A huge security flaw in a Signalling System Number 7 (SS7) left billions of mobile phone users at a risk of eavesdropping.
The loophole allows hackers to infect any targeted smartphone user, intercepting their voice calls and text messages, and will be able to track their locations as well.
Recently demonstrated in the Australian TV programme 60 minutes, episode titled bugged, tracked, hacked, that aired on August 16th, the investigators presented an extraordinary report about how hackers were able to intercept and record the telephonic conversations as well as the locations of Australian senator, even when the hacker was located thousands of miles away in Germany.
Investigations and reports revealed that eavesdropping is possible because of a security bug within the design of signaling system number 7.
For those of you who don’t know, Signalling System Number 7 (SS7) is telephony signaling protocols that were developed in 1975 and used to set up Public Switched Telephone Network (PSTN) based telephonic calls. This protocol supports local number portability, mobile phone roaming, Short Messaging Service (SMS), prepaid billing and other relevant services. And under international agreements, every telecommunication service provider must have to provide details of subscribers using SS7 on another service provider’s request.
Exploiting a vulnerability in this protocol and mobile phone roaming functionality, any hacker or intelligence agency can listen or record mobile phone conversation of any user by forwarding all voice calls to a web-based recording device. And then they can intentionally reroute those calls back to the projected recipient, initiating a well-known untraceable attack called man-in-the-middle.
Nick Xenophon, the Australian senator, told 60 Minutes in the programme:
“The implications of it are enormous and what we find is shocking is that the security services, the intelligence services, they know about this vulnerability.”
Luca Melette, a guy behind SR Labs and a German-based hacker, while explaining about the hack said:
“This is quite shocking for me also that Signalling System Number 7 (SS7) is not secure.”
SS7 request from the service provider instantly discloses personal details of the mobile phone user including the IMEI, name, account type as well as the contact details. And surprisingly, the requested information includes details about the cellular tower with which the mobile phone is currently connected, discovering the user’s current location.
So apart from recording the conversations, hackers can also keep track of the targeted mobile phone user’s location and movement using an application like Google Maps.
What is more thought-provoking is that from past few years, third party SMS messaging service providers and Voice-Over-Internet Protocol (VOIP) providers have been granted permissions to access SS7 query data, increasing the flaw in the signaling system protocol.
The demonstration also revealed that because of the security flaw in the system, SMS verification methods are also vulnerable as hackers can easily gain access to the victim’s messages even before it reaches the customer. The similar method could be used to hack into victim’s online email account.
“Verification by SMS message is useless against a determined hacker with access to the SS7 portal because they can intercept and use the SMS code before it gets to the bank customer.”
But there’s something worth noticing in this demonstration. The German-based hackers had a legal access to the SS7 protocol service to carry out the hacking procedure. But in most of the cases, hackers won’t have any access to the SS7 query details, making this vulnerability less exploitable.
After hackers demonstrated the SS7 vulnerability to the senator, he became heated and ordered a full public inquiry for SS7, and said:
“This is actually quite shocking because it affects everyone. It means anyone with a mobile phone can be hacked, can be bugged, can be harassed.”