SS7 Exploitation

(telecom-protocol vulnerability; commercial exploitation tools from various vendors)

The exploitation of Signalling System No. 7 (SS7), the signalling protocol suite developed by the CCITT (now ITU-T) from 1975 and first standardised in 1980, which interconnects mobile and fixed-line carriers worldwide, to intercept SMS messages and voice calls and to obtain subscriber location without compromising the target device. Its defining operational characteristic is the access requirement: SS7 messages can only be injected by a party with a signalling connection to the international interconnect, which means either licensed-carrier status or access bought, leased or borrowed through a carrier or reseller. The practical consequence is that SS7 exploitation has largely been the domain of state actors and well-funded commercial actors rather than individual criminals.

Overview

SS7 exploitation is one of the most significant infrastructure-level weaknesses in contemporary telecommunications that the public record documents. Any party with SS7 network access can query and manipulate the location, message-routing and call-routing state that the network holds for essentially any subscriber of any participating carrier. The consequence is that communications that are well protected at the device level (a hardened handset, a patched operating system) can still be intercepted at the network layer, against which the device has no defence and of which it receives no indication.

Three categories of SS7 access have been documented across the post-2010 period: licensed-carrier access, which every participating mobile and fixed-line carrier has by definition; state-actor access, obtained by signals-intelligence services either through cooperation with a domestic licensed carrier or by purchasing access outright; and grey-market access, in which commercial actors with sufficient resources buy SS7 connectivity from licensed carriers or from resellers (SMS hubs, interconnect providers, small operators in permissive jurisdictions). Access, not technique, is the barrier, which is what makes SS7 exploitation the domain of state and well-funded commercial actors. This distinguishes it from SIM-swap attacks, which go after the same assets (SMS second factors, calls, account recovery) but require only social engineering of a carrier's retail or support channel.

Origins / Development

SS7 was developed by the CCITT (the predecessor of the ITU Telecommunication Standardization Sector, ITU-T) from 1975 as the successor to the CCITT No. 6 signalling system, with the first recommendations (the Q.700 series) published in 1980. The context was the post-1970 expansion of automated long-distance switching across what was then a landscape of national monopoly carriers. The design assumption was that SS7 participants would be a small, known cohort of such carriers: AT&T in the United States before the 1984 divestiture, the Post Office and then British Telecom in the UK before its 1984 privatisation, Deutsche Bundespost (Deutsche Telekom AG from 1995) in Germany, and the equivalent national carrier in essentially every other participating jurisdiction.

The consequence of that assumption is that SS7 has no cryptographic authentication of message origin. The MAP, TCAP, SCCP and MTP layers carry addressing (point codes and global titles) but nothing that binds a message to the network that actually sent it; the calling-party address in an SCCP message is whatever the sender chose to write. Any SS7 participant therefore has de facto authority to issue queries and updates against any subscriber of any other participating carrier, an access model that was tolerable only while the set of participants was small and mutually trusting.

The subsequent expansion of SS7 participation eroded that trust relationship: the 1984 AT&T divestiture, the 1984 privatisation of British Telecom, telecom deregulation across essentially every developed economy in the 1990s, and the emergence of independent mobile carriers, MVNOs, SMS hubs and interconnect providers. The post-2010 landscape comprises roughly 800 mobile operators plus a long tail of hubs and resellers with signalling access, a far broader cohort than the design anticipated, and one in which the least careful participant sets the security level for everyone else.

The first public demonstration of SS7 exploitation was Tobias Engel's presentation Locating Mobile Phones using Signalling System #7 at the 25th Chaos Communication Congress (25C3) in December 2008, which showed that the protocol's location-query operations could be used to obtain the cell-level position of essentially any mobile subscriber worldwide, without the involvement of the subscriber's own carrier. Subsequent work through 2014, culminating in two separate presentations at 31C3 in December 2014 (Karsten Nohl's Mobile Self-Defense and Engel's SS7: Locate. Track. Manipulate.), established the comprehensive public documentation of SS7 exploitation: location tracking, SMS interception, call interception and subscriber-profile manipulation.

Operational characteristics

The published record since 2008 documents the following operational patterns. All of them start from the target's MSISDN (phone number), and all rely on the fact that no MAP operation checks who is asking.

Subscriber-location query

The attacker obtains the target's current cell. The textbook operation is a MAP AnyTimeInterrogation (ATI) sent to the target's home location register (HLR), which asks the serving VLR for the subscriber's location and returns it. ATI has been widely blocked at the interconnect since the early demonstrations, so the pattern actually used is two-step: a SendRoutingInfoForSM (SRI-SM), nominally an SMS-routing query, returns the target's IMSI and the global title of the MSC/VLR currently serving them; a ProvideSubscriberInfo (PSI) sent directly to that VLR then returns the Cell Global Identity (MCC, MNC, location area code, cell ID), which the attacker resolves to coordinates with a commercial or crowd-sourced cell database. Precision is therefore the cell size: a few hundred metres in dense urban areas, kilometres in rural ones. Nothing reaches the handset, so the subscriber has no indication that the query was ever issued.

SMS-interception via SMS routing redirection

The attacker reroutes the target's incoming SMS. Having obtained the IMSI, the attacker sends a MAP UpdateLocation to the target's HLR reporting that the subscriber has just registered at an attacker-controlled MSC/VLR, that is, has roamed, although the handset has not moved. The HLR accepts the update, sends CancelLocation to the real VLR and InsertSubscriberData to the attacker's node. From then on, when the SMSC asks the HLR where to deliver a message (SRI-SM), it is told the attacker's MSC, and the MT-ForwardSM carrying the message goes to the attacker instead of the subscriber; the attacker usually re-registers the target at the real VLR afterwards to keep the window short. In practice this is aimed at SMS-delivered second factors and transaction codes: every SMS-2FA-secured account the target holds, including online banking that uses SMS TANs, is exposed for the duration of the hijack. The one observable side effect is that the handset has been detached from its real VLR, so the target may briefly lose service.

Voice-call interception via call-forwarding manipulation

The pattern is analogous to SMS redirection but manipulates supplementary services rather than location. The attacker sends a MAP RegisterSS to the target's HLR activating call forwarding (unconditional, or on busy/no-reply) to an attacker-controlled number. Incoming calls to the target are then delivered to the attacker, who bridges them onward to the intended recipient, usually through a conferencing or call-relay setup, so that both parties hear each other and the interception is not apparent. A variant shown in the 2014 research uses InsertSubscriberData to point the subscriber's CAMEL profile at an attacker-controlled service control function, which then sees every call setup. Unlike the location and SMS patterns, unconditional call forwarding is visible to an attentive subscriber: it appears in the handset's forwarding settings and in the reply to the *#21# interrogation code.
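The three exchanges above, as an added illustration that is not code from the original page or from any real SS7 implementation: the HLR, VLR, SMSC and attacker node are toy in-memory objects, the global titles, IMSI, MSISDN, cell identity and SMS text are constructed sample values, and each MAP operation is a Python method call rather than an encoded TCAP/SCCP message. What it shows that the prose does not is the dependency order (the IMSI from SRI-SM feeds everything else), the CancelLocation side effect on the real VLR, and the TBCD decoding of the Cell Global Identity that ProvideSubscriberInfo returns.

```python
"""Toy model of the three MAP exchanges described above: location query,
SMS redirection via UpdateLocation, and call-forwarding via RegisterSS.
Added illustration, not code from the page or from any real SS7 stack: nodes
are in-memory objects addressed by constructed global titles (GTs), and each
MAP operation is a method call rather than a TCAP/SCCP PDU."""
from dataclasses import dataclass


def decode_cgi(octets: bytes):
    """Decode a 7-octet MAP Cell Global Identity: MCC/MNC as TBCD in three
    octets (0xF fills the third MNC digit when absent), then LAC and CI."""
    if len(octets) != 7:
        raise ValueError("CGI must be 7 octets")
    lo = [b & 0x0F for b in octets[:3]]
    hi = [b >> 4 for b in octets[:3]]
    mcc = f"{lo[0]}{hi[0]}{lo[1]}"
    mnc = f"{lo[2]}{hi[2]}" + ("" if hi[1] == 0xF else str(hi[1]))
    lac, ci = int.from_bytes(octets[3:5], "big"), int.from_bytes(octets[5:7], "big")
    return mcc, mnc, lac, ci


@dataclass
class Subscriber:
    imsi: str
    msisdn: str
    vlr_gt: str     # GT of the MSC/VLR currently serving the subscriber
    cfu: str = ""   # call-forwarding-unconditional target, if registered


class Network:
    """SCCP global-title routing: a message reaches whichever node owns the
    destination GT. No check on the calling party is modelled, which is the
    SS7 trust assumption the attacks rely on."""
    def __init__(self):
        self.nodes = {}

    def send(self, dest_gt, op, payload):
        self.nodes[dest_gt].received.append((op, payload))


class Node:
    def __init__(self, gt, net):
        self.gt, self.net, self.received = gt, net, []
        net.nodes[gt] = self


class HLR(Node):
    def __init__(self, gt, net):
        super().__init__(gt, net)
        self.subs = {}  # imsi -> Subscriber

    def by_msisdn(self, msisdn):
        return next(s for s in self.subs.values() if s.msisdn == msisdn)

    def send_routing_info_for_sm(self, msisdn):
        # SRI-SM exists for SMSCs, but it also hands an attacker the IMSI and serving MSC
        s = self.by_msisdn(msisdn)
        return s.imsi, s.vlr_gt

    def update_location(self, imsi, new_vlr_gt):
        # UL: "the subscriber has registered at new_vlr_gt" is accepted on trust
        s = self.subs[imsi]
        old, s.vlr_gt = s.vlr_gt, new_vlr_gt
        self.net.send(old, "CancelLocation", imsi)   # the real VLR drops the subscriber
        self.net.send(new_vlr_gt, "InsertSubscriberData", {"imsi": imsi, "msisdn": s.msisdn})

    def register_ss(self, imsi, ss_code, forward_to):
        if ss_code == "CFU":
            self.subs[imsi].cfu = forward_to

    def send_routing_info(self, msisdn):
        # SRI for a terminating call: an active forwarding wins over the roaming number
        s = self.by_msisdn(msisdn)
        return s.cfu or f"MSRN@{s.vlr_gt}"


class VLR(Node):
    def __init__(self, gt, net, cells):
        super().__init__(gt, net)
        self.cells = cells  # imsi -> last known CGI (7 octets)

    def provide_subscriber_info(self, imsi):
        return self.cells[imsi]


class SMSC(Node):
    def deliver(self, hlr, msisdn, text):
        imsi, msc_gt = hlr.send_routing_info_for_sm(msisdn)
        self.net.send(msc_gt, "MT-ForwardSM", {"imsi": imsi, "text": text})
        return msc_gt


def run_attack():
    """Run the three patterns against a constructed subscriber; return the attacker's take."""
    net = Network()
    hlr = HLR("491770000001", net)
    victim = Subscriber("262011234567890", "4917612345678", "491770000099")
    hlr.subs[victim.imsi] = victim
    # constructed cell: MCC 262 / MNC 01 (TBCD 62 F2 10), LAC 0x1234, CI 0x5678
    VLR("491770000099", net, {victim.imsi: bytes.fromhex("62f210" "1234" "5678")})
    smsc = SMSC("491770000002", net)
    attacker = Node("20799990001", net)   # attacker-controlled "MSC/VLR" GT (constructed)
    out = {}
    # 1. Location: SRI-SM yields IMSI + serving VLR, then PSI straight to that VLR
    imsi, vlr_gt = hlr.send_routing_info_for_sm(victim.msisdn)
    out["location"] = decode_cgi(net.nodes[vlr_gt].provide_subscriber_info(imsi))
    # 2. SMS: forged UpdateLocation, then the SMSC delivers the next SMS to the attacker
    hlr.update_location(imsi, attacker.gt)
    smsc.deliver(hlr, victim.msisdn, "Your bank TAN is 482913")   # constructed message
    out["sms"] = [p["text"] for op, p in attacker.received if op == "MT-ForwardSM"]
    # 3. Voice: RegisterSS sets CFU, so the GMSC's SRI now returns the attacker's number
    hlr.register_ss(imsi, "CFU", "+447700900123")
    out["call_routed_to"] = hlr.send_routing_info(victim.msisdn)
    return out


if __name__ == "__main__":
    print(run_attack())
```

Running it prints the decoded cell, the captured TAN and the forwarded call destination. Note where the damage is done: the HLR never asks whether the node claiming to be the new VLR has any relationship with the subscriber's home network, and the SMSC's routing query is answered from that poisoned state.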

Documented operational deployments

Confirmed: Tobias Engel, 25C3 (December 2008). Engel's presentation Locating Mobile Phones using Signalling System #7 on 27 December 2008 at 25C3 in Berlin was the first public demonstration that SS7 exploitation was operationally viable, and it started the sustained research and press attention that followed.

Confirmed: Karsten Nohl and Tobias Engel, 31C3 (December 2014). In separate presentations at 31C3 in Hamburg, Nohl (Security Research Labs, Berlin) with Mobile Self-Defense and Engel with SS7: Locate. Track. Manipulate. demonstrated comprehensive exploitation against live German mobile networks: location tracking, SMS interception and voice-call interception, with nothing more than the subscriber's MSISDN as the starting point.

Confirmed: Telefónica Germany (O2) banking fraud (2017). In an incident disclosed in May 2017, attackers who had obtained SS7 access through a foreign carrier used UpdateLocation-based SMS redirection against Telefónica Germany customers to capture mobile TANs and authorise fraudulent bank transfers; the reporting put the number of affected accounts at approximately 200. It remains the best-documented criminal (as opposed to intelligence) deployment of SS7 exploitation against ordinary subscribers, and it reproduced almost exactly the attack shown at 31C3 two and a half years earlier.

Confirmed: US federal acknowledgement (2017). The Department of Homeland Security's Study on Mobile Device Security, delivered to Congress in April 2017, identified SS7 exploitation as a significant threat to government and consumer mobile communications, and the FCC's Communications Security, Reliability, and Interoperability Council (CSRIC) Working Group 10 published its report on SS7 risk reduction in March 2017. Together these constitute the federal-regulatory acknowledgement that the vulnerability was operationally significant. In the same year NIST SP 800-63B restricted the use of SMS as an out-of-band authenticator, citing the risk that messages can be intercepted or redirected.

Alleged: commercial tracking services (ongoing). Commercial services advertising location tracking, SMS interception and call monitoring by phone number have operated throughout the post-2010 period and, where their methods have been exposed, rely on SS7 access leased from small operators or resellers. Public reporting includes the Bureau of Investigative Journalism's December 2020 investigation into SS7 access obtained through a Channel Islands operator, Wall Street Journal reporting on Israel- and Switzerland-based vendors, and further cases since. Attribution in this category is alleged rather than confirmed: the providers do not acknowledge the technique, and the evidence is journalistic.

Responses

The response to the post-2008 disclosures has run along three tracks.

Diameter protocol deployment as SS7 successor

Diameter is the signalling protocol of the 4G (LTE) core network and the functional successor to MAP over SS7 for subscriber management. Unlike SS7 it runs over IP and can be protected at the transport layer with IPsec or TLS, so a Diameter interconnect can in principle authenticate its peers. Three caveats apply. First, transport security authenticates the adjacent hop, not the originating network; on the IPX interconnect, where traffic passes through intermediaries, it is frequently not deployed at all, and researchers have reproduced the SS7 attack patterns (location disclosure, SMS redirection, denial of service) over Diameter. Second, 4G networks keep SS7 interworking for 2G/3G roaming, circuit-switched fallback and legacy SMS delivery, so a subscriber remains exposed to SS7 attacks for as long as any part of their service still touches it. Third, the 5G core moves to HTTP/2 over TLS with a security edge protection proxy (SEPP) at the roaming border, which is a genuine architectural fix, but only for traffic that stays on 5G end to end.

Carrier institutional firewall deployment

SS7 firewalls filter interconnect traffic against rules that distinguish legitimate roaming signalling from suspicious requests. The reference model is the GSMA's FS.11 guideline, which sorts MAP operations into three categories: messages that have no legitimate reason to cross the interconnect at all (for instance AnyTimeInterrogation), which are dropped; messages that are legitimate only when they concern an inbound roamer and come from that roamer's home network (ProvideSubscriberInfo, InsertSubscriberData, CancelLocation), which are checked against the IMSI's home network; and messages that change a subscriber's registration state (UpdateLocation, SendAuthenticationInfo, RegisterSS), which are accepted only from roaming partners and subjected to location and velocity plausibility checks. Firewalls have constrained but not eliminated SS7 exploitation: they depend on correct partner lists, they are weakest when the attacker's access is itself a legitimate roaming partner, and they are deployed unevenly. Major US, European and Asian carriers had significant SS7 firewall infrastructure in place by around 2018; many smaller operators still do not.
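A simplified interconnect firewall run over a constructed message log, as an added example modelled on the FS.11 categories described above (not code from the page, from the GSMA, or from any vendor product): the home network prefix, partner list, country centroids, velocity threshold and every log line are assumptions chosen for illustration, and real products keep far richer state (HLR consistency checks, SCCP/MAP cross-checks, per-partner whitelists). It shows how each of the three attack patterns from the operational section is caught: the ATI by category, the foreign PSI on a home subscriber by the category-2 home-network check, and the forged UpdateLocation by the partner list or the velocity check.

```python
"""Simplified SS7 interconnect firewall modelled on the GSMA FS.11 message
categories. Added example: not the page's code, not the GSMA's, not a vendor
product. All prefixes, partner lists, centroids and log lines are constructed."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

HOME_MCC = "262"
HOME_GT_PREFIX = "49177"                      # constructed: the home network's own nodes
CC_COUNTRY = {"49": "DE", "33": "FR", "44": "GB", "7": "RU"}   # E.164 country code -> ISO
MCC_COUNTRY = {"262": "DE", "208": "FR", "234": "GB", "250": "RU"}
ROAMING_PARTNERS = {"FR", "GB"}               # constructed partner list; RU deliberately absent
CENTROID = {"DE": (51.2, 10.4), "FR": (46.2, 2.2), "GB": (54.0, -2.0), "RU": (61.5, 105.3)}
MAX_KMH = 1000.0                              # faster than any airliner: treat as forged

CAT1 = {"AnyTimeInterrogation", "AnyTimeModification", "SendIMSI", "SendParameters"}
CAT2 = {"ProvideSubscriberInfo", "ProvideRoamingNumber", "InsertSubscriberData", "CancelLocation"}
CAT3 = {"UpdateLocation", "UpdateGprsLocation", "SendAuthenticationInfo", "RegisterSS", "EraseSS"}


@dataclass
class Msg:
    ts: float        # seconds since start of the capture
    origin_gt: str   # SCCP calling-party global title (unauthenticated, attacker-chosen)
    op: str          # MAP operation name
    imsi: str


def country_of_gt(gt):
    """Longest-prefix match of the GT's E.164 country code."""
    for n in (3, 2, 1):
        if gt[:n] in CC_COUNTRY:
            return CC_COUNTRY[gt[:n]]
    return None


def km(a, b):
    """Great-circle distance between two (lat, lon) points given in degrees."""
    la1, lo1 = map(radians, a)
    la2, lo2 = map(radians, b)
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


class Ss7Firewall:
    def __init__(self):
        self.last_seen = {}   # imsi -> (country, ts) of the last accepted Category 3 message

    def evaluate(self, m):
        if m.origin_gt.startswith(HOME_GT_PREFIX):
            return "allow", "home network origin"
        src = country_of_gt(m.origin_gt)
        if m.op in CAT1:
            return "block", "cat1: intra-network operation received over the interconnect"
        if m.op in CAT2:
            # legitimate only about an inbound roamer, and only from that roamer's home network
            if m.imsi.startswith(HOME_MCC) or MCC_COUNTRY.get(m.imsi[:3]) != src:
                return "block", f"cat2: {src} is not the home network of IMSI {m.imsi[:3]}..."
            return "allow", "cat2: from the roamer's home network"
        if m.op in CAT3:
            if src not in ROAMING_PARTNERS:
                return "block", f"cat3: {src} is not a roaming partner"
            prev = self.last_seen.get(m.imsi)
            if prev:
                prev_country, prev_ts = prev
                hours = max(m.ts - prev_ts, 1.0) / 3600
                speed = km(CENTROID[prev_country], CENTROID[src]) / hours
                if speed > MAX_KMH:
                    return "block", f"cat3: implausible {speed:.0f} km/h {prev_country}->{src}"
            self.last_seen[m.imsi] = (src, m.ts)
            return "allow", "cat3: location plausible"
        return "allow", "uncategorised operation"


VICTIM = "262011234567890"   # constructed home subscriber
ROAMER = "208011234567890"   # constructed French subscriber roaming in the home network
SAMPLE_LOG = [               # constructed capture, in time order
    Msg(0, "33612000001", "UpdateLocation", VICTIM),            # genuine roaming in FR
    Msg(60, "33612000001", "AnyTimeInterrogation", VICTIM),     # location probe
    Msg(120, "79160000001", "UpdateLocation", VICTIM),          # hijack from a non-partner
    Msg(180, "44780000001", "UpdateLocation", VICTIM),          # partner GT, but FR->GB in 3 min
    Msg(240, "33612000001", "ProvideSubscriberInfo", ROAMER),   # French HLR about its roamer
    Msg(300, "44780000001", "ProvideSubscriberInfo", ROAMER),   # GB network has no business here
    Msg(360, "33612000001", "ProvideSubscriberInfo", VICTIM),   # foreign query on a home subscriber
    Msg(20000, "44780000001", "RegisterSS", VICTIM),            # FR->GB after 5.5 h: plausible
]


def run_sample():
    fw = Ss7Firewall()
    return [fw.evaluate(m) for m in SAMPLE_LOG]


if __name__ == "__main__":
    for m, (verdict, why) in zip(SAMPLE_LOG, run_sample()):
        print(f"{m.ts:>6.0f} {m.op:<22} {m.origin_gt:<13} {verdict:<5} {why}")
```

The last line of the log is the caveat in code: a RegisterSS from a partner network at a plausible time looks exactly like a roaming subscriber changing their forwarding, so it passes. Plausibility rules narrow the window for the SMS and location patterns but do not close the call-forwarding pattern on their own, which is why carriers pair them with per-partner allow-lists and HLR-side checks on which VLR the subscriber is actually registered at.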

Federal-regulatory institutional engagement

Regulatory engagement in the United States has been continuous but has not yet produced a binding mandate: the 2017 CSRIC Working Group 10 report recommended, rather than required, signalling firewalls and interconnect monitoring, and the FCC has since revisited SS7 and Diameter security in later CSRIC work and in its 5G-security proceedings. The open question is how an interconnect that no single carrier can retire unilaterally is to be secured: SS7 connectivity will persist for as long as 2G/3G roaming and legacy SMS delivery do, and until then every subscriber is exposed through whichever participant is least well defended.

Sources & Further Reading

  1. Tobias Engel, Locating Mobile Phones using Signalling System #7, 25C3 (25th Chaos Communication Congress), Berlin, 27 December 2008. The first public demonstration.
  2. Karsten Nohl, Mobile Self-Defense, and Tobias Engel, SS7: Locate. Track. Manipulate., both 31C3 (31st Chaos Communication Congress), Hamburg, December 2014. The comprehensive 2014 demonstrations.
  3. Christoph Sorge et al., Bedrohungspotenzial der Diameter Protokoll-Suite für 4G-Netze (Threat potential of the Diameter protocol suite for 4G networks), Federal Office for Information Security (BSI), 2014. German comparison of SS7 and Diameter exposure.
  4. FCC Communications Security, Reliability, and Interoperability Council (CSRIC V), Working Group 10, Legacy Systems Risk Reductions, final report, March 2017.
  5. Sebastian Stäuble, Krishna Kumar, and Stefan Schmid, Insecurity in the Telephone Network: Eavesdropping on Phone Calls and SMS, Communications of the ACM, December 2017.
  6. P1 Security, SS7map: a mapping of the worldwide SS7 network, ongoing research project.
  7. Joseph Cox, I Gave a Bounty Hunter $300. Then He Located Our Phone, Motherboard, January 2019. Concerns US carriers' resale of location data through aggregators rather than SS7 access as such, but documents the same commercial tracking market.
  8. Department of Homeland Security, Study on Mobile Device Security, report to Congress, April 2017.
  9. Susan Landau, Listening In: Cybersecurity in an Insecure Age, Yale University Press, 2017. Chapters on SS7 and on interception.
  10. GSMA, FS.11 SS7 Interconnect Security Monitoring and Firewall Guidelines.