Hackers exploit SS7 vulnerability to spy on Australian senator: report

Metaratings
31 Aug 2015

ITEM: Researchers have demonstrated on an Australian news magazine show that it’s possible for anyone to exploit a vulnerability in SS7 networks to intercept voice calls and SMS messages.

On a segment during the Australian version of 60 Minutes, German hackers from SR Labs accessed an SS7 access portal and intercepted and recorded a phone call between 60 Minutes reporter Ross Coulthart and Independent Australian Senator Nick Xenophon. The hackers also intercepted and read Xenophon’s SMS to Coulthart, and used cellular base stations to track Xenophon as he travelled to Japan and then back to Australia.

Not unexpectedly, Senator Xenophon called for an immediate public inquiry after being shown the results.

From the 60 Minutes story web page:

The demonstration also shows how the key fraud protection relied on by banks to protect banking transactions from fraud – verification by SMS message – is useless against a determined hacker with access to the SS7 portal because they can intercept and use the SMS code before it gets to the bank customer. The same technique can also be used to take over someone’s online email account. The call-forwarding capacity of SS7 also allows any mobile to be forcibly redirected to call hugely expensive premium numbers, the cost of which is then billed to that customer’s account. SS7 also allows any number to be blocked, raising the fearful possibility that the vulnerability could be used by criminals or terrorists to stop a victim from calling police or emergency services. Historically, only large telecommunications providers were given allowed access to query SS7 for subscriber data but in recent years VOIP (Internet Phone) providers, smaller phone companies and numerous third-party SMS messaging services are now gaining access. There are also fears that some providers with SS7 access are illicitly sub-leasing their portal to third parties.

A few caveats are worth relaying at this point:

1. The vulnerability isn't new – SR Labs uncovered this particular vulnerability in 2008.

2. The hackers had legal access to an SS7 portal for the purposes of the demo. Actually hacking your way into an SS7 portal does take considerable skill and effort (although it is of course not impossible).

That said, one of the concerns raised in the report isn’t that bad guys will try to crack an SS7 portal and spy on you, but that cellcos are actually letting third parties access SS7:

Historically, only large telecommunications providers were given allowed access to query SS7 for subscriber data but in recent years VOIP (Internet Phone) providers, smaller phone companies and numerous third-party SMS messaging services are now gaining access. There are also fears that some providers with SS7 access are illicitly sub-leasing their portal to third parties.

(NOTE: In his recent book Data And Goliath, security expert Bruce Schneier wrote that several companies are already selling products based on SS7 tracking. The Washington Post ran a story about SS7 tracking systems last year.)

While 60 Minutes is one of the more respectable TV news magazines (at least in the US – I’m not sure about Australia), it’s not above a little drama and hyperbole to keep their viewers’ attention. Going by the written online version, it sounds a little more alarmist than the situation warrants.

On the other hand, if you’re a telco, your customers are getting their information about privacy and security issues regarding your network from hyperbolic online posts and TV shows like this.

This is what operators are up against when it comes to concerns over data privacy – the average customer doesn’t know how cellular networks work, or why SS7 does what it does, or why SS7 tracking is even a business model.

The 60 Minutes report includes some written responses from Telstra, Optus and Vodafone at the end, but they’re focused mainly on illegal exploits of SS7, not third-party access, and – it has to be said – are worded so carefully that it’s hard to imagine mobile users who saw the 60 Minutes story feeling more assured.

It’s been said elsewhere but it’s worth repeating: data privacy is a matter of trust, and that trust is eroded every time a story like this comes out, or every time something like Ashley Madison happens. We don’t yet know what the consequences will be for companies banking on Big Data as a business model, but unless you’re the size of Google or Facebook, it’s probably not a good idea to wait until your company makes headlines (and not in a good way) to address your customers’ fears and concerns.
