Signaling System 7 (SS7) is a big security problem. It's the packet-switched control network for the phone system, and it has very little security. It was designed in 1980 to be run only internally between phone switches.<p>The main function of SS7 is call setup. All the switches along the route get their switching commands over SS7, not over the circuit-switched channel. (That went out with SS5, the old audio-tone based system). Call setup is preceded by "translation", turning a destination phone number into a route. That's done with query messages over SS7.<p>This allows outsourced wiretapping. Verisign offers this as a service for telcos, so they don't have to deal with law enforcement themselves.<p><a href="http://www.verisign.com/static/001927.pdf" rel="nofollow">http://www.verisign.com/static/001927.pdf</a><p>Verisign, which also runs much of the US SS7 network (<a href="http://www.verisign.com/stellent/groups/public/documents/data_sheet/005169.pdf" rel="nofollow">http://www.verisign.com/stellent/groups/public/documents/dat...</a>) is well placed to do this. All they have to do for a wiretap is to have the translations for a source or destination number reroute to a wiretap point, which then records while forwarding to the desired destination. As an SS7 provider, they already have all the call metadata.<p>Vulnerabilities come in because more parties now have SS7 access. Cellular roaming and VoIP to landline routing are managed over SS7. So a large number of computers other than dedicated telco switches now have SS7 connections. A break-in at any of those points has wiretapping potential.
An interesting read on the current state of SS7, circa 2013:<p><a href="http://blog.pt.com/vendors-eol-announcement" rel="nofollow">http://blog.pt.com/vendors-eol-announcement</a><p><i>The 3G/4G segment of subscribers will have a distribution of 3.4 billion using 3G (SS7) services and .9 billion using 4G services. The total outcome of this research indicates that a total of 7.65 billion subscribers, out of a total of 8.5 billion subscribers, will remain on SS7-based networks in 2017.</i><p><i>Verizon went on to further explain that a final 2G/3G (SS7) sunset timeframe decision has not been made.</i><p>The good news is vendors are not happy, considering the availability of hardware will decrease significantly over the same time period, hopefully speeding the sunset of this technology.<p><i>Some service providers are planning on a strategy of consolidating their network, having no support and cannibalizing existing spare equipment for hardware support.</i>
In the Turkish Ministry of Foreign Affairs it is forbidden to bring cell phones into meetings. However, it is totally okay to bring tablets and laptops into the meetings. Source: my friend works there.<p>Edit: phones are forbidden due to the recent spying events.
Of course we can be sure that those fellows were not the first to learn about that.<p>The hack of Belgian telco Belgacom sees more light day by day.<p>This system is broken beyond repair. We need to build it up from the ground, safely.
German state-controlled media and the Deutsche Telekom immediately reported that big carriers have already fixed the problem and are no longer allowing "unauthorized" requests for encryption parameters via SS7. ;-)<p>(source: <a href="http://heise.de/-2503376" rel="nofollow">http://heise.de/-2503376</a> - sorry, German)
The only interesting thing here is the new attack at the radio level that allows call monitoring. It sounds like it might be easier than setting up a fake tower. It still sounds like it required an active attack, though, so in practice the difference might not be all that important.
"Anyone" cannot listen to your cell calls. Only people that have access to inject commands into the SS7 network that your call is routed through can do that.
I just tried searching this entire comments page for the string “batman”. Incredibly, there were 0 occurrences. So I'll just add: this sounds kinda like that batman movie where they turned every cellphone in the city into a remote listening device (and then declared that nobody should have that kind of power).
A couple of random thoughts on potential applications/uses:<p>1. Alexandria needs to communicate with Bilbo. Alexandria has the privilege of being trusted by whatever organization she belongs to (be that her country, company, etc.) and as such is unmonitored AFAsheKs. Bilbo on the other hand is some fugitive-type and is unable, or perhaps unwilling, to enter direct communication with Alexandria for fear of compromising himself or his beloved Alexandria. Bilbo could then monitor Alexandria's calls for an encoded message via a protocol they predetermine. This protocol could take the form of linguistic or audio steganography. One could imagine all sorts of information being leaked by Alexandria.<p>2. More realistically, this could be a tool for bribery. Monitor a set of vulnerable targets, wait until they reveal something, take a bribe to stay quiet.<p>3. Or, for the Machiavellian-minded, leak information that was supposedly confidential between two parties.
Of course there are insecurities, but this sounds like an opening shot calling for a "new" system to allow better security, or rather, a system even more easily controlled.
