How secure is your mobile phone? Would it surprise you that it could be hacked? Probably not. If the Edward Snowden leaks are anything to go by, you probably expect the NSA, FBI, GCHQ, or another government acronym to have the capability to spy on you. Of course, to do so, they would need expensive equipment, direct access to your mobile network, and highly trained hackers.
But what if your mobile phone could be hacked much more easily, without expensive equipment? And what if hackers don’t even have to be connected to your mobile network, or even located in your country? Unfortunately, this scenario is quite possible and, as of now, a massive security flaw exists in the way all mobile networks operate and communicate with each other.
A huge security issue has surfaced, and the problem for operators is that this flaw is not confined to a small, unused part of the network but sits at the very heart of mobile network operations.
The SS7 problem
Signaling System Number 7 (SS7) is a set of telephony signaling protocols that handles almost every function in a mobile network, including voice calls and text messages. The problem is that SS7 was developed over 30 years ago without any security mechanisms. The SS7 network was considered a trusted network, and by design it allows a Network Element to pretend to be, and to respond on behalf of, any other Network Element. These design features are the very flaws that hackers can exploit. In fact, SS7 was conceived at a time before hacking was even called hacking.
To make matters worse, because of roaming agreements, SS7 messages flow freely between mobile operators. This means that an on-net call (calling and called party on the same network), which should never leave that mobile operator, can be controlled by or redirected to any other mobile network operator. This allows hackers to target a mobile subscriber from anywhere in the world.
Hackers use messages normally exchanged between mobile operators, which makes SS7 attacks very difficult to detect. By sending seemingly normal requests they can obtain the International Mobile Subscriber Identity (IMSI), a unique number associated with every SIM card. Using the IMSI, the hackers can target their attack on a single mobile phone, sending only a couple of SS7 messages per targeted IMSI. The few “untypical” messages sent by hackers are quite difficult to spot among the billions of SS7 messages handled by a mobile operator every day. They are like drops of red ink in a blue sea: they are there but almost undetectable.
What can hackers do?
Once an IMSI number is retrieved, hackers can target individuals simply through their phones. They can start collecting sensitive information, like the mobile phone location or the numbers called from that specific device. Even more, all calls made to or received from the device can be recorded. All of this information and these recordings can be obtained without the mobile subscriber noticing anything.
The potential problem is even bigger. The hacker could gain full control of your calls. Apart from call recording, they could change your identity (caller ID) when making calls and redirect your call to another number. For instance, when Angela Merkel tries to call Barack Obama, hackers could redirect the call to Putin and change the caller ID so it appears Obama is calling. You can imagine everyone’s surprise when Putin answers. Of course, this is not a real-life scenario; Angela Merkel does not use standard GSM when making top secret calls.
But real-life scenarios could potentially be equally insidious. A hacker could redirect a call you make to your bank and, pretending he is a bank representative, ask for your personal information, including your secret password. Then, he could call your bank pretending to be you and get access to your account by providing all the bank authentication details you gave him earlier.
By redirecting the calls you make, hackers could provide you with false information that you would easily trust. For instance, your call could be redirected when calling the local tax authority to check if you need to pay a tax, as an e-mail you received stated. This could take Nigerian Letters (or 419 scams) to the next level.
In addition, hackers can use the same flaws in the SS7 protocols to deny GSM service to their target. They could block all your calls, SMS, and mobile data. This can also be combined with the location information, making your mobile phone unusable when you are in a certain location.
The examples listed above are only some of the things that hackers could do once they have access to the network. Having full control over your calls and having access to your location, the options are limited only by the hacker’s imagination.
This may all sound like something out of a Robert Ludlum novel. However, this is a very real challenge all mobile operators have to address.
What can be done?
Every mobile network is potentially at risk and consequently, every mobile user is as well. Mobile operators can secure access to their own core network but have no control over what happens at other mobile operators. The challenge for mobile operators is to block attacks while still allowing the normal exchange of messages between operators. The equipment currently used for routing SS7 (STP) is not capable of detecting and blocking these types of attacks. A solution is not easy, but nonetheless, it exists.
First, mobile operators can hide the subscriber’s real IMSI and MSC/VLR address. By home routing SMS messages, the real IMSI can be hidden while the SMS messages are still delivered. Hiding the IMSIs is a great step towards network security, since all the attacks need the subscriber’s real IMSI. However, this first step is not enough, as hackers may already know the IMSIs of their targets from previous attacks. The IMSI is linked to the SIM card, so it changes very rarely.
In addition to hiding the real IMSIs, mobile operators could enhance their STPs’ routing features. Messages received from other mobile operators can be sent to an external application that decides, based on the data carried in each message, whether the request is genuine or an attack.
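The screening step described above, as an added example that is not from the original article or from any product: a Python decision function for requests received from other operators, keyed on the MAP operation, the calling global title and the IMSI. The rule sets, prefixes, threshold and sample messages are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# All values below are constructed for illustration (not real operator data).
HOME_GT = "99900"                  # global-title prefix of our own network elements
HOME_IMSI = "99901"                # IMSI prefix (MCC+MNC) of our own subscribers
PARTNER_GT = {"99801": "99800"}    # roaming partner IMSI prefix -> its GT prefix
INTERNAL_ONLY = {"anyTimeInterrogation"}  # assumed: never valid from another operator
HOME_NETWORK_ONLY = {"provideSubscriberInfo", "insertSubscriberData"}
MIN_TRAVEL_MINUTES = 60            # assumed plausibility threshold for a network change

@dataclass
class MapMessage:
    operation: str                 # MAP operation name
    calling_gt: str                # SCCP calling-party global title
    imsi: str = ""                 # subscriber identity carried in the request
    minutes_since_seen_at_home: Optional[int] = None

def screen(msg: MapMessage) -> str:
    """Decide ALLOW, BLOCK or HOME_ROUTE for a message from another operator."""
    if msg.calling_gt.startswith(HOME_GT):
        return "BLOCK"             # our own address arriving from outside is spoofed
    if msg.operation in INTERNAL_ONLY:
        return "BLOCK"
    if msg.operation == "sendRoutingInfoForSM":
        return "HOME_ROUTE"        # SMS home router answers, hiding IMSI and MSC/VLR
    if msg.operation in HOME_NETWORK_ONLY:
        # Only the operator that owns the IMSI may query or modify that subscriber.
        owner = next((gt for p, gt in PARTNER_GT.items() if msg.imsi.startswith(p)), None)
        return "ALLOW" if owner and msg.calling_gt.startswith(owner) else "BLOCK"
    if msg.operation == "updateLocation" and msg.imsi.startswith(HOME_IMSI):
        seen = msg.minutes_since_seen_at_home
        if seen is not None and seen < MIN_TRAVEL_MINUTES:
            return "BLOCK"         # subscriber cannot have changed networks that fast
    return "ALLOW"

SAMPLES = [  # constructed inbound messages
    MapMessage("anyTimeInterrogation", "99700123", "999010000000001"),
    MapMessage("sendRoutingInfoForSM", "99800111"),
    MapMessage("provideSubscriberInfo", "99700123", "999010000000001"),
    MapMessage("insertSubscriberData", "99800111", "998010000000007"),
    MapMessage("updateLocation", "99800111", "999010000000001", 5),
    MapMessage("updateLocation", "99800111", "999010000000001", 600),
]

def run_samples():
    return [screen(m) for m in SAMPLES]

if __name__ == "__main__":
    for m, decision in zip(SAMPLES, run_samples()):
        print(f"{decision:10} {m.operation} from {m.calling_gt}")
```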
For more information and solutions on how you can overcome all SS7 firewall threats, contact us. We have already helped a large mobile operator secure their network against these threats.