Feds Finally Decide To Do Something About Years-Old SS7 Spy Holes In Phone Networks

Jessica Lyons reports via The Register: The FCC appears to finally be stepping up efforts to secure decades-old flaws in American telephone networks that are allegedly being used by foreign governments and surveillance outfits to remotely spy on and monitor wireless devices. At issue are the Signaling System Number 7 (SS7) and Diameter protocols, which are used by fixed and mobile network operators to enable interconnection between networks. They are part of the glue that holds today's telecommunications together. According to the US watchdog and some lawmakers, both protocols include security weaknesses that leave folks vulnerable to unwanted snooping. SS7's problems have been known about for years and years, as far back as at least 2008, and we wrote about them in 2010 and 2014, for instance. Little has been done to address these exploitable shortcomings.

SS7, which was developed in the mid-1970s, can be potentially abused to track people's phones' locations; redirect calls and text messages so that info can be intercepted; and spy on users. The Diameter protocol was developed in the late-1990s and includes support for network access and IP mobility in local and roaming calls and messages. It does not, however, encrypt originating IP addresses during transport, which makes it easier for miscreants to carry out network spoofing attacks. "As coverage expands, and more networks and participants are introduced, the opportunity for a bad actor to exploit SS7 and Diameter has increased," according to the FCC [PDF].

On March 27 the commission asked telecommunications providers to weigh in and detail what they are doing to prevent SS7 and Diameter vulnerabilities from being misused to track consumers' locations. The FCC has also asked carriers to detail any exploits of the protocols since 2018. The regulator wants to know the date(s) of the incident(s), what happened, which vulnerabilities were exploited and with which techniques, where the location tracking occurred, and -- if known -- the attacker's identity. This time frame is significant because in 2018, the Communications Security, Reliability, and Interoperability Council (CSRIC), a federal advisory committee to the FCC, issued several security best practices to prevent network intrusions and unauthorized location tracking. Interested parties have until April 26 to submit comments, and then the FCC has a month to respond.

Foreign governments? Please!

[Anonymous Coward]

The biggest threat is from our own government and private enterprise

Re:Foreign governments? Please!

[Anonymous Coward]

It's hard to tell them apart when government uses private enterprise to make an end-run around getting warrants. And top people at private enterprise are former spooks.

used against me multiple times

[Narcocide]

I'm sure the only reason they've finally decided to fix this because I simply stopped using my phone.

Because it's obsolete?

[RogueWarrior65]

Maybe they're only closing the holes because they are no longer useful and the feds have something better.

I just wanna say, Kevin Mitnick RIP, bro.

[Seven Spirals]

They definitely do. It's called Stingray [wikipedia.org] and it's not even close to the only one that uses the man-in-the-middle method. All of this reminds me of Kevin, though, and bro, I miss you. Rest in peace, sir.

Re:

[RogueWarrior65]

Steven Levy's "Hackers" was fascinating. As a matter of interest, I once stumbled upon a phone system test suite. I had a desk phone that had this fancy contact manager in it and a clock. One day I was trying to set the time on the clock and the number sequence triggered this test suite. It had functions for testing payphones e.g. the coin return. That would have been endless fun.

Re:

[Seven Spirals]

As an ESS hacker, user of Blueboxes, and a wardialer of some acclaim (I felt I was the king of 713 and 281), I can confirm: it was fun.

Re:

[quetwo]

Stringray and the SS7 protocol provide hooks in very different ways and different places.

As you mentioned the Stingray is essentially a MIM attack. Unfortunately, it's become much less useful recently as cell vendors are making their cells smaller and smaller and with a ton more available. Also, with VoLTE/5G it's become even less useful since these are all encrypted VoIP conversations anymore. You could still, in theory capture unencrypted IP traffic across the link, but there isn't a ton of that anymore

Re:Because it's obsolete?

[sg_oneill]

Im actually a bit surprised this is still a thing. I was CTO at a small VOIP telco back about a decade ago and the SS7 thing was a *very* big deal. Its a uselessly insecure protocol from an era when people where just not thinking about this stuff. It was entirely possible to break into it with a laptop and an off the shelf SRD radio setup and scoop all sorts of metadata about nearby phones.

Fun fact: Stingray type tech was a prominent feature in David Simmons The Wire before it was ever officially admitted to. And some people thought it implausible. Nope, like most of the plots people wrote off as implausible in that show, we later learned that indeed it was rooted in real stuff going on in the Baltimore PD. As one Baltimore friend put it;- "That show aint a drama, its a documentary".

Re:

[Deal In One]

Actually when SS7 created noone was really thinking in terms of security. Same with FTP, Telnet, HTTP, etc.

It's just that the environment has evolved such that alot of things need some form of security nowadays.

I guess SS7 is still stuck in the tech stone ages cos it does not have as much visibility to the average person compared to HTTP, etc and so most people are not aware, hence not many people for it to be fixed / changed.

Re:

[SuiteSisterMary]

It's this. It's from the era when it was common to leave your root password open so that friendly other people could log into your server and fix issues for you. Because the only other people on the network that any bad actor could be easily identified by name and job location.

Re:Because it's obsolete?

[tlhIngan]

Actually when SS7 created noone was really thinking in terms of security. Same with FTP, Telnet, HTTP, etc.

It's just that the environment has evolved such that alot of things need some form of security nowadays.

