Information security
Researchers discover security
flaws that could let anyone hear your cell calls
"It's like you secure the
front door of the house, but the back door is wide open," said German
researcher Tobias Engel (Kacper Pempel / Reuters)
By Craig Timberg Washington Post
German researchers have
discovered security flaws that could let hackers, spies and criminals listen to
private phone calls and intercept text messages on a potentially massive scale
- even when cellular networks are using the most advanced encryption now
available.
The flaws, to be reported at a
hacker conference in Hamburg this month, are the latest evidence of widespread
insecurity on SS7, the global network that allows the world's cellular carriers
to route calls, texts and other services to each other. Experts say it's
increasingly clear that SS7, first designed in the 1980s, is riddled with
serious vulnerabilities that undermine the privacy of the world's billions of
cellular customers.
The flaws discovered by the
German researchers are actually functions built into SS7 for other purposes -
such as keeping calls connected as users speed down highways, switching from
cell tower to cell tower - that hackers can repurpose for surveillance because
of the lax security on the network.
Those skilled at the myriad
functions built into SS7 can locate callers anywhere in the world, listen to
calls as they happen or record hundreds of encrypted calls and texts at a time
for later decryption. There also is potential to defraud users and cellular
carriers by using SS7 functions, the researchers say.
These vulnerabilities continue
to exist even as cellular carriers invest billions of dollars to upgrade to
advanced 3G technology aimed, in part, at securing communications against
unauthorized eavesdropping. But even as individual carriers harden their
systems, they still must communicate with each other over SS7, leaving them
open to any of thousands of companies worldwide with access to the network.
That means that a single carrier in Congo or Kazakhstan, for example, could be
used to hack into cellular networks in the United States, Europe or anywhere
else.
"It's like you secure the
front door of the house, but the back door is wide open," said Tobias
Engel, one of the German researchers.
Engel, founder of Sternraute,
and Karsten Nohl, chief scientist for Security Research Labs, separately
discovered these security weaknesses as they studied SS7 networks in recent
months, after The Washington Post reported the widespread marketing of
surveillance systems that use SS7 networks to locate callers anywhere in the
world. The Post reported that dozens of nations had bought such systems to
track surveillance targets and that skilled hackers or criminals could do the
same using functions built into SS7. (The term is short for Signaling System 7
and replaced previous networks called SS6, SS5, etc.)
The researchers did not find
evidence that their latest discoveries, which allow for the interception of
calls and texts, have been marketed to governments on a widespread basis. But
vulnerabilities publicly reported by security researchers often turn out to be
tools long used by secretive intelligence services, such as the National
Security Agency or Britain's GCHQ, but not revealed to the public.
"Many of the big
intelligence agencies probably have teams that do nothing but SS7 research and
exploitation," said Christopher Soghoian, principal technologist for the
ACLU and an expert on surveillance technology. "They've likely sat on
these things and quietly exploited them."
The GSMA, a global cellular
industry group based in London, did not respond to queries seeking comment
about the vulnerabilities that Nohl and Engel have found. For the Post's
article in August on location tracking systems that use SS7, GSMA officials
acknowledged problems with the network and said it was due to be replaced over
the next decade because of a growing list of security and technical issues.
The German researchers found
two distinct ways to eavesdrop on calls using SS7 technology. In the first,
commands sent over SS7 could be used to hijack a cell phone's "forwarding"
function -- a service offered by many carriers. Hackers would redirect calls to
themselves, for listening or recording, and then onward to the intended
recipient of a call. Once that system was in place, the hackers could eavesdrop
on all incoming and outgoing calls indefinitely, from anywhere in the world.
The second technique requires
physical proximity but could be deployed on a much wider scale. Hackers would
use radio antennas to collect all the calls and texts passing through the
airwaves in an area. For calls or texts transmitted using strong encryption,
such as is commonly used for advanced 3G connections, hackers could request
through SS7 that each caller's carrier release a temporary encryption key to
unlock the communication after it has been recorded.
