Researchers discover a flaw that could let anyone listen to your cell calls by exploiting SS7 protocol

German researchers have identified serious vulnerabilities in the signalling network behind cellphone communication that can allow an attacker to listen to every word you say on a call. Unfortunately, the vulnerable protocol is used by every network provider across the globe. To add fuel to the fire, the encryption a carrier applies to calls does nothing to stop a criminal from exploiting it.

Signaling System 7

The researchers have said that they will reveal the flaws, including a proof of concept, at a hacker conference in Hamburg this month. The flaws were found in the Signaling System 7 (SS7) protocol, which network providers use to route calls and text messages among one another. SS7 is the current iteration of the signalling protocol in use. Experts have voiced the opinion that a protocol developed in the 1980s is bound to harbour many flaws like this, leaving billions of cell phone users exposed to exploits.

The flaws in question are not bugs in the usual sense: they exploit functionality that has been baked into SS7 by design. These functions come into play when a subscriber roams from one network to another, or moves between cell towers while speeding down a highway or travelling on an interstate railway. The cell network is built so that users stay connected while switching from network to network or from tower to tower.

It is this hand-over machinery that the flaws abuse, letting an attacker with SS7 access and protocol knowledge listen to and record calls and messages. The same functions can also be used to carry out fraud. These flaws have persisted despite carriers' push to upgrade to 3G and 4G technologies, which were supposed to, among other things, make communications more secure.

No matter how much a particular carrier strengthens its own network, it still needs SS7 to communicate with other carriers. Thus an attacker sitting in China can reach the cell phone calls of an American citizen. "It's like you secure the front door of the house, but the back door is wide open," said Tobias Engel, one of the German researchers.

Flaw known to GSMA?

Engel, founder of Sternraute, and Karsten Nohl, chief scientist for Security Research Labs, separately discovered these security weaknesses as they studied SS7 networks in recent months, after The Washington Post reported the widespread marketing of surveillance systems that use SS7 networks to locate callers anywhere in the world. The Post reported that dozens of nations had bought such systems to track surveillance targets and that skilled hackers or criminals could do the same using functions built into SS7. The researchers have found no evidence that these particular flaws have been marketed to government agencies, but vulnerabilities of this kind have a history of turning out to be weapons that intelligence agencies had quietly used for years.

"Many of the big intelligence agencies probably have teams that do nothing but SS7 research and exploitation," said Christopher Soghoian, principal technologist for the ACLU and an expert on surveillance technology. "They've likely sat on these things and quietly exploited them." The GSMA, a global cellular industry group based in London, had responded to earlier claims of vulnerabilities in the protocol, but the group declined to comment on these researchers' findings. It seems possible that these flaws were known before and were swept under the carpet.

The Exploits

The researchers found two ways to eavesdrop on calls. The first abuses the call-forwarding function of the protocol, the same function that lets a subscriber forward incoming calls from one phone to another. An attacker with SS7 access would redirect a target's calls to a number they control, listen to or record them, and then pass them on to the intended recipient. Once that redirection is in place, the attacker can eavesdrop on the target's incoming and outgoing calls indefinitely, from anywhere in the world. The second technique requires the attacker to be physically near the target: an antenna records all calls in the nearby radio spectrum, and if a call is encrypted, the attacker uses SS7 to ask the carrier for the temporary encryption key and decrypts the recording later. Vodafone's German network began blocking such key requests after Nohl reported the problem to the company two weeks ago.

U.S. embassies and consulates in dozens of foreign cities, including Berlin, are outfitted with antennas for collecting cellular signals, according to reports by the German magazine Der Spiegel based on documents released by Snowden. Many cell phone conversations worldwide take place with either no encryption or weak encryption.

Nohl on Wednesday demonstrated the ability to collect and decrypt a text message using the phone of a German senator, who cooperated in the experiment. But Nohl said the process could be automated to allow massive decryption of calls and texts collected across an entire city or a large section of a country, using multiple antennas. “It’s all automated, at the push of a button,” Nohl said. “It would strike me as a perfect spying capability, to record and decrypt pretty much any network… Any network we have tested, it works.”

Real World tests

The researchers tested the vulnerabilities against many major carriers and found them exploitable on every one, which is not good news for consumers. In a statement, T-Mobile said: "T-Mobile remains vigilant in our work with other mobile operators, vendors and standards bodies to promote measures that can detect and prevent these attacks." There is one silver lining: popular messaging services such as iMessage and WhatsApp use end-to-end encryption, so the carrier never handles the plaintext and these SS7 attacks cannot reach the content. Looks like our teenagers have been more secure than country presidents.

Effect of the Snowden leaks on Germany

Communication privacy is a very sensitive issue in the researchers' native Germany. After the furore caused by Snowden and the alleged tapping of the German Chancellor's personal cell phone, Germans have begun taking privacy very seriously. This is expected to make them scrutinize security mechanisms all the more, especially since these two flaws are not the only ones found in the protocol.

Nohl and Engel have also discovered new ways to track the locations of cell phone users through SS7. The Post story, in August, reported that several companies were offering governments worldwide the ability to find virtually any cell phone user, virtually anywhere in the world, by learning the location of their phone through an SS7 function called an "Any Time Interrogation" query. Network carriers have begun blocking such requests since the story first broke, but the researchers have uncovered more than one way to locate a user. "I doubt we are the first ones in the world who realize how open the SS7 network is," Engel said.

The researchers also found that SS7 can be used to learn the phone numbers of people whose cellular signals are picked up by surveillance devices. Phones transmit a temporary identification number over the air which, through SS7 queries, can be resolved to the subscriber's phone number. That allows location tracking within a certain area, such as near government buildings. "After all the NSA and Snowden things we've heard, I guess nobody believes it's possible to have a truly private conversation on a mobile phone," Engel said. "When I really need a confidential conversation, I use a fixed-line" phone.
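The carrier-side countermeasure the article mentions in passing, blocking Any Time Interrogation queries and key requests that arrive from outside the home network while still allowing the roaming signalling SS7 exists for, is easy to state but worth seeing in code. The example below is added here and is not code from the researchers, from any carrier, or from the Washington Post report. It screens a list of constructed SS7 MAP-style request records: home-only operations from foreign nodes are blocked, roaming operations are allowed, and a single foreign node that touches many different subscribers in quick succession (the automated, city-wide sweep Nohl describes) is flagged for review even when each individual request looks legitimate. The record layout, the global-title prefixes, the threshold, the sample records and every operation name other than "AnyTimeInterrogation" are assumptions made for the illustration; in particular "SendIdentification" stands in for the key-retrieval request the article describes.

```python
"""Screening SS7 MAP requests at the interconnect (illustrative example).

Not code from the researchers, a carrier or the Washington Post report.
Everything below except the ATI operation name is constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable

# Global-title prefixes of the operator's own signalling nodes (assumption).
HOME_GT_PREFIXES = ("49170", "49171")

# Requests a home network should never honour from an outside node:
# the ATI location query named in the article and (assumed name)
# the request that returns a call's temporary cipher key.
HOME_ONLY_OPS = {"AnyTimeInterrogation", "SendIdentification"}

# Requests that legitimately cross network borders during roaming (assumed names).
ROAMING_OPS = {"UpdateLocation", "SendRoutingInfo"}

# One outside node asking about more than this many distinct subscribers
# looks like a sweep rather than routine roaming traffic (assumed threshold).
MAX_DISTINCT_TARGETS = 3


@dataclass(frozen=True)
class MapRequest:
    calling_gt: str   # global title of the node that sent the request
    operation: str    # MAP operation name
    target_imsi: str  # subscriber the request concerns


def classify(req: MapRequest) -> str:
    """Per-request verdict: 'allow', 'block' or 'review'."""
    from_home = req.calling_gt.startswith(HOME_GT_PREFIXES)
    if req.operation in HOME_ONLY_OPS:
        return "allow" if from_home else "block"
    if req.operation in ROAMING_OPS:
        return "allow"
    return "review"  # anything unexpected goes to a human


def screen(requests: Iterable[MapRequest]) -> dict:
    """Apply classify() to a stream and add the per-source sweep check."""
    counts = {"allow": 0, "block": 0, "review": 0}
    blocked, flagged = [], []
    targets_by_source = defaultdict(set)
    for req in requests:
        verdict = classify(req)
        targets_by_source[req.calling_gt].add(req.target_imsi)
        if verdict == "allow" and len(targets_by_source[req.calling_gt]) > MAX_DISTINCT_TARGETS:
            verdict = "review"  # individually fine, collectively a sweep
            flagged.append(req)
        counts[verdict] += 1
        if verdict == "block":
            blocked.append(req)
    return {"counts": counts, "blocked": blocked, "flagged": flagged}


# Constructed sample traffic (global titles and IMSIs are made up).
SAMPLE = [
    MapRequest("491701234567", "AnyTimeInterrogation", "262011234567890"),  # internal lookup
    MapRequest("861391234567", "AnyTimeInterrogation", "262011234567890"),  # foreign ATI: block
    MapRequest("861391234567", "UpdateLocation", "262011234567890"),        # roaming: allow
    MapRequest("447700900123", "SendIdentification", "262011234567890"),    # foreign key request: block
    MapRequest("447700900123", "ForwardSM", "262011234567890"),             # unexpected: review
    MapRequest("336123456789", "SendRoutingInfo", "262011000000001"),       # one node sweeping
    MapRequest("336123456789", "SendRoutingInfo", "262011000000002"),
    MapRequest("336123456789", "SendRoutingInfo", "262011000000003"),
    MapRequest("336123456789", "SendRoutingInfo", "262011000000004"),       # fourth target: review
]

if __name__ == "__main__":
    result = screen(SAMPLE)
    print(result["counts"])
    for r in result["blocked"]:
        print("blocked ", r.operation, "from", r.calling_gt)
    for r in result["flagged"]:
        print("flagged ", r.operation, "from", r.calling_gt, "target", r.target_imsi)
```

The allow-list on the source global title is the part Vodafone's block of key requests corresponds to; the distinct-target counter is what catches a sweep that uses only operations a filter must allow for roaming to work, which is why a pure per-operation block is not enough on its own.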

We will have to wait until the Hamburg conference to see the proof of concept and learn what action the GSMA takes on this serious issue.

Source: The Washington Post


  1. “When I really need a confidential conversation, I use a fixed-line” phone.
    A fixed-line communication is as secure as a wired computer, and we all know how secure a wired computer is.

    • John, if these flaws, vulnerabilities, attacks and leaks continue, we may soon be in an era where fixed-line telephones and manual typewriters are the best options for security 😛

