court or other government authorization. Such restrictions likely do little to deter criminals or foreign spies, say surveillance experts, who say that embassies based in Washington likely collect cellular signals.

The researchers also found that it was possible to use SS7 to learn the phone numbers of people whose cellular signals are collected using surveillance devices. The calls transmit a temporary identification number which, by sending SS7 queries, can lead to the discovery of the phone number. That allows location tracking within a certain area, such as near government buildings.

The German Senator who cooperated in Nohl’s demonstration of the technology, Thomas Jarzombek of Merkel’s Christian Democratic Union Party, said that while many in that nation have been deeply angered by revelations about NSA spying, few are surprised that such intrusions are possible.

Craig Timber

“After all the NSA and Snowden things we have heard, I guess nobody believes it’s possible to have a truly private conversation on a mobile phone,” he said. “When I really need a confidential conversation, I use a fixed–line” phone.
By Craig Timber

Craig Timberg is a National technology reporter for the Washington Post.

Abuse of Human Rights In Southern Cameroons By Britain, Nigeria And The UN

The Anglophone Problem in Cameroon

It is important to emphasize that Nigeria and Britain with the complicity of the UN intentionally refused to give Southern Cameroonians the opportunity to participate in administering their country and to develop themselves educationally, economically and socially like their francophone brothers. This is an aspect of abuse of human rights for which Cameroonians accuse Nigeria, Britain and the UN.

The UN herself a watch dog over Southern Cameroons may find it difficult today to go over a mess committed by her; that is to review the activities of Britain and Nigeria in Southern Cameroons. The International community should take judicious note and help Cameroonians in general and Anglophone Cameroonians in particular to speak out. Britain had much to gain from Nigeria and as such abandoned Southern Cameroons to Nigeria to colonize. This was why Britain never cared to know what Nigeria was doing in Southern Cameroons. In 1961 when British and Nigerian citizens were fleeing from the civil service in Southern Cameroons en mass, the UN on her part was passive, as such failed to put in place an organ to ensure that Southern Cameroons revenue in the Nigerian Treasury was transferred to West Cameroon.

Britain and Nigeria treated Southern Cameroons as an enemy territory in 1961

One month to reunification of Southern Cameroons and La Republique du Cameroun in 1961, Her Majesty’s Government treated Southern Cameroons as an enemy territory, by abruptly withdrawing all British and Nigeria Civil Servants from the Civil Service and closed down all British firms. J. O. Field is said to have personally supervised his office messenger Ewonkem to burn all files from his office before leaving. The UN did not bring in an independent body to supervise British and Nigerian citizens as they abandon their offices, considering the fact that Cameroonians were yet to be recruited to take over these offices. Fleeing British and Nigerian Civil Servants might have taken along by looting anything they could lay hands on.

The way British and Nigeria Civil Servants left Southern Cameroons, can only be compared to combatants escaping from an enemy zone. There were indications that Britain and Nigeria expected immediate failure by those they were leaving behind. They were aware that there was none of them with the expertise to restructure a new civil service. Note should be taken of the fact that at independence the Nigerian Civil Service was so advanced but British Civil Servants in Nigeria did not abandon it en mass as they did in Southern Cameroons.

 

Coat Of Many Colours

Now Israel loved Joseph more than all his children, because he was the son of his old age: and he made him a coat of many colours. And when his brethren saw that their father loved him more than all his brethren, they hated him, and could not speak peaceably unto him. And Joseph dreamed a dream, and he told it his brethren: and they hated him yet the more. And he said unto them, Hear, I pray you, this dream which I have dreamed: For, behold, we were binding sheaves in the field, and, lo, my sheaf arose, and also stood upright; and, behold, your sheaves stood round about, and made obeisance to my sheaf. And his brethren said to him, Shalt thou indeed reign over us? or shalt thou indeed have dominion over us? And they hated him yet the more for his dreams, and for his words. And he dreamed yet another dream, and told it his brethren, and said, Behold, I have dreamed a dream more; and, behold, the sun and the moon and the eleven stars made obeisance to me. And he told it to his father, and to his brethren: and his father rebuked him, and said unto him, What is this dream that thou has dreamed? Shall I and thy mother and thy brethren indeed come to bow down ourselves to thee to the earth? And his brethren envied him: but his father observed the saying. And his brethren went to feed their father’s flock in Shechem. And Israel said unto Joseph, Do not thy brethren feed the flock in Shechem? Come, and I will send thee unto them. And he said to him, Here am I. And he said to him, Go, I pray thee, see whether it be well with thy brethren, and well with the flocks; and bring me word again. So he sent him out of the vale of Hebron, and he came to Shechem. And a certain man found him, and, behold, he was wandering in the field: and the man asked him, saying, What sleekest thou? And he said, I seek my brethren: tell me, I pray thee, where they feed their flocks. And the man said, They are departed hence; for I heard them say, Let us go to Dothan. And Joseph went after his brethren, and found them in Dothan. And they said one to another, Behold, this dreamer cometh. Come now therefore, and let us slay him, and cast him into some pit, and we will say, Some evil beast hath devoured him: and we shall see what will become of his dreams. (Genesis 37:3–20)