Nohl on Wednesday demonstrated
the ability to collect and decrypt a text message using the phone of a German
senator, who cooperated in the experiment. But Nohl said the process could be
automated to allow massive decryption of calls and texts collected across an
entire city or a large section of a country, using multiple antennas.
"It's all automated, at
the push of a button," Nohl said. "It would strike me as a perfect
spying capability, to record and decrypt pretty much any network. . . Any
network we have tested, it works."
Those tests have included more
than 20 networks worldwide, including T-Mobile in the United States. The other
major U.S. carriers have not been tested, though Nohl and Engel said it's
likely at least some of them have similar vulnerabilities. (Several smartphone-based
text messaging systems, such as Apple's iMessage and WhatsApp, use end-to-end
encryption methods that sidestep traditional cellular text systems and likely
would defeat the technique described by Nohl and Engel.)
In a statement, T-Mobile said:
"T-Mobile remains vigilant in our work with other mobile operators,
vendors and standards bodies to promote measures that can detect and prevent
these attacks."
The issue of cell phone
interception is particularly sensitive in Germany because of news reports last
year, based on documents provided by former NSA contractor Edward Snowden, that
a phone belonging to Chancellor Angela Merkel was the subject of NSA
surveillance. The techniques of that surveillance have not become public,
though Nohl said that the SS7 hacking method that he and Engel discovered is
one of several possibilities.
U.S. embassies and consulates
in dozens of foreign cities, including Berlin, are outfitted with antennas for
collecting cellular signals, according to reports by German magazine Der
Spiegel, based on documents released by Snowden. Many cell phone conversations
worldwide happen with either no encryption or weak encryption.
The move to 3G networks offers
far better encryption and the prospect of private communications, but the hacking
techniques revealed by Nohl and Engel undermine that possibility. Carriers can
potentially guard their networks against efforts by hackers to collect
encryption keys, but it's unclear how many have done so. One network that
operates in Germany, Vodafone, recently began blocking such requests after Nohl
reported the problem to the company two weeks ago.
Nohl and Engel also have
discovered new ways to track the locations of cell phone users through SS7. The
Post story, in August, reported that several companies were offering
governments worldwide the ability to find virtually any cell phone user,
virtually anywhere in the world, by learning the location of their cell phones
through an SS7 function called an "Any Time Interrogation" query.
Some carriers block such
requests, and several began doing so after the Post's report. But the
researchers in recent months have found several other techniques that hackers
could use to find the locations of callers by using different SS7 queries. All
networks must track their customers in order to route calls to the nearest
cellular towers, but they are not required to share that information with other
networks or foreign governments.
Carriers everywhere must turn
over location information and allow eavesdropping of calls when ordered to by
government officials in whatever country they are operating in. But the
techniques discovered by Nohl and Engel offer the possibility of much broader
collection of caller locations and conversations, by anyone with access to SS7
and the required technical skills to send the appropriate queries.
"I doubt we are the first
ones in the world who realize how open the SS7 network is," Engel said.
Secretly eavesdropping on calls
and texts would violate laws in many countries, including the United States,
except when done with explicit court or other government authorization. Such
restrictions likely do little to deter criminals or foreign spies, say
surveillance experts, who say that embassies based in Washington likely collect
cellular signals.
The researchers also found that
it was possible to use SS7 to learn the phone numbers of people whose cellular
signals are collected using surveillance devices. The calls transmit a
temporary identification number which, by sending SS7 queries, can lead to the
discovery of the phone number. That allows location tracking within a certain
area, such as near government buildings.
The German senator who
cooperated in Nohl's demonstration of the technology, Thomas Jarzombek of
Merkel's Christian Democratic Union party, said that while many in that nation
have been deeply angered by revelations about NSA spying, few are surprised
that such intrusions are possible.
"After all the NSA and
Snowden things we've heard, I guess nobody believes it's possible to have a truly
private conversation on a mobile phone," he said. "When I really need
a confidential conversation, I use a fixed-line" phone.
Read more at: http://www.chicagotribune.com/business/breaking/chi-hack-cell-calls-20141218-story.html#page=1