A massive security hole in modern telecommunications is exposing billions of mobile phone users in the world to covert theft of their data, bugging of their voice calls, and tracking of their location.
Hackers, fraudsters, rogue governments and unscrupulous commercial operators using hundreds of online portals across the planet are exploiting vulnerabilities in the mobile phone signalling architecture.
German hackers working from Berlin were able to intercept and record a mobile phone conversation between 60 Minutes reporter Ross Coulthart in the UK and Australian Senator Nick Xenophon in Australia’s Parliament House.
The Berlin hackers from SR Labs, who first warned of the vulnerability in SS7 in 2008, were able to intercept and read the Senator’s SMS messages sent from Australia to Coulthart in London, and to monitor the Senator’s movements as he travelled to Japan on official business, tracking him around Tokyo and Narita and later around the streets near his South Australian home.
Calls for public enquiry
Xenophon, who agreed to take part in the hacking demonstration, called for an immediate full public inquiry into SS7. ‘This is actually quite shocking because it affects everyone. It means anyone with a mobile phone can be hacked, can be bugged, can be harassed. The implications of it are enormous and what we find is shocking is that the security services, the intelligence services, they know about this vulnerability,’ he told 60 Minutes.
The German hacker behind the hacking demonstration, Luca Melette from SR Labs, told 60 Minutes: ‘This is quite shocking for me also that SS7 is not secure.’ It was another hacker, Tobias Engel, who first warned of the vulnerabilities in SS7, and he demonstrated how it might be done at a Chaos Computer Club conference in Germany in December last year.
Weaknesses in mobile phone signaling system
SS7 is the signaling system between phone companies which allows a mobile phone to roam from one country to another. Under international agreements all telecommunications providers have to provide details of their subscribers automatically via the SS7 system on request from another provider.
An SS7 request on a phone number instantly provides the phone handset’s unique identifier, known as the IMEI number; the name and contact details of the phone account subscriber; whether their phone is allowed to roam internationally; what kind of account they use (post-paid or pre-paid); and, perhaps most disturbingly of all, the nearest cell phone tower to which that mobile phone is currently connected.
Using this information, a determined hacker with access to the SS7 system can listen in to any mobile phone conversation by forwarding all calls on a particular number to an online recording device and then re-routing the call on to its intended recipient, so the man-in-the-middle attack goes undetected. It also allows the movements of a mobile phone user to be geo-tracked on an application like Google Maps.
SS7 attacks ‘a reality’
Historically, only large telecommunications providers were allowed access to query SS7 for subscriber data, but in recent years VOIP (Internet phone) providers, smaller phone companies and numerous third-party SMS messaging services have also gained access. There are also fears that some providers with SS7 access are illicitly sub-leasing their portal to third parties.
The global body representing mobile phone users – the GSMA (Groupe Speciale Mobile Association) – lists 800 members from 220 countries with full authority to run mobile phone networks, including access to the SS7 signalling system which has the gaping security flaw.
Those GSMA country members include mobile phone providers from many poor and unstable war-stricken nations including Iraq, Syria and Afghanistan, countries with ongoing insurgencies; it raises the possibility that terrorists or criminals who seize a local phone company with SS7 access could misuse SS7 to cause havoc or commit crimes across the telecommunications system.
60 Minutes is aware of a recent analysis done by a French telco which revealed a huge spike in SS7 queries from Africa and the Middle East that far exceeded the number of phones roaming in those regions; this suggests the SS7 ‘Any-Time-Interrogation’ (ATI) queries for subscriber information and location were done for illicit purposes such as espionage or criminal fraud. ‘SS7 attacks are a reality,’ a telecommunications conference was told two weeks ago.
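The French telco’s check described above, as an added example that is not part of the original article or any operator’s tooling: it compares Any-Time-Interrogation (ATI) query volume per foreign network against the number of subscribers actually roaming there, and also flags a single subscriber being polled repeatedly from one network, the signature of location tracking. The log format, network codes and roaming counts are all constructed for the example.

```python
"""Added example (not from the article): flag foreign networks whose ATI
query volume outstrips real roaming, and targets polled repeatedly."""
from collections import Counter

# Constructed signalling records: "<time> <origin_network> <MAP_op> <target_msisdn>"
SAMPLE_LOG = """\
2015-08-10T09:00:01 AU ATI +61400000001
2015-08-10T09:00:05 AU ATI +61400000002
2015-08-10T09:00:31 NZ ATI +61400000006
2015-08-10T09:01:00 XX ATI +61400000009
2015-08-10T09:06:00 XX ATI +61400000009
2015-08-10T09:11:00 XX ATI +61400000009
2015-08-10T09:16:00 XX ATI +61400000009
2015-08-10T09:17:00 XX ATI +61400000010
2015-08-10T09:18:00 XX ATI +61400000011
2015-08-10T09:19:00 YY SRI_SM +61400000012
"""

# Constructed counts of our subscribers currently roaming on each network
ROAMERS = {"AU": 1200, "NZ": 300, "XX": 1}


def parse_ati(log_text):
    """Return (ATI queries per origin, ATI queries per (origin, target))."""
    by_origin, by_target = Counter(), Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[2] != "ATI":
            continue  # skip malformed lines and other MAP operations
        _, origin, _, target = fields
        by_origin[origin] += 1
        by_target[(origin, target)] += 1
    return by_origin, by_target


def flag_suspicious(by_origin, by_target, roamers, max_ratio=2.0, repeat=3):
    """An origin is suspicious when its ATI volume exceeds max_ratio queries
    per roaming subscriber, or when it polls one target at least `repeat` times."""
    flagged = {}
    for origin, n in by_origin.items():
        r = roamers.get(origin, 0)
        ratio = float("inf") if r == 0 else n / r  # queries with no roamers at all
        polled = sorted(t for (o, t), c in by_target.items() if o == origin and c >= repeat)
        if ratio > max_ratio or polled:
            flagged[origin] = {"queries": n, "roamers": r, "polled_targets": polled}
    return flagged
```

In the constructed data only network XX is flagged: six queries against a single roamer, four of them polling the same number every five minutes.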
Surveillance systems on sale
In August last year the Washington Post published a story alleging that makers of surveillance systems are offering government and other clients around the world access to SS7 to track the movements of anyone who carries a cell phone; a use that goes far beyond the original intentions of the system, and which raises substantial privacy and commercial espionage concerns.
It is no revelation, of course, that intelligence agencies such as the US National Security Agency or the Australian Signals Directorate, part of the so-called Five Eyes communications spying alliance, have such powers. But the Post story raised legitimate concerns at the time that a rogue government could access the SS7 portal to track political dissidents or to gather economic espionage on a competitor country.
What the story did not detail was that SS7 access can also allow remote bugging of any mobile phone user’s calls, which is the hack 60 Minutes has now demonstrated is possible.
One of the companies offering commercial access to SS7 for the purpose of location tracking is Verint, based in New York, with offices across the world, including Australia. 60 Minutes has obtained a copy of Verint’s confidential brochure for a product named SkyLock, a cellular tracking system, with the subtitle catchphrase: ‘Locate. Track, Manipulate’.
Verint pledges in its marketing material that it does not use Skylock against US or Israeli phone users but its marketing pitch does not exclude the possibility that it is offering access to Australian phone subscriber data to its clients.
If those clients have access to SS7’s ‘Any Time Interrogation’ (ATI) query capacity then there would be nothing stopping them from using SS7 to query the details and to track phone subscribers anywhere in the world.
Australian Federal Government procurement records show Verint’s Australian office provided $795,000 of ‘software’, ‘computer services’ and ‘software maintenance and support’ to the Australian Crime Commission from 2005 to 2012.
Verint did not respond to questions from 60 Minutes asking whether it had sold Skylock to Australian customers or whether there were any protections to stop Skylock customers from misusing Skylock for illicit purposes such as corporate espionage or fraud.
Evidence NSA is using SS7
It has long been speculated in security industry circles that the reason countries like the UK, US and Australia have not rushed to ensure the SS7 vulnerability is fixed is that the location tracking and call bugging capacity has been widely exploited by intelligence services for espionage.
In December 2013 The Australian newspaper detailed how US diplomatic cables leaked by NSA whistleblower Edward Snowden revealed that in 2009 Australia’s then Defence Signals Directorate (now ASD) had targeted the mobile phone of Kristiani Herawati, the wife of the then Indonesian President Susilo Bambang Yudhoyono.
How that bugging was done has never been explained, but the use – or misuse, perhaps – of SS7 seems the most likely explanation. A simple query of the signalling system would have provided the Indonesian First Lady’s unique cell-phone IMEI number, then enabling tracking and call-forwarding to a recording device.
Rogue cell towers widely used by criminals
The 60 Minutes investigation also revealed how, using a GSMK Cryptophone, the program detected IMSI catchers – rogue cell towers – in use in Australia. The Cryptophone has a baseband firewall that detects when a rogue cell tower is trying to force the phone to connect to it, and it warns if the IMSI catcher is attempting to force the phone’s 3G or 4G encryption down to 2G, a weak encryption level that is easily cracked.
Over the past few months 60 Minutes reporter Ross Coulthart detected suspected IMSI catchers in operation around central Sydney, including outside the Australian Stock Exchange building in Bridge Street. Each time, the rogue cell tower was attempting to force the phone to connect with it unencrypted, which would have allowed access to any of the data on a normal mobile phone.
He also recorded multiple detections in an undisclosed eastern suburbs Sydney location, filming the alerts in real time as they were detected on the Cryptophone. While there is a clear possibility the IMSI catchers detected were part of a legitimate law enforcement operation, experience in the United States suggests at least some of those rogue cell towers are being used illegally by criminals and corporate spies for fraud and espionage.

ESD America is a company based in Las Vegas which markets the Cryptophone and specialises in counter-surveillance technology. Its CEO Les Goldsmith told 60 Minutes that his company has detected 68 IMSI catchers in locations across the US, including at sensitive Government hearings and military installations.

He said that IMSI catchers are now widely in use by criminals because ‘An IMSI catcher in criminal hands is going to mean that they have the ability to target an apartment building where they can listen to the phone calls and pick up and record all the calls and hope to pick up somebody calling their bank and giving their passwords or suchlike vital private transactions.’
Technology breakthrough detects fake cell towers
ESD has developed technology in conjunction with the German firm GSMK called Overwatch which, for the first time, allows real-time detection of rogue cell phone towers to distinguish them from the real ones. GSMK principal Bjoern Rupp demonstrated the technology for the first time on-camera, showing how Overwatch allows rogue cell towers to be pinpointed on a map using triangulation from sensors placed around a city.
The purpose of Overwatch is to provide Governments and telecommunications providers with the first ever warning system that can alert them to the presence and location of an illegal IMSI catcher. The technology breakthrough potentially threatens the efficacy of one of the most powerful tools used by intelligence agencies over the past few decades of mobile phone telephony – IMSI catchers are a primary tool of modern espionage. GSMK and ESD have also developed another product called Oversight, a system which detects suspicious SS7 activity.
Oversight is already being installed by a number of telcos in Europe, and reports suggest they are already noticing extensive suspicious use of SS7, which they are then able to block.
The ramifications of the Oversight and Overwatch technological breakthroughs are enormous; they potentially spell the end to rampant easy access by a host of governments and rogue criminal elements internationally to undetected misuse of the SS7 hack and IMSI catchers. However, for the moment, the huge security hole in SS7 remains unfixed.
SS7 hacking services on offer
In an amusing twist, when Hacking Team, an Italian-based seller of privacy-intrusive surveillance hacking technology, suffered a major leak of its emails in July, the leaked email traffic revealed its knowledge of how the leak was likely perpetrated. ‘This is BLATANT privacy violation!,’ complained Hacking Team CEO David Vincenzetti, ‘HOW did they collect such information?’
The answer back from his technical experts was that whoever did the hack had likely accessed their data using SS7 via a contact in the Italian phone company Telecom Italia.
The leaked emails also disclosed that Hacking Team had previously been approached by a company called CleverSig, which claimed to have online access to SS7 tracking via another operator at a cost of US$14,000 to 16,000 per month.
It suggests, as many security operators are beginning to fear, that the SS7 system’s surveillance capabilities are now wide open to unscrupulous commercial operators … for a fee.
When 60 Minutes contacted CleverSig’s founder Eitan Keren in Israel for comment about the leaked emails he said ‘not all the data you see there is valid. Take the data you read with caution’. He then went on to disclaim any knowledge of or involvement in SS7 tracking.
Questions were also sent to Verint, the makers of SKYLOCK surveillance technology. They did not respond.
Ross Coulthart is an investigative journalist at 60 Minutes, Australia. Twitter: @rosscoulthart