Really, none of this is surprising or new. If you're bored/curious, here's some fun reading on exploring/exploiting telecom networks. Spoiler alert: it's really easy and it has been forever. Big ups to Philippe Langlois for all his great research over the years.<p>Interview: Telecom Security Expert Philippe Langlois on GCHQ Spying (<a href="http://www.spiegel.de/international/europe/interview-telecom-security-expert-philippe-langlois-on-gchq-spying-a-933870.html" rel="nofollow">http://www.spiegel.de/international/europe/interview-telecom...</a>)<p>Vulnerabilities and Possible Attacks against the GPRS Backbone Network (<a href="http://critis06.lcc.uma.es/files/Vulnerabilities%20and%20Possible%20Attacks%20against%20the%20GPRS%20Backbone%20Network.pdf" rel="nofollow">http://critis06.lcc.uma.es/files/Vulnerabilities%20and%20Pos...</a>)<p>Getting in the SS7 kingdom: hard technology and disturbingly easy hacks to get entry points in the walled garden (<a href="http://www.hackitoergosum.org/2010/HES2010-planglois-Attacking-SS7.pdf" rel="nofollow">http://www.hackitoergosum.org/2010/HES2010-planglois-Attacki...</a>)<p>Telecom Signaling Attacks on 3G and LTE networks (<a href="http://www.slideshare.net/p1sec/telecom-security-from-ss7-to-all-ip-allopenv3zeronights" rel="nofollow">http://www.slideshare.net/p1sec/telecom-security-from-ss7-to...</a>)<p>GSM and 3G Security (<a href="https://webcache.googleusercontent.com/search?q=cache:WlEd4HCpl48J:www.blackhat.com/presentations/bh-asia-01/gadiax.ppt+&cd=16&hl=en&ct=clnk&gl=us&client=firefox-a" rel="nofollow">https://webcache.googleusercontent.com/search?q=cache:WlEd4H...</a>)<p>Locating Mobile Phones using Signalling System #7 (<a href="http://events.ccc.de/congress/2008/Fahrplan/attachments/1262_25c3-locating-mobile-phones.pdf" rel="nofollow">http://events.ccc.de/congress/2008/Fahrplan/attachments/1262...</a>)<p>SCTPscan - Finding entry points to SS7 Networks & Telecommunication Backbones (<a href="https://www.blackhat.com/presentations/bh-europe-07/Langlois/Presentation/bh-eu-07-langlois-ppt-apr19.pdf" rel="nofollow">https://www.blackhat.com/presentations/bh-europe-07/Langlois...</a>)<p>LTE Pwnage: Hacking HLR/HSS and MME Core Network Elements (<a href="http://www.slideshare.net/p1sec/p1security-lte-pwnage-v21" rel="nofollow">http://www.slideshare.net/p1sec/p1security-lte-pwnage-v21</a>)<p>Map of mobile network security (<a href="https://srlabs.de/gsmmap/" rel="nofollow">https://srlabs.de/gsmmap/</a>)<p>Rooting The HLRs Mobile And Critical Infrastructure Insecurity (<a href="https://archive.org/details/D3T202201308021200RootingTheHlrsMobileAndCriticalInfrastructureInsecurityPhilippeLanglois" rel="nofollow">https://archive.org/details/D3T202201308021200RootingTheHlrs...</a>)<p>AURORAGOLD Working Group - Shaping understanding of the global GSM/UMTS/LTE landscape - from the Snowden leaks (government employees should probably not click this) (<a href="https://s3.amazonaws.com/s3.documentcloud.org/documents/1374178/auroragold-working-group.pdf" rel="nofollow">https://s3.amazonaws.com/s3.documentcloud.org/documents/1374...</a>) (<a href="https://firstlook.org/theintercept/2014/12/04/nsa-auroragold-hack-cellphones/" rel="nofollow">https://firstlook.org/theintercept/2014/12/04/nsa-auroragold...</a>)
There is a maintenance mode in every cell phone that allows it to be remotely turned on, that is, used as a listening device, without your knowledge.<p>I don't know what authentication is required. I expect that it was designed so that only your cell carrier could enable it; however, whatever may have been secret about it quite likely has leaked out by now.<p>If you don't want to be listened to, don't have _any_ cell phones anywhere near you. Not just your own - say you want a private conversation in a public place; the phones of other people in your general vicinity could be switched on to listen to you.<p>I learned this from a well-known left-wing radical organization known as the United States Air Force, when I applied for the USAF Cyber Command. Their site had a recruiting video that depicted a couple of officers locking their phones into a grounded metal box - a Faraday cage - before entering a secure area, that is, a room where secrets were openly discussed.