Phone hacking through SS7 is frighteningly easy and effective

Imagine a world in which a low-budget hackers can track your every move, listen to your calls, read your texts, drain your bank account, and so on. All of this without leaving their rooms, and from a continent away. Imagine no more. Due to vulnerabilities in the SS7 protocol, this is the world in which you live right now.

A smartphone is not just a phone. You don’t use it just for making calls and receiving text messages. It is a small computer that keeps you connected with your family, friends and the world at large through numerous online services. But it is also a device with a camera and a microphone that you have next to you at all times. Turning this hardware into a surveillance tool is much easier and effective than you think.

According to telecommunications expert Dmitry Fedotov, to gain total control of someone’s phone, an attacker needs just the following:

• A computer
• A Linux OS
• A software development kit for SS7

What is SS7 and should it worry you?

The key part is the last three characters – SS7. Short for Signalling System 7, this is a communications protocol used by all mobile carriers and network across the world. Its purpose is to allow accurate billing for services performed by one operator’s network for another one’s client. It makes roaming possible, as well as calling and texting when you are not in the coverage of one of your carrier’s cell towers.

This protocol was introduced in the 1970s and – despite an update in 2000 to add IP networking – hasn’t changed much since. As you can guess, its security concepts are pretty outdated. Hence, why it is so easy to hack.

On the other hand, the protocol is ubiquitous and connects practically all networks around the globe. Hacking into SS7 gives attackers the same capabilities as mobile operators and intelligence agencies. And in terms of surveillance, they are considerable.

Mobile carriers have access to all the metadata and content of unencrypted communications that travel through their networks. They can also locate handsets – and the people using them – by monitoring what cell tower services a particular device at any moment. Because SS7 links different networks, it allows operators to do all of the above even to users currently outside the reach of their network.

SS7 attacks can be used to bypass encryption

You can see the implication of hackers and cybercriminals tapping into that kind of data. And this is exactly what is happening. With just your phone number (which is an easily obtainable piece of public information), someone who has hacked into SS7 can:

• Forward your calls and record or listen in to them
• Read SMS text messages sent between devices
• Track the location of a phone

What’s more worrying is that because SS7 allows attackers to read SMS messages, they can also bypass the end-to-end encryption provided by services such as WhatsApp, Telegram, Facebook, etc. This is possible due to an encryption workaround that uses a flaw in two-factor authentication.

For example, to log into Facebook on a new device, you need to fill in a password and a second code, which is sent to you via SMS. Because SS7 exploits allow reading such text messages, the attackers can obtain that code and log in with the user’s credentials. Using an identical approach, cybercriminals have been able to steal money from German banks.

To counter such attacks, you must first stop using regular calls and text messages, and opt for end-to-end encrypted chat and VoIP. Then, you might want to do away with regular telephony and SMS altogether – like we have done for Secure Phone. For more reliable two-factor authentication, you can use a token or an extra password, which is not sent to you via text, but through an encrypted channel.