A recent 60 Minutes investigation* caused a stir by showing how the SS7 protocol can be used to hack mobile phones—intercepting calls, text messages, and tracking the location of callers. The telecommunications industry is seeing a call for more security on the mobile phone network and regulatory involvement to protect privacy. What is important to note is that the vulnerabilities associated with SS7 have been known to the security industry, and many are working to resolve them. The reason there is no “quick fix” available has to do with the nature of SS7.
SS7 is working exactly as it was designed. This protocol was designed in the 1970s to stop hackers who were exploiting the one-channel design of the telephone networks, where the set-up and connection of a call were along the same path. SS7 added a channel, or another step, to the set-up and connection process and made it more difficult for those hackers to access the network. The protocol was born in another era – one in which there was one major carrier per country—carriers were the main groups accessing the network, and there was a level of trust associated with connections on the network.
What has changed is that many others—new operators, MVNOs, partners—are using the network to meet our need for connection, data, and access to information. No one foresaw these other groups using the network, but the reality is that our “interconnectedness” would not happen without them.
As more groups joined the network, and the design of the SS7 protocol became better known, attacks were inevitable.
SS7: the open secret
Experts in the security and telecommunications community have known that the potential for SS7 exploitation existed, but no one had proved that it was possible until 2014. In May of that year, documents were published by the Ukrainian secret service (SBU) as part of their investigation into suspicious, Russian-originated activity on their phone networks. This was in response to recent, political-themed call interceptions that had occurred on Ukrainian mobile networks. The perpetrators used SS7 exploits to intercept these calls, and this is believed to be one of the first published accounts of an SS7 exploit. The findings were largely ignored by the Western press, perhaps because the reports were published in Ukrainian. SS7 became very well known in December of 2014 when Security Research Labs from Germany issued a paper on how the protocol could be exploited.
Since that time, security experts, including AdaptiveMobile, have found evidence of SS7 attacks on every major carrier network.
Who is behind the exploits?
Given a number of findings, we believe many of the groups exploiting SS7 are intelligence agencies. AdaptiveMobile has uncovered several very sophisticated global networks engaged in the attempted tracking and interception of individuals in sensitive positions. The scale and sophistication, as well as the objectives behind these attacks, point to espionage/spying. We also have background material, released in various leaks, showing that some intelligence agencies have been collecting information to support attacks.
One key piece of information is that in late 2014, as part of the Snowden revelations, a project called Auroragold within the NSA was disclosed. The main purpose of Auroragold is the collection of information on mobile operators. They do this by intercepting and collecting what are called IR.21s, which are essentially documents that mobile operators exchange with each other so that their subscribers can interact and roam between networks, and so that networks can correctly bill each other.
The various leaked documents show that Auroragold focused on obtaining these documents in a variety of ways, and then making that information available internally. It was stated that the Auroragold project gets this information in order for them to understand the current state of the networks, and predict trends for the future. However, they also state that this information is of benefit to other Signals Development (SIGDEV) agencies within the NSA, protocol exploitation elements and partners.
Of interest to us, and the reason we focus on this, is that these IR.21s contain information on the configuration of SS7 networks within each operator—in order for other operators to bill and communicate successfully with it. Therefore, collecting this information would be of use to any element seeking to exploit the SS7 protocol. It is only a part of the story, and much more than an IR.21 is needed to execute a successful attack, but having this information helps give a better picture of any network that an agency would want to attack, i.e., what mobile network elements are available, what types of subscriber and network numbers they use, and so on. As we have seen from our own experience, attackers already “scan” target operators for new network elements, and having the information contained in IR.21s helps them focus these attacks. When it comes to espionage, every piece of information helps in executing successful attacks, and the authors of the leaked documents clearly understood that exploitation elements would want to use their information.
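The “scanning” for network elements mentioned above is something an operator can look for on its own signalling links. The following is an added example, not AdaptiveMobile's code, of a simple detection pass over constructed SS7 signalling records: it flags MAP traffic arriving from Global Titles that are not on the operator's roaming-partner list (the kind of list the IR.21 exchange populates), sources that sweep across many home network elements, and requests addressed to Global Titles where no element exists. All Global Titles, partner prefixes, and records are constructed for illustration; the MAP operation abbreviations (UL, SRI-SM, ATI) are standard names used only as labels.

```python
"""Added illustration: scan-style activity detection over constructed SS7 records.

Each record is a simplified view of one MAP message as a monitoring probe or
SS7 firewall might log it: (seconds since epoch, calling GT, called GT, op).
Nothing here is a real operator value.
"""
from collections import defaultdict

# Constructed: Global Title prefixes of roaming partners we expect to hear from.
KNOWN_PARTNER_GT_PREFIXES = ("35387", "44770", "49170")

# Constructed: the home network's own network elements, keyed by Global Title.
HOME_NETWORK_ELEMENTS = {
    "35386000001": "HLR-1",
    "35386000002": "HLR-2",
    "35386000010": "MSC-1",
}

# Distinct home GTs one source may address before we treat it as a sweep.
SWEEP_THRESHOLD = 3

# Constructed sample traffic: two legitimate partner messages, then one
# unknown source walking across the home network's element addresses.
SAMPLE_RECORDS = [
    (1000, "353870000123", "35386000001", "SRI-SM"),
    (1005, "447700009001", "35386000010", "UL"),
    (1010, "999900000001", "35386000001", "ATI"),
    (1011, "999900000001", "35386000002", "ATI"),
    (1012, "999900000001", "35386000003", "ATI"),  # no element at this GT
    (1013, "999900000001", "35386000010", "ATI"),
]


def is_known_partner(calling_gt):
    """True if the source GT falls within a configured roaming partner range."""
    return calling_gt.startswith(KNOWN_PARTNER_GT_PREFIXES)


def analyse(records):
    """Return a dict of findings with deterministic (sorted) values."""
    unknown_sources = set()
    targets_by_source = defaultdict(set)
    unmapped_by_source = defaultdict(set)

    for _ts, calling, called, _op in records:
        if not is_known_partner(calling):
            unknown_sources.add(calling)
        targets_by_source[calling].add(called)
        if called not in HOME_NETWORK_ELEMENTS:
            # Addressing a GT that hosts nothing is typical of probing for
            # new or unadvertised elements rather than of normal roaming.
            unmapped_by_source[calling].add(called)

    sweeps = {
        src: sorted(gts)
        for src, gts in targets_by_source.items()
        if len(gts) >= SWEEP_THRESHOLD
    }
    return {
        "unknown_sources": sorted(unknown_sources),
        "sweeps": sweeps,
        "unmapped_targets": {src: sorted(gts) for src, gts in unmapped_by_source.items()},
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_RECORDS).items():
        print(f"{key}: {value}")
```

In the sample, the partner traffic produces no findings, while the unknown source is reported three ways: it is outside every partner range, it has touched four home Global Titles, and one of those addresses hosts no element at all. A production check would key the partner list and element inventory off the operator's real IR.21 data and add time windows, but the three questions asked here are the ones that matter.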
The average person myth
Another comment from the 60 Minutes segment was that the average person is unlikely to be affected by an SS7 hack. For the most part, yes, the average person will not be hacked or targeted. But almost everyone can be affected by an SS7 attack, as evidenced in spectacular fashion on the largest mobile network in Norway roughly two months ago.
On February 19, more than 1 million mobile subscribers of the Telenor Norway network found themselves with no cellular coverage for a period of three-and-a-half hours, due to an unexpected external SS7 “event.” As Telenor explained it, they had received packets over the SS7 network from external sources that caused a key part of their network – their Home Location Register (HLR) network element—to enter an ‘infinite loop’ due to the receipt of an unexpected packet format. What this meant was that there was no activity for about 1 million+ subscribers during this time. The source of the Telenor Norway incident turned out to be innocuous—an operator in Luxembourg was executing SS7 vulnerability analysis—but the incident proves that every mobile user is at risk from an SS7-related outage.
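The failure class described above, an unexpected packet format sending a network element into an endless loop, is one that a signalling parser has to be written to refuse. The following is an added example, not Telenor's HLR code and not a real SS7/MAP encoding: a constructed message layout of parameter blocks, each with a 1-byte tag, a 1-byte total length that counts its own 2-byte header, and the value bytes. A naive parser that trusts the length field stalls on a zero length and silently accepts a length that overruns the buffer; the strict parser beside it rejects both and always makes progress.

```python
"""Added illustration: a naive parameter-block parser beside a hardened one.

Message layout (constructed for this example, not a real protocol):
    [tag:1][total_len:1][value:total_len-2] repeated until the buffer ends.
"""

HEADER_LEN = 2


class MalformedMessage(ValueError):
    """Raised by the strict parser instead of looping or reading past the buffer."""


def parse_naive(buf, max_steps=10_000):
    """Trusts the length field. Returns the parsed blocks, or None when the step
    budget is exhausted; the budget only exists to make a loop that would
    otherwise never end observable in this illustration."""
    blocks, offset, steps = [], 0, 0
    while offset < len(buf):
        steps += 1
        if steps > max_steps:
            return None  # a real element with no budget would spin here
        tag = buf[offset]
        total = buf[offset + 1]  # IndexError on a truncated header
        blocks.append((tag, bytes(buf[offset + HEADER_LEN:offset + total])))
        offset += total  # total == 0 means offset never advances
    return blocks


def parse_strict(buf):
    """Validates every length before use; the cursor advances by at least
    HEADER_LEN per block, so the loop is bounded by the buffer size."""
    blocks, offset = [], 0
    while offset < len(buf):
        if offset + HEADER_LEN > len(buf):
            raise MalformedMessage(f"truncated header at offset {offset}")
        tag, total = buf[offset], buf[offset + 1]
        if total < HEADER_LEN:
            raise MalformedMessage(
                f"length {total} at offset {offset} cannot cover its own header")
        end = offset + total
        if end > len(buf):
            raise MalformedMessage(
                f"block at offset {offset} claims {total} bytes, "
                f"only {len(buf) - offset} remain")
        blocks.append((tag, bytes(buf[offset + HEADER_LEN:end])))
        offset = end
    return blocks


def parse_result(buf):
    """Wrap the strict parser so callers get ('ok', blocks) or ('rejected', reason)."""
    try:
        return ("ok", parse_strict(buf))
    except MalformedMessage as exc:
        return ("rejected", str(exc))


# Constructed inputs.
GOOD = bytes([0x01, 0x04, 0x41, 0x42, 0x02, 0x02])        # two well-formed blocks
ZERO_LEN = bytes([0x01, 0x04, 0x41, 0x42, 0x02, 0x00, 0x99])  # second block length 0
OVERRUN = bytes([0x01, 0x09, 0x41])                        # claims 9 bytes, has 3

if __name__ == "__main__":
    for name, buf in (("GOOD", GOOD), ("ZERO_LEN", ZERO_LEN), ("OVERRUN", OVERRUN)):
        print(name, "naive:", parse_naive(buf), "strict:", parse_result(buf))
```

Run stand-alone, the naive parser returns the blocks for GOOD, gives up (None) on ZERO_LEN after exhausting its budget, and quietly returns a truncated value for OVERRUN; the strict parser accepts only GOOD and names the offending offset for the other two. The general rule the strict version applies is that every length must be checked against both the header it contains and the bytes that remain before it is used to move the cursor.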
The solution
As stated before, there is no easy fix for SS7, but it should be noted that there is ongoing activity within the mobile community to address these types of threats. It requires expertise and care, not only to deal with sophisticated adversaries that exploit these networks, but also to ensure that no ill effects come upon networks in determining and implementing security. With so many people depending on their mobile phones to communicate and work, building security into the mobile network becomes more important every day.
*Disclaimer: AdaptiveMobile provided reference information to the producers of 60 Minutes/CBS for the purposes of explaining security in SS7 networks
Cathal Mc Daid is the Chief Intelligence Officer at AdaptiveMobile. He leads the team that provides network operators with intelligence on the current and emerging threats to their networks. He has 15 years of experience in telecoms, messaging and security. His academic background includes a BEng in Computer Engineering from UL, Ireland and an Executive MBA from INSEAD, France/Singapore.