I guess SS7 is still stuck in the tech stone ages cos it does not have as much visibility to the average person compared to HTTP, etc and so most people are not aware, hence not many people for it to be fixed / changed.

To be fair, SS7 was also supposed to be for a closed trusted network where you could trust every host on the network. And given that phone companies don't blindly connect to other hosts this was the security model in place.

Unlike user visible protocols like TCP/IP and such, the user of a phone system doesn't need to know how it works inside - and SS7 is the "inside" protocol. It was designed in an age where the Baby Bells all trusted each other not to do stupid stuff, and the odd competitor like MCI and Sprint also trusted the network. There was no way for the user to gain access to SS7, quite a sea change from the days when in-band signalling meant free long distance calls.

Of course, then the internet happened, and you had VoIP providers popping up out of nowhere and cellular providers and MVNOs and they all needed access to the network, but in the rush to connect everyone no one was really do a trust exercise. The user themselves still couldn't access SS7 directly, but now you had a lot more entry points and a lot more connected systems making for a much larger attack surface.

The reason not much has changed is a result of this - it's still a controlling protocol that users can't directly access, so to get at its flaws requires getting access in the first place. That' was the main security barrier for SS7. The problem is, with more and more interconnection, the attack surface gets larger.

Re:

[sg_oneill]

The other issue , which isn't so much a prob in 2024 (and frankly SS7 isnt quite as widespread now), was that software defined radio setups (like those TV decoder USB sticks that under the hood had a full SDR decoder and could be repurposed for such uses. I used one to build a hydrogen line radio telescope once, good times) could get into phone towers with the right softare and give direct access to the network for chaotic purposes. Though that was more a via gsm indirect route , you could still abuse the t

Re: Because it's obsolete?

[dowhileor]

Easy because they session down network stacks forced into SS7 to allow computers to listen for multicast packets were not what it was designed for.

Re:Because it's obsolete?

[AmiMoJo]

Look at how quick they were to rip out Huawei gear, with only innuendo and suspicion to justify it. Here we have a known backdoor and it took years. Clearly your security is not the primary concern here.

So they have a new backdoor?

[duerra]

The police aren't going to relinquish a tool they already have in their tool chest. Why else would it still be around 20 years later?

Re:

[bill_mcgonigle]

See Kaspersky's detailed analysis of the backdoor in the iPhone GPU.

It's an excellent back door that only the keepers of the secrets could have exploited.

In a way that's good because literally everybody in the world can't use it but it was so secret they didn't hesitate to deploy it against Tucker Carlson while he was at Fox and using Signal to communicate with sources.

He thought Signal had been compromised but now we know they didn't have to.

Re:So they have a new backdoor?

[Ly4]

Tucker Carlson was making shit up, yet again:
https://www.cnn.com/2021/06/29... [cnn.com]

Re:

[Anonymous Coward]

See Kaspersky's detailed analysis of the backdoor in the iPhone GPU.

Ah, so this is why we hate the Russians, they're revealing all our dirty little secrets!

Tall order

[satsuke]

I was an SS7 network engineer for 20 years ..

The problem will take much longer to fix than a few federal inquiries because SS7 was built with almost no security in mind.

e.g. in the 1970s, the only organizations that can talk on an SS7 network are other SS7 providers, namely large telcos and some businesses.

The cost of entry was very very high.

Diameter is better as most telcos use point to point tunnels between statically linked points, but its still largely unencrypted and such.

The problem becomes when SIP trunks and Diameter peering come into the picture. There's functionally no barrier to entry and telcos are obliged to interconnect on a non-preferential basis to prevent the fracturing of the telephone system. (e.g. if Verizon decided to not interconnect a competitors customers).

Re:

[greengrocer]

oh, game over, man! GAME OVER!

Re:

[Required Snark]

Just call it Quantum Diameter and it will instantly become secure and unbreakable.

Re:Tall order

[cstacy]

Just call it Quantum Diameter and it will instantly become secure and unbreakable.

You need to modulate the quantum diameter, which will require AI. (Preferably, 3D printed AI on the blockchain.)

Re:

[SuiteSisterMary]

I was at a security presentation, oh, about five, maybe seven years back, by a company trying to sell, basically, SS7 firewalls, and advocating for basic security ideas that the Internet went through thirty years ago. "Hey, maybe do the equivalent of filtering your routes so people can't use phone numbers not actually registered to your network" and things like that.

The response you point out was exactly the ones that all of the big boys had; 'we don't need security, we just need to get back to closing SS7

Re:

[Anonymous Coward]

I was in a meeting once with execs from a mobile telco whose name rhymes with horizon, and I asked them what they were doing about preventing folks from breaking into their networks... they looked at me like nobody had asked that question before. Terrifying.

Re:

[satsuke]

SS7 is primarily to do with setting up and tearing down voice telephone calls .. As in like seizing a DS0 on a T1/PRI and shoving enough logic down the wire for the next switch to make its own routing decision. Modern times the DS0 is a SIP/VOIP resource, but the way the digits are analyzed is still pretty much the same.

SMS is part of the conversation, but not enitrely .. that's the diameter end of things and has to do with messages passed over the IMS core.

Just to be clear, the telcos can identify the hig

not needed anymore

[M0nkge]

I assume this same flaw exists in foreign networks. Now that the US Intel agencies have a workaround they gave the ok to fix it.