SS7, the network you really should know of, needs far more protection from surveillance

27 Jan 2015

The network that underpins all mobile communications in the world has been compromised, and it’s up to mobile operators to sort it out.

Late last year, numerous news reports emerged following fresh research into the SS7 network, the overarching framework behind mobile phone use around the world.

It seems that, following decades of use, fresh eyes noticed some significant structural realities that were being undermined, contaminating the network and meaning it was open to detailed, unscrupulous behaviours.

The SS7 network is the layer beneath which all our mobile phone communications travel, underpinning our radio network and allowing phone operators to manage their global offerings.

Too big to imagine

It’s how mobile operators set up parameters whereby their customers can make phone calls, send text messages, roam between countries etc. When you add it all up, too, far more people use the SS7 network then, say, the internet.

Unlike the internet, however, customers can’t get access to it. Whereas you or I can connect to the internet, via an IP address, and start communicating, SS7 is the domain of the phone operators. It’s their world, and we’re to stay out – in theory.

It’s huge, it services most of the world and, you guessed it, has been compromised.

“There are certainly different types of attacks that can be executed if you do have access to the SS7 network,” explains Cathal McDaid, head of data intelligence & analytics at AdaptiveMobile.

“You can do things like call interception, get people’s location, intercept messages and lots of other nasty things that you wouldn’t want somebody to do to your phone number, or indeed operators wouldn’t want done to their network.”

The pain in Ukraine falls mainly on the Russian plains

McDaid and his team released a report late last year that went, relatively speaking, under the radar. It turns out that people based in Russia, according to the Ukrainian regulator, had compromised the SS7 network, hacking in to phone calls across three Ukrainian networks and re-routing them through St Petersburg, giving those who accessed them the ability to monitor and track the correspondence.

For its part, MTS Russia (MTS Ukraine was the original victim) denied that the SS7 address used was under its control, thus leaving the ultimate instigator a mystery.

The problem, it appears, is not structural, merely down to the modern age. The network is built on a set of assumptions, deliberately designed to operate in the way it operates now.

“What’s happened in time,” explains McDaid, “is that world operator numbers have gone from 100-150 operators, up to 700 or 800. Each one of these operators may sell connectivity to a certain group of partners.

“When that happens, then you get fraying at the edges. If you are a person that has access, you may try to do more than what you should be doing.”

SS7: Locate. Track. Manipulate. Speaker Tobias Engel at December’s Chaos Communication Congress in Hamburg

Rocky foundations undermine even the strongest of structures

McDaid is quick to defend the network as a whole, claiming that attacks on IP addresses far outweigh those on the SS7 network, however even a small number of hacks into the network undermines the whole thing, surely.

“Well essentially, once the genie is out of the bottle on some of these types attacks, it doesn’t matter how many or how few are being executed,” he agrees, before saying it’s really down to mobile operators to sort it out.

“They need to look at their networks, realise the world that we live in now, and secure the networks using different techniques. Either through firewalling or securing their existing infrastructure, and addressing this as a real issue that needs to be fixed.”

From McDaid’s point of view, a lot of work has already gone in to securing the network, with operators aready taking steps. However, looking at state-sponsored surveillance of pretty much every possible mode of communications all over the world could prove a futile approach.

SS7 arms race

Indeed AdaptiveMobile’s own report on the Ukrainian SS7 problem notes how new legislation in the eastern European country, according to media sources there, could allow their security services to “legally listen, in turn, to subscribers of foreign mobile operators, track their location and obtain ‘other’ information about the activity of subscribers.”

“Taken to extremes between countries, this would lead to a form of ‘mutually assured surveillance’, with mobile operators and mobile phone users on both sides suffering,” reads the report.

This echoes the thoughts of Christopher Soghoian, an expert on surveillance technology, who was quoted in The Washington Post when the first murmurs of problems in the SS7 network emerged last year.

“Many of the big intelligence agencies probably have teams that do nothing but SS7 research and exploitation,” he said at the time. “They’ve likely sat on these things and quietly exploited them.”

Now that would be a surprise. Oh wait…

Communications towers image, via Shutterstock

Gordon Hunt was a journalist with Silicon Republic