Don Sambandaraksa

Hackers demo network-level call interception

White-hat hackers at the 31st Chaos Computer Congress have demonstrated fundamental flaws in the underlying infrastructure of 2G and 3G mobile phone networks. The flaws allow attackers to covertly track the location of a phone number as well as intercept calls and SMS - all at the network level.

Tobias Engel from the Chaos Computer Club demonstrated in front of a live audience how it was possible to send a fake network message from his laptop to block a phone from making calls and even divert calls to another phone.

This could be diverted to a man-in-the-middle recording of the conversation.

He also showed how a couple of volunteers were tracked over a few weeks as they travelled around the United States and Europe again by spoofed network messages simply asking the mobile service center (MSC) server for the location of the subscriber.

Engel said that a journalist has contacted him with claims from a security company offering tracking of individuals down to the city street with just their phone number, and asked how it could be done.

GSM and UMTS systems all depend on a protocol called Signalling System 7 (SS7) which was designed around fixed line telephones in the 1980’s. With each phone line at a physical house and most telcos being trusted state-owned operators, privacy was not a concern at the time.

SS7 has been extended with new protocols added over time to allow for mobility, text messages and geo-location and roaming, for instance. The problem is that SS7 fundamentally does not have any authentication.

Many operators are selling legitimate access to SS7, for instance for text messaging or vehicle fleet management.

With the advent of femto cells, it is even possible for people to hack into their femto units to gain direct access to the SS7 network.

In order to track a target with simply his phone number, the attacker with access to SS7 can simply ask the HLR (home location register) for the international mobile subscriber identity (IMSI) and the mobile switching center (MSC) that the target is currently using. This is done by using what is called an anytime interrogation SS7 message to the HLR.

Many networks have blocked anytime interrogation messages but a workaround is to use the SMS routing to find the IMSI and MSC instead again with SS7 messages.

If that fails (with home SMS routing installed) an attacker with the IMSI address gained through out-of-band means can simply brute-force requests to MSCs all over the world until the right MSC is found.

Armed with the IMSI and the MSC, the attacker then send an SS7 message directly to the MSC to query the location of the target.

“The MSC does not do plausibility assessments. If a German user is in his home network, an Indonesian network should not have anything to do with it [but is not prevented]. Most MSCs accept requests from anywhere and anyone,” he said.

Engel said that some networks have implemented a verify sender address mechanism for geo-location. But he said that simply by spoofing the source address, called the global title, to something that looks similar to the global title of the MSC, it was possible to circumvent the check and be treated as a legitimate, local server.

Away from location, it is possible to use SS7 messages to manipulate a target’s phone. Since this is at the network level, it is irrelevant if it is a smartphone or a simple feature phone.

Engel demonstrated in front of the live audience how it was possible to send SS7 messages to the MSC in order to block calls to a phone and divert calls to a third party. This could be used to set up a man-in-the-middle to eavesdrop on calls.

This was possible because when roaming, users often dial local numbers without the international prefix. There is an SS7 message that allows the HLR to tell the MSC, “when this subscriber makes a call, ask me first”. The idea is that when, for instance, a German subscriber is roaming in France, for domestic German numbers to be added with the international country code of Germany so it can be routed correctly.

But since the HLR’s SS7 messages can be spoofed, an attacker with access to the SS7 network can send a message pretending to be the target’s HLR and tell the MSC to ask it when the target tries to make a call and thereby set up the man-in-the-middle attack.

The same can be done for SMS, USSD and, Engel said, probably data though he said that was not tested yet.

Yet another vulnerability detailed involved de-anonymizing temporary mobile subscriber information (TMSI) numbers and get the IMSI and phone numbers for other users in the vicinity of the attacker.

By simply capturing TMSI paging requests over the air it is possible to send an SS7 update to the MSC that will result in the full HLR details being returned.

“If you do that often enough in Berlin, I don’t know how long it would take you to get Angela Merkel’s phone number,” he said.

Though SS7 is used on GSM and UMTS 3G networks, LTE uses a new protocol called Diameter. However, Diameter has apparently copied many of the flaws of SS7 and still does not have end-to-end authentication.

Asked about this revelation, AIS vice-president for networks Saran Phaloprakarn pointed out one flaw in the doomsday scenario laid out by the Chaos Computer Club. While he acknowledged that the SS7 protocol was fundamentally flawed, he said the SS7 hacks could be detected at the network level with proper monitoring.

Neither Dtac nor TrueMove responded to questions by time of going to press.