Signaling System No. 7 (SS7) is a series of telephony signaling protocols. Also known as CCS7 (Common Channel Signaling System 7) or CCIS7 (Common Channel Interoffice Signaling 7), this is a global network infrastructure for cellular phones.
In 1975, a series of protocols was developed to connect one cellular network to another cellular network to exchange information needed for reciprocal communication between calls and text messages, with the majority of Public Switched Telephone Networks (PSTNs) being made and damaged. ) phone calls and this is called SS7.
What Does an SS7 do?
- Routes calls and messages between different networks.
- Short Messaging Service (SMS)
- Out of Band Signaling
- Information Exchange functions (Dial Tone, Call-Waiting Tone, Voice Mail, etc)
- Switching from one Cell Tower to another.
- Prevents Call drops without the decrease in quality.
- Allows users to roam on another when traveling in a different location.
- Number Translation
- Local Number Portability
- Prepaid Billing
SS7 is used in as many as 800+ telecommunication companies around the world.
SS7 also Helps Banks in confirming the presence of their customer’s phone in a specific country to authorize their transactions and prevent fraudulent activities.
Exposure of the SS7 Attack
Security issues in SS7 were first discovered by researchers and demonstrated during the 2014 Chaos Communication Congress Hacker Conference in Hamburg, and were highlighted when Nohl monitored the external monitoring of a congressman in California from Berlin for 60 minutes CBS.
The issue then called for an investigation by the supervisory committee into the vulnerability.
The weakness in the design of SS7 is exploited by hackers, allowing them to steal data, become a listener, monitoring of user’s location and disrupting of user’s SMS messages.
This vulnerabilities only become visible after the third parties have given access to SS7 Design, which was based entirely on trust as a commercial offer. Cooperation with governmental governments creates a way for state surveillance and the greater exposure of the network design allows access by agencies in other countries as well as hackers.
Few people also claim that intelligence services such as NSA use the SS7 protocol for their surveillance activities.
With the presence of exploit tools available on the Internet, even citizens can track a victim easily by spending the amount as small as $300 and gaining some know-how from the Internet.
The Effects:
Anyone with a mobile phone can be vulnerable to the attack. The movements of the mobile phone users can be followed virtually from anywhere in the world and have a success rate of almost 70%.
It is a man-in-the-middle attack on mobile phone communications that exploits authentication in communication protocols running on top of SS7, even when the cellular networks use advanced encryption. It is as if the front door of your house is secured, but the tailgate is wide open.
The attacks are worrying by opening the door to mass surveillance activities. The attack undermines the privacy of billions of customers around the world. Those who are in the place of power can have the higher chances of targeting the risk.
How Can We Exploit This Vulnerability
Exploiting this vulnerabilities is something really easy and at the same time its hard, it depends on the level of your of networking and ethical hacking ideas.
Exploiting SS7 using a script Develpoed by Loay Rozak Called SigPLoit, SigPloit is a free source tool, in addition with an hardware named HackerRf which you can get on Amazon…
Also read: SigPloit – Telecom Signaling Exploitation Framework SS7, GTP, Diameter & SIP
Here is a visual demo of HackerRF On Linux
What Power Will The Hackers Gain?
Once an Hacker have access to the SS7 system, he or she can basically access the same amount of information and snooping capabilities as security services by using the same system used by the service providers to keep a constant service available and seamless delivery to make calls possible. and data.
They can:
- Forward Calls transparently
- Read Text Messages
- Listen to Phone Calls
- Track User’s Location
- Spoof the identity of victims using proxy features.
- Interception of 2-step verification security measure.
Hackers might access a wealth of subscriber’s information.
Measures That Should Be Taken
It is been said that prevention is better than cure. Here Are the measures to be taken
- Using of traditional SMS service:
People should better use encrypted messaging services like Messenger, WhatsApp or iMessage.
- Using Of a Non Default Call Service:
calls are to be made using voice over IP services like TrueCaller or FaceTime in iPhones and avoiding using the default call setup on device.
- Installation Of an App Called SnoopSnitch:
A tool called as SnoopSnitch was created to warn when a certain SS7 attack occurs and detect IMSI Catchers if any.
