Signaling System No. 7 (SS7) is a set of telephony signaling protocols. Also known as CCS7 (Common Channel Signalling System 7) or CCIS7 (Common Channel Interoffice Signalling 7), it is a worldwide mobile phone network infrastructure. In 1975, a set of protocols were developed in order to connect one mobile network to another mobile network to exchange the information needed for passing calls and text messages between each other, setting up and tearing down most of the world’s Public Switched Telephone Network (PSTN) telephone calls and this is what is termed as SS7.
What does an SS7 do?
- Routes calls and messages between different networks.
- Short Messaging Service (SMS)
- Out of Band Signaling
- Information Exchange functions (Dial Tone, Call-Waiting Tone, Voice Mail, etc)
- Switching from one Cell Tower to another.
- Prevents Call drops without the decrease in quality.
- Allows users to roam on another when traveling in a different location.
- Number Translation
- Local Number Portability
- Prepaid Billing
SS7 is used in as many as 800 telecommunication companies around the world. Helps Banks in confirming the presence of a customer’s phone in a specific nation to authorize their transactions and prevent fraudulent activities.
Exposure of the SS7 Attack
The security issues in SS7 were first discovered by researchers and demonstrated at Chaos Communication Congress Hacker Conference, 2014 in Hamburg and was brought under the spotlight when Nohl demonstrated remote surveillance of a congressman in California from Berlin for CBS’s 60 minutes. The issue was then called for an oversight committee investigation into the vulnerability.
A weakness in the design of SS7 is taken advantage by hackers thereby enabling them to steal data, become an eavesdropper, track the user location and interfering the user’s text messages. The vulnerabilities are being exposed only after the networks started providing third party access to SS7 Design which was totally relied on trust as a commercial offering. Cooperation with State Governments makes a way for State Surveillance and the greater exposure of the network design enables access by agencies in other countries as well as hackers. Few people also argue that intelligence agencies like NSA are exploiting the SS7 protocol for their surveillance activities.
With the presence of exploit tools available on the Internet, even citizens can track a victim easily by spending the amount as small as $300 and gaining some know-how from the Internet.
Anyone with a mobile phone could be vulnerable to the attack. The movement of the Cell phone users can be tracked virtually from anywhere in the world and has a success rate of nearly 70%. It is a man-in-the-middle attack on cell phone communications which exploits the authentication in communication protocols that run on top of SS7 even when the cellular networks are using advanced encryption. It is like the front door of your home is secured but the rear door is wide open. The attacks are worrying by opening the door to mass surveillance activities. The attack undermines the privacy of billions of customers around the globe. Those in place of power could be at the higher chances of the risk of targeting.
What Powers will the Hackers gain?
Once they have access to the SS7 system, a hacker can essentially have access to the same amount of information and snooping capabilities as security services by using the same system that is used by the service providers to keep a constant service available and seamless delivery of calls and data.
- Forward Calls transparently
- Read Text Messages
- Listen to Phone Calls
- Track User’s Location
- Spoof the identity of victims using proxy features.
- Interception of 2-step verification security measure.
Hackers might access a wealth of subscriber’s information.
Stingrays are common surveillance devices that help in intercepting the phone calls, send fake text messages, install a malware on a mobile device and track the precise location of a victim.
Measures Taken & To Be Taken
Mobile Phone Operators’ Trade Association, the GSMA, has set up a series of services to monitor any intrusions or abuse of the signaling system in the network.
Security Contractors have been employed by the networks and also Mr. Karsten Nohl, a security researcher based in Germany who demonstrated the flaw for 1 hour in 2014 to analyze SS7 system and prevent unauthorized access.
A tool called as SnoopSnitch was created to warn when a certain SS7 attack occurs and detect IMSI Catchers if any.
Instead of traditional SMS, people should better use encrypted messaging services like WhatsApp or iMessage and similarly calls are to be made using voice over IP services like FaceTime in iPhones.
End-to-End Encryption is recommended to palliate the risks.
Many companies intend to replace the SS7 protocol with Diameter, a more secure protocol but still, mobile users are exposed to the risk of a hack due to the backward compatibility with SS7.