The Cellular company networks are using the most advanced encryption now available, but still it is vilnerable. This flaw was reported at a hacker conference in Hamburg at this month.
The Researchers are actually functions built into SS7 for other purposes such as keeping calls connected as users speed down highways, switching from cell tower to cell tower that hackers can repurpose for surveillance because of the lax security on the network.
Those skilled at the myriad functions built into SS7 can locate callers anywhere in the world, listen to calls as they happen or record hundreds of encrypted calls and texts at a time for later decryption.
These vulnerabilities continue to exist even as cellular carriers invest billions of dollars to upgrade to advanced 3G technology aimed, in part, at securing communications against unauthorized eavesdropping.
But even as individual carriers harden their systems, they still must communicate with each other over SS7, leaving them open to any of thousands of companies worldwide with access to the network.
The researchers found two distinct ways to eavesdrop on calls using SS7 technology.
In the first, commands sent over SS7 could be used to hijack a cell phone’s “forwarding” function a service offered by many carriers. Hackers would redirect calls to themselves, for listening or recording, and then onward to the intended recipient of a call. Once that system was in place, the hackers could eavesdrop on all incoming and outgoing calls indefinitely, from anywhere in the world.
The second technique requires physical proximity but could be deployed on a much wider scale. Hackers would use radio antennas to collect all the calls and texts passing through the airwaves in an area. For calls or texts transmitted using strong encryption, such as is commonly used for advanced 3G connections, hackers could request through SS7 that each caller’s carrier release a temporary encryption key to unlock the communication after it has been recorded.
The researchers did not find evidence that their latest discoveries, which allow for the interception of calls and texts, have been marketed to governments on a widespread basis.
The researchers also found that it was possible to use SS7 to learn the phone numbers of people whose cellular signals are collected using surveillance devices.
The calls transmit a temporary identification number which, by sending SS7 queries, can lead to the discovery of the phone number. That allows location tracking within a certain area, such as near government buildings.
Other German researchers Tobias Engel says, “It’s like you secure the front door of the house, but the back door is wide open”.
