I'm sure you have all seen people on social media selling cheap voice or data bundles from several carrier networks. The most popular offers are data bundles that would cost UGX 100,000 from the carrier being sold to the masses for a measly UGX 60,000. Have you wondered how such people pull off these hacks? The same weaknesses let security agencies tap the phone conversations of wanted people or learn the location of anyone using any mobile network. Mobile networks have a great many security vulnerabilities, and today we explore some of the loopholes hackers use.
In 2016, a newer method of attacking cellular networks came to public attention. It requires neither costly radio scanners nor high-tech computers, and it is within reach of virtually anyone who can buy access to the signalling network. Worse, mobile networks have had no practical means of protecting against it.
Rather than targeting specific devices, these attacks are perpetrated against entire networks. From a mobile service provider's perspective, once your network's signalling protocol is compromised, hackers have access to your subscribers' personal information: they can read text messages, listen to phone calls and track device locations, all without your or the subscriber's knowledge.
The old SS7 protocol hack
The compromise is based on an attack against a 40-year-old technology known as SS7. But what is SS7? Introduced in the mid-70s, SS7, also known as Common Channel Signaling System No. 7 or C7, has been the industry standard for telephone signalling ever since and has not advanced much in decades. Its outdated security assumptions make it especially vulnerable to attackers.
SS7's success has, in a way, also been its curse, at least when it comes to cybersecurity. The protocol is used everywhere and is the leading protocol for interconnecting telephone networks worldwide. Because it is so prevalent, both intelligence agencies and mobile operators rely on it, and from a surveillance perspective it is considered very effective. As such, SS7 is an attacker's best friend, giving them the same surveillance capabilities held by law enforcement and intelligence agencies.
Over time other applications were integrated into SS7. This allowed for the introduction of new services like SMS, number translation, prepaid billing, call waiting/forwarding, conference calling, local number portability, and other mass-market services.
Amazingly, SS7 employs none of the basic protections against such attacks: traffic is not encrypted and there is no authentication, so equipment cannot distinguish legitimate commands from rogue ones. The network processes any command it receives, regardless of its source.
The reason is simple: as the protocol's designers assumed 40 years ago, the signalling layer in SS7 is separated from the voice layer, so no one apart from the staff at the telephone switch could reach this channel.
Even if someone could, there was no practical use in it: no commands other than those needed to set up a call to a subscriber were carried across the network, so nobody needed to worry about forged packets crossing that layer.
The situation changed once transport of SS7 signalling over IP (SIGTRAN) was introduced around 2000, which essentially exposed the SS7 layer to outside access.
The good news is that it is still not possible to connect to a carrier network from a random computer over the Internet. One needs an SS7 hub, that is, a point of interconnection to the signalling network, which is typically obtained through an operator or through an intermediary that resells such access.
Loopholes the criminals leverage
Location Identification
Now let us review the options a criminal or hacker can leverage. First, to find out the exact location of a subscriber with a given mobile number or IMSI, an attacker can request information about which base station the subscriber is currently using (MAP AnyTimeInterrogation or ProvideSubscriberInfo) and receive in response a Cell Global Identity (CGI), which consists of four parameters:
- MCC (Mobile Country Code);
- MNC (Mobile Network Code);
- LAC (Location Area Code);
- CID (Cell Identity).

Using these four values, an open cell-tower database such as OpenCellID can show where the victim currently is, to within a few hundred meters in cities where cells are small (and to within kilometers in rural areas with large cells).
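As an added example (not code from the original article), here is a Python decoder and encoder for the 7-octet CGI encoding that MAP location responses actually carry (the BCD nibble layout from 3GPP TS 24.008, used by TS 29.002), plus a tiny constructed stand-in for a cell database. The sample response bytes and the coordinates are made up for the illustration; MCC 641 is Uganda's country code.

```python
"""Decode/encode a Cell Global Identity (CGI) in the 7-octet form carried in
MAP location responses (3GPP TS 29.002 CellGlobalIdOrServiceAreaIdFixedLength,
BCD nibble layout from TS 24.008):
  octet 1: MCC digit 2 | MCC digit 1      (high nibble | low nibble)
  octet 2: MNC digit 3 | MCC digit 3      (MNC digit 3 is 0xF for 2-digit MNCs)
  octet 3: MNC digit 2 | MNC digit 1
  octets 4-5: LAC big-endian, octets 6-7: CI big-endian
Added example; the sample bytes and coordinates below are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class CGI:
    mcc: str
    mnc: str
    lac: int
    ci: int


def decode_cgi(raw: bytes) -> CGI:
    """Parse 7 octets into MCC/MNC strings and integer LAC/CI."""
    if len(raw) != 7:
        raise ValueError(f"CGI must be 7 octets, got {len(raw)}")
    lo, hi = (lambda b: b & 0x0F), (lambda b: b >> 4)
    mcc_digits = [lo(raw[0]), hi(raw[0]), lo(raw[1])]
    mnc_digits = [lo(raw[2]), hi(raw[2])]
    if hi(raw[1]) != 0xF:                    # three-digit MNC
        mnc_digits.append(hi(raw[1]))
    if any(d > 9 for d in mcc_digits + mnc_digits):
        raise ValueError("non-decimal digit in MCC/MNC")
    return CGI("".join(map(str, mcc_digits)), "".join(map(str, mnc_digits)),
               int.from_bytes(raw[3:5], "big"), int.from_bytes(raw[5:7], "big"))


def encode_cgi(cgi: CGI) -> bytes:
    """Inverse of decode_cgi; useful for building test vectors or MAP responses."""
    if len(cgi.mcc) != 3 or len(cgi.mnc) not in (2, 3):
        raise ValueError("MCC must be 3 digits and MNC 2 or 3 digits")
    if not (0 <= cgi.lac <= 0xFFFF and 0 <= cgi.ci <= 0xFFFF):
        raise ValueError("LAC and CI are 16-bit fields")
    m = [int(c) for c in cgi.mcc]
    n = [int(c) for c in cgi.mnc] + ([0xF] if len(cgi.mnc) == 2 else [])
    head = bytes([(m[1] << 4) | m[0], (n[2] << 4) | m[2], (n[1] << 4) | n[0]])
    return head + cgi.lac.to_bytes(2, "big") + cgi.ci.to_bytes(2, "big")


# Constructed stand-in for a crowd-sourced cell database (OpenCellID holds
# millions of such rows): (mcc, mnc, lac, ci) -> (latitude, longitude).
SAMPLE_CELLS: Dict[Tuple[str, str, int, int], Tuple[float, float]] = {
    ("641", "10", 0x1234, 0x5678): (0.3476, 32.5825),
}


def locate(raw_cgi: bytes) -> Optional[Tuple[float, float]]:
    """Approximate position of the cell a subscriber was reported in, if known."""
    c = decode_cgi(raw_cgi)
    return SAMPLE_CELLS.get((c.mcc, c.mnc, c.lac, c.ci))


# Constructed sample: what a ProvideSubscriberInfo/ATI answer might carry for a
# subscriber on MCC 641 (Uganda), MNC 10, LAC 0x1234, cell 0x5678.
SAMPLE_RESPONSE_CGI = bytes.fromhex("46f10112345678")

if __name__ == "__main__":
    print(decode_cgi(SAMPLE_RESPONSE_CGI), locate(SAMPLE_RESPONSE_CGI))
```

The nibble swapping is the part people get wrong when reading these responses by hand: the MCC digits come out low-nibble first, and a two-digit MNC is padded with 0xF in the high nibble of octet 2, which is why the decoder checks that nibble before deciding how many MNC digits to read.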
SMS Interception
Text-message interception follows from the same registration trick that underlies most of these attacks: the attacker registers the victim at an MSC/VLR under his/her control (MAP UpdateLocation to the HLR), which cuts the victim off from the real network's services, and from then on no additional steps are required, since the HLR routes the victim's incoming messages to the attacker. Because the sender's SMSC expects a delivery confirmation from the MSC/VLR, the attacker has several options:
- send the delivery confirmation to the sender and keep the message, so the victim never sees it;
- send the confirmation to the sender and pass a modified message on to the subscriber; or
- withhold the confirmation, keep a copy of the message, and then let it be resent to the subscriber so that nothing appears amiss.
Having pointed the HLR at his/her own MSC/VLR address in this way, the attacker receives all of the victim's subsequent incoming traffic, including the one-time SMS passwords used to authorize logins and transactions on online services.
Sending USSD Requests in Subscriber’s Name
USSD codes (the *123# style strings used for balance checks and mobile money) allow a session-based dialogue between the subscriber and the operator using short text strings.

If an attacker knows the victim's MSISDN and the HLR address, he/she can forge such a request, a string of digits, asterisks and hash signs, as though it came from the VLR to the HLR (MAP ProcessUnstructuredSS-Request), and thereby reach balance management, service activation and tariff options in the victim's name. For example, by sending a request to transfer mobile money from one account to another, an intruder can drain the subscriber's funds. The intruder's activity remains completely unnoticed provided he/she also intercepts the victim's text messages (where SMS confirmation is required for the operation).
Profile Spoofing
The subscriber’s profile contains information about connected services, forwarding options, addresses of online or mobile money billing platforms, etc.
By sending a fake subscriber profile to the MSC/VLR (MAP InsertSubscriberData), an attacker can force it to serve the subscriber according to parameters of his/her choosing, e.g. stripping the online-charging (CAMEL) trigger from the profile so that voice calls bypass the billing system.
Redirection of Incoming Calls
The attacker can also influence the voice call routing mechanism by redirecting incoming calls to an arbitrary number. In an established fraud scheme this number is, for example, an expensive international route whose traffic is sold on, so that a huge connection fee is charged to the unsuspecting caller.
In this scheme the intruder first identifies the MSC/VLR currently serving the subscriber, then registers the subscriber at an attacker-controlled MSC/VLR, which blocks the victim's receipt of incoming calls and text messages. When a call arrives, the HLR asks this new MSC/VLR for a roaming number, and the attacker answers with a number of his/her choosing. The HLR passes that number to the GMSC as the MSRN, and the GMSC routes the call there.
Data Acquisition
To commit any of these attacks, the hacker first needs the victim's International Mobile Subscriber Identity (IMSI). It can be obtained by sending a routing request (MAP SendRoutingInfoForSM) from an external "network" emulated on a computer, exactly as a foreign SMSC would when it has a text message to deliver. In response, the home network reports the MSC/VLR address, which reveals whether the subscriber is at home or roaming and, if roaming, on which network (so that the SMS can be sent there). The same response carries the IMSI, which is needed for message routing.

As a result, the attacker obtains the subscriber's IMSI (the key to manipulating his/her "profile"), the address of the HLR where that profile is stored, and the MSC/VLR address (that is, which region or country the subscriber is currently in).
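The following Python model, an added example that is not the article's own code, walks through both the data-acquisition step (SendRoutingInfoForSM leaking the IMSI and serving VLR) and the SMS-interception step (UpdateLocation from an attacker-controlled VLR) described in the sections above, then shows two checks that break the chain: answering foreign SRI-SM with an SMS-home-routing style correlation ID instead of the IMSI, and accepting UpdateLocation only from roaming-partner GT ranges. Every Global Title, IMSI and phone number is constructed; the classes are a toy model of the routing logic, not a MAP stack.

```python
"""Toy model of the MAP exchanges behind the IMSI-harvesting
(SendRoutingInfoForSM) and fake-VLR registration (UpdateLocation) attacks
described above.  Nodes are addressed by Global Titles (GTs, E.164-style digit
strings).  No real SS7/SIGTRAN stack is involved; the point is the routing
logic and the checks that break the chain.  Every GT, IMSI and phone number is
constructed for this added example."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

RoutingInfo = Tuple[str, str]            # (imsi, GT of the serving MSC/VLR)


@dataclass
class VLR:
    gt: str
    inbox: List[Tuple[str, str]] = field(default_factory=list)   # (imsi, text)

    def mt_forward_sm(self, imsi: str, text: str) -> bool:
        """MT-ForwardSM arriving at this VLR; True is the delivery report."""
        self.inbox.append((imsi, text))
        return True


class HLR:
    """Unfiltered HLR: answers any GT, which is the behaviour the text describes."""

    def __init__(self, subscribers: Dict[str, RoutingInfo]) -> None:
        self.subscribers = dict(subscribers)      # msisdn -> (imsi, vlr_gt)

    def sri_sm(self, msisdn: str, origin_gt: str) -> Optional[RoutingInfo]:
        return self.subscribers.get(msisdn)

    def update_location(self, imsi: str, vlr_gt: str, origin_gt: str) -> bool:
        for msisdn, (known_imsi, _) in self.subscribers.items():
            if known_imsi == imsi:
                self.subscribers[msisdn] = (imsi, vlr_gt)
                return True
        return False


class GuardedHLR(HLR):
    """HLR behind a simple signalling firewall.  Two checks: SRI-SM from outside
    the home network gets an SMS-home-routing style answer (3GPP TR 23.840)
    that hides the IMSI and the real VLR behind a correlation ID, and
    UpdateLocation is accepted only from roaming-partner GT ranges."""

    def __init__(self, subscribers: Dict[str, RoutingInfo], home_prefix: str,
                 partner_prefixes: Iterable[str], sms_router_gt: str) -> None:
        super().__init__(subscribers)
        self.trusted = (home_prefix,) + tuple(partner_prefixes)
        self.home_prefix = home_prefix
        self.sms_router_gt = sms_router_gt
        self._correlations = 0

    def sri_sm(self, msisdn: str, origin_gt: str) -> Optional[RoutingInfo]:
        info = super().sri_sm(msisdn, origin_gt)
        if info is None or origin_gt.startswith(self.home_prefix):
            return info
        self._correlations += 1           # the home SMS router resolves this later
        return (f"CORR{self._correlations:06d}", self.sms_router_gt)

    def update_location(self, imsi: str, vlr_gt: str, origin_gt: str) -> bool:
        if not any(origin_gt.startswith(p) and vlr_gt.startswith(p) for p in self.trusted):
            return False                  # would be logged as a suspicious registration
        return super().update_location(imsi, vlr_gt, origin_gt)


class SMSC:
    def __init__(self, gt: str, hlr: HLR, nodes: Dict[str, VLR]) -> None:
        self.gt, self.hlr, self.nodes = gt, hlr, nodes

    def send(self, msisdn: str, text: str) -> Optional[str]:
        """Deliver via SRI-SM then MT-ForwardSM; returns the GT that got the text."""
        info = self.hlr.sri_sm(msisdn, self.gt)
        if info is None:
            return None
        imsi, vlr_gt = info
        target = self.nodes.get(vlr_gt)
        if target is None or not target.mt_forward_sm(imsi, text):
            return None
        return vlr_gt


def run_attack(guarded: bool) -> Tuple[bool, Optional[str], Optional[str], int, int]:
    """Returns (registration accepted, identity the attacker learned, GT that
    received the one-time code, texts at the real VLR, texts at the attacker's)."""
    victim_vlr = VLR("256772000001")               # home operator's MSC/VLR
    attacker_vlr = VLR("447000000001")             # attacker's "VLR" abroad
    subs = {"256772123456": ("641100123456789", victim_vlr.gt)}
    hlr = GuardedHLR(subs, "25677", ["25475"], "256772000008") if guarded else HLR(subs)
    smsc = SMSC("256772000009", hlr, {victim_vlr.gt: victim_vlr, attacker_vlr.gt: attacker_vlr})
    # 1. data acquisition: an SRI-SM from the attacker's GT, as a foreign SMSC would send
    info = hlr.sri_sm("256772123456", attacker_vlr.gt)
    learned = info[0] if info else None
    # 2. register the victim at the attacker's VLR; this also cuts the victim off
    accepted = hlr.update_location(learned or "", attacker_vlr.gt, attacker_vlr.gt)
    # 3. a bank's one-time code goes wherever the HLR now believes the subscriber is
    delivered_to = smsc.send("256772123456", "Your one-time code is 482913")
    return accepted, learned, delivered_to, len(victim_vlr.inbox), len(attacker_vlr.inbox)


if __name__ == "__main__":
    print("unfiltered:", run_attack(guarded=False))
    print("guarded:   ", run_attack(guarded=True))
```

Against the unfiltered HLR the one-time code lands in the attacker's inbox and the real VLR sees nothing; against the guarded HLR the attacker learns only a correlation ID, the bogus registration is refused, and the code reaches the victim. The same fake-VLR registration is what the call-redirection section below builds on, so the partner-range check defends against that too.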
Eavesdropping or Wiretapping calls
The same method, with a little more effort, lets a hacker eavesdrop on outbound calls: a forwarding path can be set up for the number the victim is calling. That number is discovered because, when an outbound call is set up, the switch sends a request containing the dialled number to the billing platform so that it can apply the correct call charge rate and bill the caller.
By swapping the legitimate billing platform address in the victim's profile for an arbitrary address controlled by the scammer, the adversary learns the called number. The victim, as it turns out, gets through only on the second attempt, the first attempt failing, and thinks nothing of the failed call. (Note that regularly getting through only on the second attempt is at best a weak hint of interception; failed first attempts have many mundane causes.)
Evidently, the recent cases of politicians' private calls being exposed to the whole world need not involve bugging their premises and devices or employing secret agents: an opponent in an election campaign can do it for very little money.
There is no complete remedy for these weaknesses. They have been inherent in the protocol since day one, and only a fundamental change in how cellular signalling works could eliminate them entirely.
The other way to address the problem is to deploy signalling monitoring and filtering systems (SS7 firewalls) that spot suspicious activity. A number of IT companies offer such automated systems, which in essence resemble the anti-fraud platforms used by banks: they classify incoming messages by whether they should ever arrive from outside the home network, only from roaming partners, or only after a plausibility check such as whether the subscriber could realistically have moved to the reported location in the time elapsed (the GSMA FS.11 guidelines describe this approach).
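As an added example of the kind of screening such a system does (not a product's code and not from the original article), here is a small Python rule engine run over constructed signalling records. It applies the three FS.11-style checks in order; the log format, the partner GT ranges, the country-distance table and the abbreviated category lists are all assumptions made for the illustration.

```python
"""Rule-based screening of MAP signalling records, in the spirit of the
monitoring systems mentioned above.  The rules follow the GSMA FS.11 grouping:
Category 1 messages (e.g. AnyTimeInterrogation, ProvideSubscriberInfo, SendIMSI)
should never arrive from outside the home network; Category 2 (e.g.
SendRoutingInfoForSM, ProvideRoamingNumber, InsertSubscriberData) only from
roaming partners; Category 3 (here UpdateLocation) needs a plausibility check,
done below as a crude travel-velocity test.  Added example: the log format, GT
ranges, distance table and abbreviated category lists are all constructed."""
import csv
from datetime import datetime
from io import StringIO
from typing import Dict, List, Tuple

HOME_PREFIX = "25677"                       # the operator's own GT range
PARTNER_PREFIXES = ("25475", "4477")        # roaming partners' GT ranges
CATEGORY_1 = {"AnyTimeInterrogation", "ProvideSubscriberInfo", "SendIMSI"}
CATEGORY_2 = {"SendRoutingInfoForSM", "ProvideRoamingNumber", "InsertSubscriberData"}
COUNTRY_OF = {"256": "UG", "254": "KE", "44": "GB", "1": "US"}   # from GT prefix
DISTANCE_KM = {                              # rough great-circle distances
    frozenset({"UG", "KE"}): 500, frozenset({"UG", "GB"}): 6500,
    frozenset({"UG", "US"}): 12000, frozenset({"KE", "GB"}): 6800,
    frozenset({"KE", "US"}): 12500, frozenset({"GB", "US"}): 5500,
}
MAX_KMH = 1000                               # faster than any airliner


def country(gt: str) -> str:
    for prefix in sorted(COUNTRY_OF, key=len, reverse=True):   # longest match
        if gt.startswith(prefix):
            return COUNTRY_OF[prefix]
    return "??"


def screen(log_text: str) -> List[str]:
    """Return one alert line per suspicious record, in log order."""
    alerts: List[str] = []
    last_loc: Dict[str, Tuple[datetime, str]] = {}   # imsi -> (time, country)
    for row in csv.DictReader(StringIO(log_text)):
        ts = datetime.fromisoformat(row["ts"])
        op, origin, imsi = row["opcode"], row["origin_gt"], row["imsi"]
        foreign = not origin.startswith(HOME_PREFIX)
        partner = origin.startswith(PARTNER_PREFIXES)
        stamp = ts.strftime("%H:%M:%S")
        if op in CATEGORY_1 and foreign:
            alerts.append(f"{stamp} CAT1 {op} from foreign GT {origin} for {imsi}")
        elif op in CATEGORY_2 and foreign and not partner:
            alerts.append(f"{stamp} CAT2 {op} from non-partner GT {origin} for {imsi}")
        elif op == "UpdateLocation":
            here, problem = country(origin), None
            if foreign and not partner:
                problem = f"from non-partner GT {origin}"
            elif imsi in last_loc:
                prev_ts, prev_country = last_loc[imsi]
                hours = (ts - prev_ts).total_seconds() / 3600
                km = DISTANCE_KM.get(frozenset({here, prev_country}), 0)
                if hours > 0 and km / hours > MAX_KMH:
                    problem = f"{prev_country}->{here} implies {km / hours:.0f} km/h"
            if problem:
                alerts.append(f"{stamp} CAT3 UpdateLocation {problem} for {imsi}")
            else:
                last_loc[imsi] = (ts, here)     # only accepted registrations count
    return alerts


# Constructed records: a subscriber registered at home, then probed and
# "moved" to the UK within minutes by a GT in a partner range, plus an SRI-SM
# from a US GT that is not a partner at all.
SAMPLE_LOG = """ts,opcode,origin_gt,imsi
2016-04-18T08:00:00,UpdateLocation,256772000001,641100123456789
2016-04-18T08:05:00,SendRoutingInfoForSM,447700900123,641100123456789
2016-04-18T08:05:30,AnyTimeInterrogation,447700900123,641100123456789
2016-04-18T08:06:00,UpdateLocation,447700900123,641100123456789
2016-04-18T08:07:00,SendRoutingInfoForSM,12025550123,641100123456789
2016-04-18T12:00:00,UpdateLocation,254750000002,641100999999999
"""

if __name__ == "__main__":
    for line in screen(SAMPLE_LOG):
        print(line)
```

The SRI-SM from the partner-range GT at 08:05:00 is allowed through, which is the point of the categories: a partner's SMSC legitimately needs routing info, so the location probe (Category 1) and the impossible six-minute move to the UK (Category 3) are what give the attacker away, not the SRI-SM itself. A real deployment would also rate-limit SRI-SM per origin and correlate it with whether an MT-ForwardSM actually follows.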
Protecting from such hacks
Carriers are in no particular rush to deploy such systems, leaving subscribers wondering whether they are protected. Even if your home carrier has deployed protection, you cannot assume you are safe while roaming, since you are then served by a foreign network's MSC/VLR and whatever filtering it has.
Some operators and specialist "secure SIM" providers advertise the following protections for the SIM cards they issue:
- anonymous subscriber connection;
- hiding of the MSISDN and IMSI;
- unique firmware installed on the SIM card;
- random routing of voice traffic;
- the ability to substitute the outgoing caller number and alter the voice;
- a ban on transferring location data;
- no billing;
- calls within a closed group;
- virtual incoming numbers;
- secure Internet access.
Note that these are vendor features, not fixes to the signalling network itself; a subscriber cannot patch SS7. The practical defence for individuals is to stop relying on SMS for one-time passwords and use app-based or hardware second factors instead.