 |
| This photo by Coni T. Tawong |
German
researchers have discovered security flaws that could let hackers, spies and
criminals listen to private phone calls and intercept messages on a potentially
massive scale– even when cellular networks are using most advanced encryption
now available.
The flaws, to
be reported at a hacker conference in Hamburg this month, are latest evidence
of widespread insecurity on SS7, the global network that allows the world’s
cellular carriers to route calls, texts and other services to each other.
Experts say it’s increasingly clear that SS7, first designed in the 1980s, is
riddled with serious vulnerabilities that undermine the privacy of the world’s
billions of cellular customers.
The flaws
discovered by the German researchers are actually functions built into SS7 for
other purposes – such as keeping calls connected as users speed down highways,
switching from cell tower to cell tower – that hackers can repurpose for
surveillance because of the lax security on the network.
Those skilled
at the myriad functions built into SS7 can locate callers anywhere in the
world, listen to calls as they happen or record hundreds of encrypted calls and
texts at a time for later decryption. There also is potential to defraud users
and cellular carriers by using SS7 functions, the researchers say.
These
vulnerabilities continue to exist even as cellular carriers invest billions of
dollars to upgrade to advanced 3G technology aimed, in part, at securing
communications against unauthorized eavesdropping. But even as individual
carriers harden their systems, they still must communicate with each other over
SS7, leaving them open to any of thousands of companies worldwide with access to
the network. That means that a single carrier in Congo or Cameroon, for
example, could be used to hack into cellular networks in the United States,
Europe or anywhere else.
“It’s like
you secure the front door of the house, but the back door is wide open,” said
Tobias Engel, one of the German researchers.
Engel,
founder of Sternraute, and Karsten Nohl, chief scientist for security Research
Labs, separately discovered these security weaknesses as they studied SS7
networks in recent months, after the Washington Post reported the widespread
marketing of surveillance systems that use SS7 networks to locate callers
anywhere in the world. The Washington Post reported that dozens of nations had
bought such systems to track surveillance targets and that skilled hackers or
criminals could do same using functions built into SS7. (The term is short for
Signaling System 7 and replaced previous networks called SS6, SS5, etc.)
The
researchers did not find evidence that their latest discoveries, which allow
for the interception of calls and texts, have been marketed to governments on a
widespread basis. But vulnerabilities publicly reported by security researchers
often turn out to be tools long used by secretive intelligence services, such
as the National Security Agency or Britain’s GCHQ, but not revealed to the
public.
“Many of the
big intelligence agencies probably have teams that do nothing but SS7 research
and exploitation,” said Christopher Soghoian, principal technologist for the
ACLU and an expert on surveillance technology. “They have likely sat on these
things and quietly exploited them”.
The GSMA, a
global cellular industry group based in London, did not respond to queries
seeking comment about vulnerabilities that Nohl and Engel have found. For the
Washington Post’s article in August on location tracking systems that use SS7,
GSMA officials acknowledge problems with the network and said it was due to be
replaced over the next decade because of a growing list of security and
technical issues.
The German
researchers found two distinct ways to eavesdrop on calls using SS7 technology.
In the first, commands sent over SS7 could be used to hijack a cell phone’s
“forwarding” function – a service offered by many carriers. Hackers would
redirect calls to themselves, for listening or recording, and then onward to
the intended recipient of a call. Once that system was in place, the hackers
could eavesdrop on all incoming and outgoing calls indefinitely, from anywhere
in the world.
The second
technique requires physical proximity but could be deployed on a much wider
scale. Hackers would use radio antennas to collect all the calls and text
passing through the airwaves in an area. For calls or texts transmitted using
strong encryption, such as is commonly used for advanced 3G connections,
hackers could request through SS7 that each caller’s carrier release a
temporary encryption key to unlock the communication after it has been
recorded.