Google Is Laying The Groundwork For A Version Of Android That Would Be Built Into Cars

Google Inc is laying the groundwork for a version of Android that would be built directly into cars, sources said, allowing drivers to enjoy all the benefits of the Internet without even plugging in their smartphones.

The move is a major step up from Google's current Android Auto software, which comes with the latest version of its smartphone operating system and requires a phone to be plugged into a compatible car with a built-in screen to access streaming music, maps and other apps.
Google, however, has never provided details or a timeframe for its long-term plan to put Android Auto directly into cars. The company now plans to do so when it rolls out the next version of its operating system, dubbed Android M, expected in a year or so, two people with knowledge of the matter said.
The sources declined to be identified because they were not authorized to discuss the plans publicly.
"It provides a much stronger foothold for Google to really be part of the vehicle rather than being an add-on," said Thilo Koslowski, vice president and Automotive Practice Leader of industry research firm Gartner, who noted that he was unaware of Google's latest plans in this area.
If successful, Android would become the standard system powering a car's entertainment and navigation features, solidifying Google's position in a new market where it is competing with arch-rival Apple Inc. Google could also potentially access the valuable trove of data collected by a vehicle.
Direct integration into cars ensures that drivers will use Google's services every time they turn on the ignition, without having to plug in the phone. It could allow Google to make more use of a car's camera, sensors, fuel gauge, and Internet connections that come with some newer car models.
Analysts said Google's plan could face various technical and business challenges, including convincing automakers to integrate its services so tightly into their vehicles.
Google declined to comment.
Technology companies are racing to design appliances, wristwatches and other gadgets that connect to the Internet. Automobiles are a particularly attractive prospect because Americans spend nearly 50 minutes per day on average on their commute, according to U.S. Census data.
Apple unveiled its CarPlay software in March and Google has signed on dozens of companies, including Hyundai, General Motors Co and Nissan Motor Co, for its Open Automotive Alliance and its Android Auto product.
Android Auto and CarPlay both currently "project" their smartphone apps onto the car's screen. Many of the first compatible cars with this smartphone plug-in functionality are expected to be on display at the upcoming Consumer Electronics Show in Las Vegas next month and to go on sale in 2015.
By building Android into a car, Google's services would not be at risk of switching off when a smartphone battery runs out of power, for example.
"With embedded it's always on, always there," said one of the sources, referring to the built-in version of Android Auto. "You don't have to depend on your phone being there and on."
Google's software could potentially connect to other car components, allowing, for example, a built-in navigation system like Google Maps to detect when fuel is low and provide directions to the nearest gas stations.
By tapping into the car's components, Google could also gain valuable information to feed its data-hungry advertising business model. "You can get access to GPS location, where you stop, where you travel everyday, your speed, your fuel level, where you stop for gas," one of the sources said.
But the source noted that Android would need major improvements in performance and stability for carmakers to adopt it. In particular, Android Auto would need to power-up instantly when the driver turns the car on, instead of having to wait more than 30 seconds, as happens with many smartphones.
Automakers might also be wary of giving Google access to in-car components that could raise safety and liability concerns, and be reluctant to give Google such a prime spot in their vehicles.
"Automakers want to keep their brand appeal and keep their differentiation," said Mark Boyadjis, an analyst with industry research firm IHS Automotive. "Automakers don't want to have a state of the industry where you get in any vehicle and it's just the same experience wherever you go."