Researchers Tobias Engel and Karsten Nohl demonstrated serious vulnerabilities in the SS7 protocol for cellular service, putting the privacy of phone calls and users’ location data at risk for intercept.

The recently concluded Chaos Communications Congress (31c3) in Hamburg, Germany was an all-out assault on cellular call privacy and security. Of particular interest was the SS7 protocol used to route calls between switching centers.

The researchers, who as it turns out had been working in parallel, found gaping holes in the protocol that allow an attacker to sit in a man-in-the-middle position and re-route calls and SMS messages, or carry out denial-of-service attacks. More worrying still for physical safety is the ability to learn a person’s location and track them.

The bugs are a spy’s dream, and Tobias Engel said he is aware of one real-world attack, carried out from a Russian SS7 network against subscribers in Ukraine and discovered by a telecommunications operator in that country.

Engel, founder of Sternraute, a Berlin-based service provider specializing in privacy, said that an attacker would need only to know his target’s phone number in order to track their location or spy on their calls. The maligned SS7 protocol was designed in the 1980s, long before mainstream cellular use, and its security and privacy protections have not kept up with the times, Engel said. The services built on top of SS7 to enable mobile communication, MAP and CAMEL, operate without authentication, he said, leaving the door wide open for abuse.

Karsten Nohl, of SR Labs in Germany, also spoke at 31c3 and tore into SS7 and demonstrated that attacks can also be carried out over 3G networks in order to record voice and SMS communication as well. He released a tool for Android devices called SnoopSnitch that detects IMSI catchers and other attacks over SS7.

“I think it’s really scary. You don’t have to know somebody, you just have to know his phone number and you can track him from the other side of the world. You don’t have to be near him, you just need SS7 access,” Engel said, pointing out that such access can be purchased from telecom and network operators. Also, he said, there are vendors selling products that maneuver against SS7. “Companies offering these services are saying they are only offering them to law enforcement and government agencies. I don’t know about you but there are many countries in the world whose governments I wouldn’t trust with this functionality.”

Governments have been known not only to monitor the call activity of citizens and high-value industrial or government targets, but also to track the location of activists and dissidents in oppressed parts of the world. Engel’s SS7 presentation included a demonstration in which he tracked a volunteer, mapping out their journey from Seattle to their home in the Netherlands and eventually to Hamburg and 31c3.

https://www.youtube.com/watch?v=lQ0I5tl0YLY

Engel’s attack takes advantage of the Home Location Register (HLR), a database containing subscriber data including their phone number. The HLR, he said, knows which mobile switching center, or visitor location register (VLR), is closest to the subscriber in order to deliver calls and SMS messages. An attacker can send a Mobile Application Part (MAP) anyTimeInterrogation (ATI) request to the HLR; the HLR then queries the serving switching center and returns the subscriber’s cell ID to the attacker, Engel said. European networks block ATI requests for the most part, but that won’t deter an attacker, who instead can query the mobile switching center directly to learn the cell ID and IMSI number. Most switching centers accept requests from anywhere and perform no plausibility checks, Engel said.

https://www.youtube.com/watch?v=GeCkO0fWWqc

Engel brought the problem to the attention of a number of German operators, he said. The operators looked at their traffic and saw that a lot of it carried people’s geo-positions. After filtering out the ability to learn the IMSI and switching center location, attack traffic dropped 80 percent, Engel said. The remaining traffic came either from misconfigured networks or from unknown sources that he said were state actors or other network operators. Some attacks persist because an attacker can learn the IMSI from other sources, or brute-force a number range from the switching center.
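The plausibility checks Engel says switching centers lack, and the filtering the German operators applied, can be sketched as detection logic over signaling records. This is an added example, not code from the talk or the article; the records are constructed, and the home-network GT prefix, the use of MAP operation names as filter keys and the alert thresholds are assumptions.

```python
"""Added example (not from the talk or article): plausibility checks on inbound
MAP location queries, the filtering Engel describes operators lacking.
Records are constructed, simplified signaling entries, not real SS7 traffic:
origin global title (GT, the sender's SS7 address), MAP operation, target IMSI."""
from collections import defaultdict

HOME_GT_PREFIX = "4917"      # assumption: GT range belonging to the home network
RANGE_PROBE_THRESHOLD = 3    # assumption: distinct targets per origin before alerting

# The two MAP operations named in the talk: anyTimeInterrogation (ATI) to the
# HLR, and provideSubscriberInfo (PSI) sent directly to the serving MSC/VLR.
LOCATION_OPS = {"anyTimeInterrogation", "provideSubscriberInfo"}

def is_home(gt):
    """A GT counts as trusted only if it lies in the home network's own range."""
    return gt.startswith(HOME_GT_PREFIX)

def check_records(records):
    """Return (rule, origin_gt, detail) alerts.
    Rule 1: any ATI/PSI from a foreign GT is a location-disclosure attempt.
    Rule 2: one foreign origin querying many distinct IMSIs looks like the
            number-range brute force the article mentions."""
    alerts = []
    targets_per_origin = defaultdict(set)
    for r in records:
        if r["op"] not in LOCATION_OPS or is_home(r["orig_gt"]):
            continue   # non-location traffic and home-network queries pass
        alerts.append(("foreign_location_query", r["orig_gt"],
                       f"{r['op']} for {r['target']}"))
        targets_per_origin[r["orig_gt"]].add(r["target"])
    for gt, targets in targets_per_origin.items():
        if len(targets) >= RANGE_PROBE_THRESHOLD:
            alerts.append(("imsi_range_probe", gt, f"{len(targets)} distinct targets"))
    return alerts

# Constructed sample: a legitimate PSI from the home HLR, a foreign ATI, then a
# foreign origin sweeping consecutive IMSIs with PSI; updateLocation is ignored.
SAMPLE = [
    {"orig_gt": "491711000001", "op": "provideSubscriberInfo", "target": "262010000000001"},
    {"orig_gt": "999900000001", "op": "anyTimeInterrogation",  "target": "262010000000001"},
    {"orig_gt": "999900000001", "op": "provideSubscriberInfo", "target": "262010000000001"},
    {"orig_gt": "999900000001", "op": "provideSubscriberInfo", "target": "262010000000002"},
    {"orig_gt": "999900000001", "op": "provideSubscriberInfo", "target": "262010000000003"},
    {"orig_gt": "999900000001", "op": "updateLocation",        "target": "262010000000004"},
]

if __name__ == "__main__":
    for alert in check_records(SAMPLE):
        print(alert)
```

On the sample this flags the four foreign location queries individually and then raises one range-probe alert for the origin that swept three different IMSIs.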

Engel also demonstrated how an attacker could abuse the CAMEL protocol to overwrite the subscriber’s switching center data with the attacker’s GSM address without the subscriber’s knowledge. When the subscriber makes a call, he said, the switching center would instead contact the attacker’s address. The attacker could then record traffic, learning which numbers are dialed, and bridge calls, sitting in the middle and recording content, Engel said.

“Everybody who has a phone in his pocket indirectly uses SS7,” Engel said. “Every movement can be tracked and every call can be intercepted.”