Understanding SS7 Vulnerabilities in Telecommunications

Sep 23, 2024

Lecture Notes on SS7 Vulnerabilities and Telephone Hacking

Introduction

  • Speaker: Linus from Linus Tech Tips
  • Topic: Hacking the phone network to spy on someone.
  • Methods used: Intercepting phone calls and stealing two-factor passcodes remotely.

Historical Context

Early Phone Systems

  • 1970s: Long-distance calls were expensive (e.g., $25/min from NY to London).
  • Creation of the "blue box" by Steve Jobs and Steve Wozniak to hack the phone network.
  • Achievements included calling the Pope by tricking the telephone operators.

Technical Explanation

Phone Call Connection Process

  • Pre-1920s: Phones did not have dialing; operators manually connected calls.
  • 1910s: Over a million operators in the U.S. for call connections.
  • Introduction of rotary dial to automate the connection process.
  • Pulses sent by rotary dials represented numbers to connect calls.

Introduction of Touch Tone Phones

  • Touch tone phones used two frequencies to send control signals within the voice band.
  • This allowed telephone networks to automate call connections over distance.

Exploiting SS7

  • Jobs and Woz used control signals to create free long-distance calls.
  • They would send a 2600 Hz tone to trick the network into thinking a call had been dropped.
  • Introduction of Signaling System Number 7 (SS7) as a response to vulnerabilities.

Modern Vulnerabilities

SS7 and Its Exploitation

  • SS7's closed network has many entry points due to the number of telecom operators.
  • Access to SS7 can be purchased, costing a few thousand dollars per month.
  • Hackers gain access to SS7, collect International Mobile Subscriber Identity (IMSI) numbers, and exploit the network's trust to carry out attacks.

Demonstration

  • The speaker demonstrated how to intercept Linus’s calls using SS7 vulnerabilities.
  • Calls were successfully rerouted to the speaker's device instead of Linus’s phone.

Attack Methods Using SS7

  1. Infiltrate SS7
    • Access SS7 networks to perform attacks.
  2. Gain Trust
    • Collect IMSI numbers to appear trusted to the network.
  3. Attack
    • Intercept calls and messages, including two-factor authentication codes (2FA).

Risks of SMS

  • SMS-based 2FA can be intercepted using SS7 vulnerabilities.
  • Hackers can gain access to crucial accounts, including social media and banking.

Additional Attack Methods

  • SS7 can be used to track targets’ locations without GPS.
  • Methods include triangulating signals from multiple cell towers.

Real-World Implications

  • Example: the case of Princess Latifa of Dubai, in which SS7 was exploited for tracking.
  • SS7 attacks have been linked to million-dollar fraud by intercepting 2FA codes.
  • The NSO Group's Pegasus spyware exploits SS7 and other vulnerabilities for surveillance.

Security Measures and Future Considerations

  • Current Solutions:
    • Use authenticator apps or hardware tokens instead of SMS for 2FA.
    • Utilize encrypted communication apps (e.g., Signal, WhatsApp) to avoid phone tapping.
  • Long-Term Solutions:
    • SS7 is deeply integrated into the telecom infrastructure; transitioning to 5G is complex but necessary.
    • SS7 vulnerabilities need to be addressed systematically for better security.

Conclusion

  • The ease of exploiting SS7 vulnerabilities poses serious threats to privacy and security.
  • Importance of awareness and understanding technology risks in the digital age.