
Understanding SS7 Security Risks

Sep 22, 2024

SS7 Security Vulnerabilities and Exploitation

Introduction

  • Linus from Linus Tech Tips was involved in a demonstration where his phone network was hacked to spy on him.
  • The hack included intercepting his phone calls and stealing two-factor passcodes without physical access or notifications to his phone.
  • The demonstration highlighted the vulnerabilities in the SS7 (Signaling System No. 7) network.

Historical Context

  • Blue Box:

    • In the 1970s, Steve Jobs and Steve Wozniak created a device called a "Blue Box" that hacked the phone network to make free long-distance calls.
    • They used 2600 Hertz tones to trick phone systems into thinking calls were disconnected.
  • Telephone Evolution:

    • Early phones were manually connected by operators.
    • Rotary dial phones automated dialing using pulses that corresponded to numbers.
    • Touch-tone phones used specific frequencies for each button, enabling long-distance automation.

SS7 Network

  • Introduction to SS7:

    • SS7 was developed to carry control signals separately from voice data, securing phone networks.
    • It's used for global roaming and managing connections across different networks.
  • Vulnerabilities:

    • It's a closed network with global titles for identification.
    • It was originally considered secure, but with over 1200 operators and 4500 networks now connected, it is susceptible to breaches.
    • Access can be sold or rented, sometimes for as low as a few thousand dollars per month.

Exploiting SS7

  • Steps to Exploit:

    • Infiltrate SS7: Gain access to the network via trusted Global Titles.
    • Gain Trust: Obtain the target's IMSI (International Mobile Subscriber Identity), the identifier stored on their SIM card.
    • Attack: Redirect calls and messages, intercept text messages to steal one-time passwords.
  • Demonstration with Linus:

    • Linus's phone calls were intercepted and routed to another device without his knowledge.
    • SMS two-factor authentication was intercepted, allowing unauthorized access to accounts.

Real-World Implications

  • Princess Latifa's Case:

    • Her escape was likely compromised through an SS7 attack on the yacht captain's phone.
  • Financial and Privacy Threats:

    • Criminals exploit SS7 to intercept banking codes and personal information.
    • SS7 forms the backbone of many telecommunications systems, including some emergency services.

Moving Forward

  • Alternatives to SMS 2FA:

    • Use authenticator apps or hardware tokens instead of SMS for two-factor authentication.
    • Use encrypted communication services for voice calls.
  • Future of SS7:

    • Despite known vulnerabilities, transitioning away from SS7 is slow due to its integral role in 2G and 3G systems.
    • Newer protocols like those used in 5G are more secure but not widely adopted yet.

Conclusion

  • SS7 vulnerabilities pose serious privacy and security risks.
  • Awareness and use of alternative security measures can mitigate personal risks.
  • There's a need for industry-wide shifts to more secure protocols to protect against these vulnerabilities.

Gemini Pro 1.5 Experimental

SS7: How We Hacked the Phone Network

Introduction

Linus from Linus Tech Tips and Derek from Veritasium demonstrate how they were able to intercept Linus's phone calls and steal his two-factor authentication codes by exploiting vulnerabilities in the SS7 (Signaling System No. 7) phone network.

The History of Phone Networks and SS7

  • Early phone systems: Initially, phone calls were manually connected by operators.
  • Rotary dial phones: Introduced to automate the process, they sent pulses corresponding to the dialed number.
  • Touch-tone phones: Used specific frequencies to represent numbers, allowing for long-distance automation.
  • Jobs and Wozniak's Blue Box: Exploited vulnerabilities in the touch-tone system to make free long-distance calls by mimicking control signals.
  • SS7: Developed in the 1980s as a more secure system using a separate digital line for control signals. However, it has vulnerabilities that can be exploited.

How SS7 Attacks Work

Step 1: Infiltrate SS7

  • Gaining access to the SS7 network often involves purchasing illegal access from companies with legitimate access. This can cost a few thousand dollars per month.

Step 2: Gain Trust

  • Obtain the target's IMSI (International Mobile Subscriber Identity) to appear as a legitimate user on the network.

Step 3: Attack

  • Call Interception: By tricking the network into thinking the target is roaming, calls can be rerouted to the attacker's device.
  • SMS Interception: As with call interception, messages are rerouted to the attacker, allowing theft of two-factor authentication codes.
  • Location Tracking: Obtain the cell tower the target is connected to, providing approximate location information.

Case Study: Princess Latifa

Princess Latifa's attempted escape from Dubai was thwarted when her yacht's captain was subjected to a sophisticated SS7 attack. Multiple attempts were made to obtain his IMSI and location information. While some requests were blocked, others may have succeeded, leading to her capture.
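
The blocked requests mentioned above are the work of signaling screening at the network edge. The following is an added example, not taken from the video or from any operator's product, of how such screening can reject the IMSI, anytime interrogation and fake-roaming requests described in Steps 2 and 3. The global title prefixes, the policy sets, the one-hour threshold and the log records are all constructed assumptions.

```python
from datetime import datetime, timedelta

HOME_GT_PREFIX = "00100"               # assumed prefix of the operator's own global titles
ROAMING_PARTNERS = ("00200", "00300")  # assumed GT prefixes with roaming agreements
MIN_TRAVEL = timedelta(hours=1)        # assumed minimum time to leave the home network
HOME_ONLY_OPS = {"anyTimeInterrogation", "sendIMSI"}  # assumed: never valid from outside

# Constructed sample records: (time, calling global title, MAP operation, IMSI)
SAMPLE_LOG = [
    ("2024-09-22T10:00:00", "001000000001", "updateLocation", "001010000000001"),
    ("2024-09-22T10:05:00", "009000000042", "anyTimeInterrogation", "001010000000001"),
    ("2024-09-22T10:06:00", "009000000042", "sendIMSI", "001010000000001"),
    ("2024-09-22T10:20:00", "002000000007", "updateLocation", "001010000000001"),
    ("2024-09-22T10:25:00", "009000000042", "updateLocation", "001010000000001"),
    ("2024-09-23T09:00:00", "003000000003", "updateLocation", "001010000000001"),
]

def screen(records):
    """Return (verdict, reason) per record; tracks last accepted location per IMSI."""
    last_seen = {}  # imsi -> (timestamp, registered_in_home_network)
    verdicts = []
    for ts, gt, op, imsi in records:
        when = datetime.fromisoformat(ts)
        is_home = gt.startswith(HOME_GT_PREFIX)
        verdict, reason = "allow", "ok"
        if op in HOME_ONLY_OPS and not is_home:
            # Subscriber lookups arriving from another network are rejected outright.
            verdict, reason = "block", "home-only operation from external GT"
        elif op == "updateLocation" and not is_home:
            prev = last_seen.get(imsi)
            if not gt.startswith(ROAMING_PARTNERS):
                verdict, reason = "block", "no roaming agreement with calling GT"
            elif prev and prev[1] and when - prev[0] < MIN_TRAVEL:
                # Registered at home minutes ago, now "roaming": plausibility check fails.
                verdict, reason = "block", "implausible move out of home network"
        if verdict == "allow" and op == "updateLocation":
            last_seen[imsi] = (when, is_home)
        verdicts.append((verdict, reason))
    return verdicts

if __name__ == "__main__":
    for rec, (verdict, reason) in zip(SAMPLE_LOG, screen(SAMPLE_LOG)):
        print(f"{rec[0]} {rec[2]:<22} from {rec[1]}: {verdict} ({reason})")
```

The last record is accepted because a day has passed since the subscriber was seen at home, which is why plausibility checks reduce but do not eliminate fake-roaming registrations.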

Real-World Threats and Exploits

  • Financial Crimes: Criminals can steal money from bank accounts using SS7 to intercept two-factor authentication codes.
  • Surveillance: Governments and organizations can use SS7 to track individuals' locations and intercept their communications.
  • Zero-Click Hacks: SS7 can be used to gather preliminary information about a target's device before deploying more sophisticated spyware like Pegasus.

Protecting Yourself

  • Limited Options: There's little individuals can do to prevent location tracking through SS7.
  • Alternatives to SMS 2FA: Opt for app-based or hardware authentication tokens whenever possible.
  • Encrypted Communication: Use encrypted messaging and calling apps like Signal or WhatsApp.

The Future of SS7

  • Slow Transition: Replacing SS7 is a slow process due to its widespread use in 2G and 3G networks, including essential services like emergency calls in vehicles.
  • 5G Offers Hope: Newer 5G signaling protocols are more secure, but widespread adoption will take time.

Conclusion

SS7 vulnerabilities pose a significant threat to privacy and security. While individuals can take some steps to protect themselves, a complete solution requires a global effort to transition to more secure technologies. Building knowledge and staying informed about these threats is crucial in navigating an increasingly interconnected world.

Key Individuals Mentioned:

  • Linus (Linus Tech Tips)
  • Derek (Veritasium)
  • Steve Jobs and Steve Wozniak
  • Princess Latifa Al Maktoum
  • Sheikh Mohammed
  • Tiina (Latifa's martial arts instructor)
  • Hervé Jaubert (yacht captain)
  • Karsten Nohl (cybersecurity specialist)
  • Alexandre De Oliveira (cybersecurity specialist)
  • James (Hacksmith)
  • Yvonne (Linus's wife)
  • Ted Lieu (US Congressman)
  • Tobias Engel (security researcher)
  • Crofton Black (investigative journalist)

Key Opinions and Statements:

  • Steve Wozniak: Blue Box experience was crucial for the development of Apple.
  • Crofton Black: The attack on Latifa's yacht captain is a "textbook example" of SS7 risks.
  • Karsten Nohl: SS7 anytime interrogation requests have no legitimate purpose and are a privacy intrusion.
  • Experts: SS7 attacks are mainly targeted at individuals of interest to state agencies.
  • Karsten Nohl: Privacy and freedom from surveillance are prerequisites for democracy.
  • Derek: SS7 vulnerabilities are a real problem and easily exploited, even by non-state actors.