Hackers can read text messages, listen to phone calls and track mobile phone users’ locations with just the knowledge of their phone number using a vulnerability in the worldwide mobile phone network infrastructure.
The exploit centres on a global system that connects mobile phone networks, and can give hackers, governments or anyone else with access to it remote surveillance powers that the user cannot do anything about.
But how can this happen, is it currently being used and what can you do about it?
What is being hacked into?
Signalling System No 7 (SS7), which is called Common Channel Signalling System 7 (CCSS7) in the US or Common Channel Interoffice Signaling 7 (CCIS7) in the UK, is a system that connects one mobile phone network to another.
It was first developed in 1975 and has many variants. Most networks use protocols defined by the American National Standards Institute and the European Telecommunications Standards Institute.
What does SS7 normally do?
SS7 is a set of protocols allowing phone networks to exchange the information needed for passing calls and text messages between each other and to ensure correct billing. It also allows users on one network to roam on another, such as when travelling in a foreign country.
What can access to SS7 enable hackers to do?
Once they have access to the SS7 system, a hacker can essentially have access to the same amount of information and snooping capabilities as security services.
They can transparently forward calls, giving them the ability to record or listen in to them. They can also read SMS messages sent between phones, and track the location of a phone using the same system that the phone networks use to help keep a constant service available and deliver phone calls, texts and data.
Who is affected by the vulnerability?
Should a hacker gain entry to the SS7 system on any number of networks, or if they are used by a law enforcement agency as part of its surveillance, anyone with a mobile phone could be vulnerable.
What’s being done about it?
Since the exposure of security holes within the SS7 system, certain bodies, including the mobile phone operators’ trade association, the GSMA, have set up a series of services that monitor the networks, looking for intrusions or abuse of the signalling system.
Mobile phone networks have also employed security contractors, including the German security researcher, Karsten Nohl, who uncovered the flaw in 2014 and demonstrated it for 60 Minutes, to perform analysis of the SS7 systems in use to try and prevent unauthorised access.
Nothing is hack-proof, however, and their success will likely be on a network-by-network basis. Reportedly, recent security testing of SS7 by an operator in Luxembourg took Norway’s largest network operator offline for over three hours due to an “unexpected external SS7 event”.
What are the implications for users?
The risk of surveillance of your average user, given the billions of mobile phone users across the globe, is small. Those in a place of power, within organisations or government, could be at risk of targeting, as all that’s required to perform the surveillance is access to the SS7 system and a phone number.
One of the biggest dangers, beyond someone listening to calls and reading text messages, is the interception of two-step verification codes that are often used as a security measure when logging into email accounts or other services sent via text message.
Banks and other secure institutions also use phone calls or text messages to verify a user’s identity, which could be intercepted and therefore led to fraud or malicious attacks.
What can I do to protect myself from snooping via SS7?
Given that the vulnerabilities and the possibilities of spying on users relies on systems outside of user control, there is very little you can do to protect yourself beyond not using the services.
For text messages, avoiding SMS and instead using encrypted messaging services such as Apple’s iMessage, Facebook’s WhatsApp or the many others available will allow you to send and receive instant messages without having to go through the SMS network, protecting them from surveillance.
For calls, using a service that carries voice over data rather than through the voice call network will help prevent your calls from being snooped on. Messaging services including WhatsApp permit calls. Silent Circle’s end-to-end encrypted Phone service or the open-source Signal app also allow secure voice communications.
Your location could be being tracked at any stage when you have your mobile phone on. The only way to avoid it is to turn off your phone or turn off its connection to the mobile phone network and rely on Wi-Fi instead.
Why is this happening now?
Security holes within SS7 were first uncovered by security researchers, including Nohl, and demonstrated at Chaos Communication Congress hacker conference in Hamburg in 2014. The hacking of Italian surveillance software vendor Hacking Team last year highlighted the continuing use of the SS7 system in government and criminal snooping, both on users and mobile phone operators.
But it is Nohl’s demonstration of remotely surveilling a US congressman in California from Berlin for CBS’s 60 Minutes that has brought SS7 under the spotlight once again. Since the programme aired, congressman Ted Lieu has called for an oversight committee investigation into the vulnerability.