Last year a new method of attacking cellular networks was discovered. It requires neither costly radio scanners nor powerful PCs and is available to virtually anyone. Moreover, carriers have no practical means of protecting against this type of attack.
The compromise is based on an attack on SS7, a signalling system used by cellular networks and developed back in the 1970s, in other words, in the era of the first electronic telephone switches.
Amazingly, SS7 does not employ even basic means of protection: the traffic is not encrypted and the equipment is unable to distinguish between legitimate and rogue commands. The system processes any command it receives regardless of the source.
The reason is very simple: those who designed the protocol 40 years ago presupposed that, because the signalling layer in SS7 is separated from the voice layer, no one apart from the staff at the phone switch would be able to access this channel.
Even if someone did, there was no practical use in it: no commands except those telling the network to connect to a subscriber were transmitted, so there was no need to think about bogus packets being transported across the layer.
However, the situation changed as soon as the procedure for processing SS7 commands over IP was introduced in 2000, essentially exposing the SS7 layer to outside access.
The good news is: no, it’s not possible to connect to any carrier network from a random computer over the Internet. One would need a special device – an SS7 hub.
The bad news is the lax regulation of the purchase of such network appliances. Some countries readily issue carrier licenses, which in turn enable anyone to legitimately set up a hub and interconnect it to a transport node. This explains why the black market is overpopulated with illicit merchants offering ‘Connection-as-a-Service’ to such hubs.
It does not matter where the hub is positioned. It can be used to send and accept commands on any carrier network globally. There is a good reason for that: blocking commands at certain network junctions is likely to disrupt roaming services and cut off international connections, which makes such attacks very challenging to deflect.
Now, let us review the options a criminal could leverage. First, an attacker would need the victim’s International Mobile Subscriber Identity (IMSI), a unique identifier of a SIM card in the cellular network, which is essential for the breach. The attack is carried out via SMS (curiously, SMS was initially an undocumented feature of the GSM protocol: the messages are transported via the signalling channel).
If one issues a request to send an SMS to a particular phone number, the carrier network (more precisely, the Home Location Register, or HLR, which is the main database of permanent subscriber information for a mobile network) responds with the IMSI and a reference to the current Mobile Switching Center (MSC) and Visitor Location Register (VLR), a database that contains the temporary location-specific information about subscribers that the MSC needs in order to service visiting subscribers.
The response is as follows: “Hi, here’s the IMSI and the address of the network segment where the subscriber is currently located. Now send the message for the above-mentioned IMSI to that MSC/VLR.” While this happens, the address of the HLR database ends up exposed as well. Knowing these addresses and IDs, an adversary is able to send various commands to the HLR.
For instance, a fraudster might request the identifier of the cellular base station currently serving the target subscriber. Armed with this unique identifier and any of the numerous subscriber databases available on the Internet, one can find out the exact location of the subscriber, with a precision of some dozens of meters. A number of simple programs are able to fully automate the process, conveniently asking only for the mobile number and returning a dot on the map.
One might request that the HLR reconnect to another VLR and input a wrong value, thus blocking incoming calls and messages.
There is another inviting option: to input the desired MSC/VLR address emulated on the fraudster’s computer with the help of an ‘SS7 for Linux’ software pack openly available for downloading. This opens further opportunities to stealthily hijack calls and messages.
For instance, once an adversary gets an SMS on the rogue computer, he won’t return the delivery report service message, but will switch the VLR back to the legitimate value. Once that is done, the outbound server will send the message again and finally deliver it to the intended recipient. SMS hijacking is a perfect method to intercept one-time verification codes used by various two-factor authentication systems.
It’s even easier to accomplish in the case of phone calls: with access to the HLR, an adversary is able to set up unconditional forwarding to an intermediary phone number before delivering a call to the legitimate addressee.
The same method allows for eavesdropping on outbound phone calls, with a little more effort applied: the forwarding path could be established for the phone the victim calls. The number is discovered when the outbound call issues a request containing the intended phone number and forwards it to a billing system, so that the system applies a certain call charge rate and then bills the call to the caller.
By swapping the legitimate billing system address for an arbitrary address used by the scammer, an adversary is able to discover the target’s number. The victim, as it turns out, would be able to complete the call only on the second attempt, with the first attempt failing, and would think nothing of the failed call (by the way, if you tend to get through only on the second attempt, it’s a clear sign someone is eavesdropping on you).
Evidently, all those recent cases of politicians’ secret calls being exposed to the entire world do not necessarily involve bugging their premises and devices or employing secret agents: an opponent in the current election campaign is perfectly able to do that for little money.
The impact this method might have on more ordinary people is mostly limited to petty theft of a couple of dollars from the mobile plan: it can be achieved by sending bogus USSD commands to enable small money transfers, or by redirecting calls to paid numbers and generating traffic.
As we mentioned before, there is no 100% remedy for this bug. It has been inherent in the protocol from day one. Only a fundamental change in the way cellular communications work might provide an opportunity to eliminate the issue completely.
There is another means of addressing the problem, which involves deploying a complex subscriber activity monitoring system to spot presumably malicious subscriber activities. A number of IT companies offer automated systems which, in essence, resemble the anti-fraud platforms widely used by banks.
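One heuristic such a monitoring system could apply, shown here as an added example (not code from the original article or from any vendor's product): flag a subscriber whose serving VLR changes to another operator's address and then reverts within minutes, the footprint of the SMS interception described above. The record layout, the threshold, the operator-prefix rule and all sample values are assumptions made for illustration.

```python
"""Flag short-lived VLR re-registrations that revert to the previous VLR."""
from collections import defaultdict
from typing import NamedTuple

class LocationUpdate(NamedTuple):
    ts: int       # seconds since epoch
    imsi: str
    vlr_gt: str   # global title of the VLR now claiming the subscriber

MAX_DWELL_S = 600   # assumption: a genuine roaming visit lasts longer than this
PREFIX_LEN = 4      # assumption: the leading GT digits identify the operator

def find_flip_backs(events, max_dwell=MAX_DWELL_S):
    """Return alerts for A -> B -> A sequences where B belongs to a different
    operator prefix than A and holds the subscriber only briefly."""
    per_imsi = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        hist = per_imsi[ev.imsi]
        # Skip periodic refreshes from the VLR that already holds the subscriber.
        if hist and hist[-1].vlr_gt == ev.vlr_gt:
            continue
        hist.append(ev)
    alerts = []
    for imsi, hist in per_imsi.items():
        for a, b, c in zip(hist, hist[1:], hist[2:]):
            foreign = a.vlr_gt[:PREFIX_LEN] != b.vlr_gt[:PREFIX_LEN]
            if c.vlr_gt == a.vlr_gt and foreign and c.ts - b.ts <= max_dwell:
                alerts.append({"imsi": imsi, "rogue_vlr": b.vlr_gt,
                               "dwell_s": c.ts - b.ts, "restored_at": c.ts})
    return alerts

# Constructed sample data: the IMSIs and global titles are made up.
SAMPLE = [
    LocationUpdate(1000, "001010000000001", "999100000001"),
    LocationUpdate(4600, "001010000000001", "999100000001"),   # periodic refresh
    LocationUpdate(5000, "001010000000001", "888200000077"),   # sudden foreign VLR
    LocationUpdate(5090, "001010000000001", "999100000001"),   # reverted after 90 s
    LocationUpdate(1000, "001010000000002", "999100000001"),
    LocationUpdate(9000, "001010000000002", "888200000077"),   # genuine trip abroad
    LocationUpdate(95400, "001010000000002", "999100000001"),  # home a day later
]

if __name__ == "__main__":
    for alert in find_flip_backs(SAMPLE):
        print(alert)
```

The dwell threshold trades false positives (brief border roaming) against missed detections, so a deployment would tune it per network and combine it with other signals.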
Cellular companies are the problem
The carriers are in no particular rush to deploy such systems, leaving subscribers wondering whether or not they are protected from such attacks. Even if you establish that you are safe on your primary carrier, you still cannot assume you’re secure, as roaming brings uncertainty.
You should follow a simple rule to prevent your secrets from leaking into the hands of criminals: don’t discuss sensitive matters over the phone, and try to save those conversations for a personal meeting. Just imagine that you are talking about this on YouTube. To secure the SMS messages sent to you by two-factor authentication systems, own a separate SIM card, with a number only you know, solely for this purpose.