Nohl on
Wednesday demonstrated the ability to collect and decrypt a text message using
the phone of a German Senator, who cooperated in the experiment. But Nohl said
the process could be automated to allow massive decryption of calls and texts
collected across an entire city or a large section of a country, using multiple
antennas. “It’s all automated, at the push of a button,” Nohl said, “It would
strike me as perfect spying capability, to record and decrypt pretty much any
network… Any network we have tested, it works.”
Those tests
have included more than 20 networks worldwide including T–Mobile in the United
States. The other major U.S. carriers have not been tested, thought Nohl and
Engel said its likely at least some of them have similar vulnerabilities.
(Several smartphone – based text messaging systems, such as Apple’s iMessage
and Whatsapp, use end–to–end encryption methods that sidestep traditional
cellular text systems and likely would defeat the technique described by Nohl
and Engel.
In a
statement, T–Mobile said: “T–Mobile remains vigilant in our work with other
mobile operators, vendors and standards bodies to promote measures that can
detect and prevent these attacks.”
The issue of
cell phone interception is particularly sensitive in Germany because of news
reports last year, based on documents provided by former NSA contractor Edward
Snowden, that a phone belonging to Chancellor Angela Merkel was the subject of
NSA surveillance. The techniques of that surveillance have not become public,
though Nohl said that the SS7 hacking method that he and Engel discovered is
one of several possibilities.
U.S.
embassies and consulates in dozens of foreign cities, including Berlin, are
outfitted with antennas for collecting cellular signals, according to reports
by German Magazine Der Spiegel, based on documents released by Snowden. Many
cell phone conversations worldwide happen with either no encryption or weak
encryption.
The move to
3G networks offers far better encryption and the prospect of private
communication. But the hacking techniques revealed by Nohl and Engel undermine
that possibility. Carriers can potentially guard their networks against efforts
by hackers to collect encryption keys, but it’s unclear how many have done so.
Germany Vodafone, recently began blocking such requests after Nohl reported the
problem to the company two weeks ago.
Nohl and
Engel also have discovered new ways to track the locations of cell phone users
through SS7. The Washington Post story, in August, reported that several
companies were offering governments worldwide the ability to find virtually any
cell phone user, virtually anywhere in the world, by learning the location of
their cell phones through an SS7 function called an “Any Time Interrogation”
query.
Some carriers
block such requests and several began doing so after the Washington Post’s
report. But the researchers in recent months have found several other
techniques that hackers could use to find the locations of callers by using
different SS7 queries. All networks must track their customers in order to
route calls to the nearest cellular towers, but they are not required to share
that information with other networks or foreign governments.
Carriers
everywhere must turn over location information and allow eavesdropping of calls
when ordered to by government officials in whatever country they are operating
in. but the techniques discovered by Nohl and Engel offer the possibility of
much broader collection of caller locations and conversations, by anyone with access
to SS7 and the required technical skills to send the appropriate queries.
“I doubt we
are the first ones in the world who realize how open the SS7 network is,” Engel
said. Secretly eavesdropping on calls and texts would violate laws in many
countries, including the United States, except when done with explicit court or
other government authorization. Such restrictions likely do little to deter
criminals or foreign spies, say surveillance experts, who say that embassies
based in Washington likely collect cellular signals.
The
researchers also found that it was possible to use SS7 to learn the phone
numbers of people whose cellular signals are collected using surveillance
devices. The calls transmit a temporary identification number which, by sending
SS7 queries, can lead to the discovery of the phone number. That allows
location tracking within a certain area, such as near government buildings.
The German
Senator who cooperated in Nohl’s demonstration of the technology, Thomas
Jarzombek of Merkel’s Christian Democratic Union Party, said that while many in
that nation have been deeply angered by revelations about NSA spying, few are
surprised that such intrusions are possible.
 |
| Craig Timber |
“After all
the NSA and Snowden things we have heard, I guess nobody believes it’s possible
to have a truly private conversation on a mobile phone,” he said. “When I
really need a confidential conversation, I use a fixed–line” phone.
By Craig Timber
By Craig Timber
Craig Timberg
is a National technology reporter for the Washington Post.
No comments:
Post a Comment