preload preload preload preload preload preload
0 Comments | Dec 21, 2018

Hacking the CCS7 Network

SS7The Threat

The CCS7 network was developed in the mid seventies to control the routing of phone calls using out-of-band signaling. The data packets transmitted on the network control not only the initiation and completion of calls, but also numerous billing functions and the activation of advanced features that are today taken for granted (call forwarding, call waiting, etc.). Because the data packets transmitted via CCS7 are unencrypted, it has become relatively easy to gain access to this network and to use it to perform numerous nefarious activities, most notable of which are locating a cell phone with an accuracy of a few meters and intercepting and eavesdropping on calls.

The weaknesses of the CCS7 network came to the fore in mid 2014 with the publication of several technical articles describing ways of gaining access to the network and the various actions that such access could facilitate. Much has since been written on this issue, and it has even attracted the attention of U.S. government officials. In April 2016, Congressman Ted Lieu called for an oversight committee investigation, saying:

“The applications for this vulnerability are seemingly limitless, from criminals monitoring individual targets to foreign entities conducting economic espionage on American companies to nation states monitoring US government officials … The vulnerability has serious ramifications not only for individual privacy, but also for American innovation, competitiveness and national security.” 


How Does It Work?

On the plus side, it is not possible to initiate such an attack by accessing a carrier network using an everyday computer and the Internet. However, the SS7 hub hardware that is required is easily accessible to anyone who acquires a telecom carrier license, something that is remarkably easy to accomplish in many countries.

The only piece of information required by the attacker is the target’s unique SIM card identifier, the International Mobile Subscriber Identity (IMSI). The actual attack is then carried out using SMS text messages, which are carried over the CCS7 network. With this information and a copy of the readily available “SS7 for Linux” software package, the fraudster has all he needs to intercept and eavesdrop on calls.

It is worth noting that setting up this sort of attack typically results in the target’s first call failing, which forces them to initiate a second. Most people think little of this occurrence, but if you regularly have to make two attempts to get a mobile call to complete, this is almost certain evidence that your calls are being eavesdropped on.

Tobias Engel, cofounder of mobile security firm Sternraute, has written extensively on this situation. He wryly observed in one recent paper:


“I doubt we are the first ones in the world who realize how open the CCS7 network is.”


The Bottom Line

Because the Vysk QS1 encrypts calls at the source (inside the mobile phone) and decrypts them at the recipient’s mobile phone using proprietary hardware and software algorithms, there is no point in the call-flow where this attack methodology can access the unencrypted voice information. Manually decrypting an intercepted call that has been encrypted at its source is a profoundly difficult challenge, one that most hackers have neither the resources nor the inclination to undertake.

Leave a Reply

* Required
** Your Email is never shared