A massive security hole in modern telecommunications is exposing billions of mobile phone users around the world to covert theft of their data, bugging of their voice calls and tracking of their location.
Hackers, fraudsters, rogue governments and unscrupulous commercial operators, working through hundreds of online portals, are exploiting vulnerabilities in Signalling System No. 7 (SS7), the signalling protocol suite that connects the world's phone networks.
German hackers working from Berlin were able to intercept and record a mobile phone conversation between 60 Minutes reporter Ross Coulthart in the UK and the Australian senator Nick Xenophon in Australia’s Parliament House.
The Berlin hackers from SR Labs were also able to intercept and read the senator's SMS messages sent from Australia to Coulthart in London, and to monitor the senator's movements as he travelled to Japan on official business, tracking him around Tokyo and Narita, and later around the streets near his South Australian home.
Calls for public enquiry
Xenophon, who agreed to take part in the hacking demonstration, called for an immediate full public inquiry into SS7.
"This is actually quite shocking because it affects everyone. It means anyone with a mobile phone can be hacked, can be bugged, can be harassed. The implications of it are enormous and what we find is shocking is that the security services, the intelligence services, they know about this vulnerability," he told 60 Minutes.
The German hacker behind the hacking demonstration, SR Labs' Luca Melette, added: "This is quite shocking for me also that SS7 is not secure."
It was another German hacker, Tobias Engel, who first warned of the SS7 location-tracking weakness at a Chaos Computer Club conference in 2008, and who demonstrated a complete tracking and interception attack at the same conference in Germany in December 2014.
Weaknesses in mobile phone signaling system
SS7 is the signalling system that carries call set-up, SMS routing and roaming information between phone companies; it is what lets a mobile phone roam from one country to another. Under international roaming agreements a home network must answer signalling requests about its subscribers from other networks automatically, and SS7 has no way of authenticating who sent a request: any party with signalling access to the interconnect is trusted.
A single SS7 lookup on a phone number returns the subscriber's IMSI (the unique identity stored on the SIM, on which every later query is keyed) and the address of the switch currently serving the handset. Further queries reveal whether the subscriber is allowed to roam internationally, what kind of account they use and, perhaps most disturbingly of all, through an Any Time Interrogation (ATI) request, the identity of the mobile phone tower to which the phone is currently connected.
Using this information, a determined hacker with SS7 access can listen in to a mobile phone conversation by rewriting the target's call-forwarding settings so that calls are diverted to an online recording device and then passed on to the intended recipient, a man-in-the-middle attack that neither party can detect. The cell identity returned by the location queries can be plotted on an application such as Google Maps to geo-track the phone user's movements.
SS7 attacks 'a reality'
Historically, only large telecommunications providers were allowed to query SS7 for subscriber data, but in recent years voice over IP providers, smaller phone companies and numerous third-party SMS messaging services have gained access too. There are also fears that some providers with SS7 access are illicitly sub-leasing their portals to third parties.
The global body representing mobile network operators, the GSM Association (GSMA), lists 800 members from 220 countries with full authority to run mobile phone networks, including access to the SS7 signalling system with its gaping security flaw.
Those GSMA members include mobile phone providers from many poor, unstable and war-stricken nations, including Iraq, Syria and Afghanistan, countries with ongoing insurgencies. This raises the possibility that terrorists or criminals who seize a local phone company with SS7 access could misuse it to cause havoc or commit crimes across the global telecommunications system.
60 Minutes is aware of a recent analysis carried out by a French telco which revealed a huge spike in SS7 queries from Africa and the Middle East, far exceeding the number of its subscribers roaming in those regions. This suggests the Any Time Interrogation (ATI) queries for subscriber information and location were being made for illicit purposes such as espionage or criminal fraud.
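The two kinds of check described above (which SS7 operations should never arrive from another operator at all, and query volume from a region compared with the number of subscribers actually roaming there) can be expressed as a small screening routine. The following Python is an added illustration, not code from 60 Minutes, the French telco, SRLabs or GSMK. The operation categories are a simplified reading of interconnect-screening practice, the HOME country, the 10x volume threshold, the operator code "ZZ" and every record are assumptions constructed for the example.

```python
"""SS7 interconnect screening, added as a worked example (not the article's,
SRLabs' or GSMK's code).  Records are constructed sample data; the MAP
operation categories, HOME country and VOLUME_FACTOR are assumptions."""
from collections import Counter

HOME = "AU"            # assumed: country of the network whose HLR/VLR we protect
VOLUME_FACTOR = 10     # assumed: queries > 10 x roamers counts as "far exceeds"

# Category 1 (assumed): sent only inside the subscriber's own network, from a
# service node to the HLR.  Any copy arriving over the interconnect is hostile.
HOME_ONLY = {"AnyTimeInterrogation", "AnyTimeModification"}

# Category 2 (assumed): sent only by the home network (HLR) of the subscriber
# named in the message, to whatever VLR is serving that subscriber.  An
# attacker sends them to the victim's VLR while impersonating that HLR.
SUBSCRIBER_HOME_ONLY = {"ProvideSubscriberInfo", "ProvideSubscriberLocation",
                        "InsertSubscriberData", "CancelLocation"}

# Operations whose response reveals where a subscriber is; counted for the
# per-country volume check.  SendRoutingInfoForSM may legitimately come from
# any network's SMS centre, so it is counted but not rejected outright.
LOCATION_QUERIES = HOME_ONLY | {"ProvideSubscriberInfo",
                                "ProvideSubscriberLocation",
                                "SendRoutingInfoForSM"}


def screen(records, roamers_by_country):
    """Return a list of (reason, detail) alerts.

    record fields (all constructed for this example):
      origin   - country of the network whose global title sent the message
      op       - MAP operation name
      imsi     - subscriber the message is about
      sub_home - country of that subscriber's home network (derived from IMSI)
    roamers_by_country: {country: number of HOME subscribers roaming there},
    as the HLR would know from its current VLR registrations.
    """
    alerts = []
    per_country = Counter()
    for r in records:
        if r["origin"] == HOME:
            continue                     # internal signalling is not screened here
        if r["op"] in LOCATION_QUERIES:
            per_country[r["origin"]] += 1
        if r["op"] in HOME_ONLY:
            alerts.append(("home-only operation received from foreign network", r))
        elif r["op"] in SUBSCRIBER_HOME_ONLY and r["origin"] != r["sub_home"]:
            alerts.append(("operation not sent by subscriber's home network", r))
    # Volume check: far more location queries from a country than we have
    # subscribers roaming there is the pattern the French telco analysis saw.
    for country, n in sorted(per_country.items()):
        roamers = roamers_by_country.get(country, 0)
        if n > VOLUME_FACTOR * max(roamers, 1):
            alerts.append(("location queries far exceed roaming population",
                           {"origin": country, "queries": n, "roamers": roamers}))
    return alerts


# Constructed sample: one AU subscriber in Japan, three in Germany, none in "ZZ"
# (a user-assigned code standing in for an unknown operator).
SAMPLE_ROAMERS = {"JP": 1, "DE": 3}

SAMPLE_RECORDS = [
    # AU subscriber roaming in Japan: normal registration, then our HLR provisions it
    {"origin": "JP", "op": "UpdateLocation",        "imsi": "505010000000001", "sub_home": "AU"},
    {"origin": "AU", "op": "InsertSubscriberData",  "imsi": "505010000000001", "sub_home": "AU"},
    # German subscriber roaming in AU: her home HLR may legitimately query our VLR
    {"origin": "DE", "op": "ProvideSubscriberInfo", "imsi": "262010000000007", "sub_home": "DE"},
    # SMS delivery lookup from a UK SMS centre: allowed, but counted
    {"origin": "GB", "op": "SendRoutingInfoForSM",  "imsi": "505010000000002", "sub_home": "AU"},
    # Attack traffic from "ZZ", which has no AU roamers at all
    {"origin": "ZZ", "op": "AnyTimeInterrogation",  "imsi": "505010000000003", "sub_home": "AU"},
    {"origin": "ZZ", "op": "ProvideSubscriberInfo", "imsi": "505010000000003", "sub_home": "AU"},
] + [
    {"origin": "ZZ", "op": "SendRoutingInfoForSM",
     "imsi": "5050100000000%02d" % i, "sub_home": "AU"}
    for i in range(12)
]


def demo():
    """Run the screen over the constructed sample; returns the alert list."""
    return screen(SAMPLE_RECORDS, SAMPLE_ROAMERS)


if __name__ == "__main__":
    for reason, detail in demo():
        print(reason, detail)
```

On the sample, the Japanese registration, the German HLR's query about its own roamer and the single UK SMS lookup pass; the two "ZZ" messages are rejected individually, and the twelve SMS-routing lookups from "ZZ", which would each be allowed on their own, trip the volume check because "ZZ" has no Australian roamers to justify them. A real screen would key the volume check on global title rather than country and would add velocity checks on UpdateLocation, which this example leaves out.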
"SS7 attacks are a reality," a telecommunications conference was recently told.
Surveillance systems on sale
In August 2014, the Washington Post published a story alleging that makers of surveillance systems are offering government and other clients around the world access to SS7 to track the movements of anyone who carries a cell phone, a use that goes far beyond the original intentions of the system and which raises substantial privacy and commercial espionage concerns.
It is no revelation, of course, that intelligence agencies such as the US National Security Agency (NSA) or the Australian Signals Directorate (ASD), part of the so-called Five Eyes communications spying alliance, have such powers. But the story raised legitimate concerns at the time that a rogue government could use an SS7 portal to track political dissidents or to gather economic intelligence on a competitor country.
What the story did not detail was that SS7 access can also allow remote bugging of any mobile phone user’s calls, which is the hack 60 Minutes has now demonstrated is possible.
What the phone companies say:
60 Minutes approached Australia’s major telecommunications companies – Telstra, Vodafone and Optus – for comment.
• Telstra takes the security and privacy of our customers seriously, constantly monitoring our networks for suspicious activity. Where Telstra detects malicious network activity we act quickly to address any impact on the privacy of our customers and to maintain the security of our networks.
• SS7 is a protocol used by telecommunication providers to direct calls and text messages between providers. Like any protocol, SS7 is vulnerable to exploitation by sophisticated and well-funded third parties with criminal intentions. In recognition of this we have network monitoring in place, not just with reference to SS7, and where we detect unusual or suspected illegal activity, we take action and report this to the relevant authorities where appropriate.
• Where we detect suspected illegal activity on our mobile network, for which we constantly monitor, we report the suspected illegal activity to the Australian Federal Police for investigation as part of our consistent practice. Unlawful access to our network and interception of customer calls is illegal and there is legislation in place which prohibits possession of the equipment for, and the undertaking of, unlawful interception.
• Telstra won't speculate on the alleged capabilities or intentions of foreign intelligence agencies or national security services.
• Optus takes privacy very seriously, however we don’t comment on security matters in detail. As a provider of national telecommunications infrastructure, Optus takes its responsibility for network and information security seriously. We regularly liaise with law enforcement and national security agencies, and review our systems to assess risks and ensure the integrity of our security processes and information.
• The protection of our customers’ personal data and information is our highest priority. At Vodafone, we have security measures in place to protect our customers against unauthorised access to customer communications or data.
• We are continually reviewing and upgrading our systems and processes, including using global best practice to minimise the possibility of any unauthorised access. Vodafone is fully aware of its legal responsibilities to protect customer communications and data, and complies with those obligations.
• We are not aware of any use of SS7 signalling to gain unauthorised access to Vodafone customer communications or data.
One of the companies offering commercial access to SS7 for the purpose of location tracking is Verint, based in New York, with offices across the world, including Australia. 60 Minutes has obtained a copy of Verint’s confidential brochure for a product named SkyLock, a cellular tracking system, with the subtitled catchphrase: "Locate. Track. Manipulate."
Verint pledges in its marketing material that it does not use SkyLock against US or Israeli phone users but its marketing pitch does not exclude the possibility that it is offering access to Australian phone subscriber data to its clients.
If those clients have access to SS7’s ATI query capacity then there would be nothing stopping them from using SS7 to query the details and to track phone subscribers anywhere in the world.
Australian Federal Government procurement records show Verint's Australian office provided $795,000 of software, computer services, and software maintenance and support to the Australian Crime Commission from 2005 to 2012.
Verint did not respond to questions from 60 Minutes asking whether they had sold SkyLock to Australian customers or whether there were any protections to stop SkyLock customers from misusing the system for illicit purposes such as corporate espionage or fraud.
Evidence NSA is using SS7
It has long been speculated in security industry circles that the reason countries like the UK, US and Australia have not rushed to ensure the SS7 vulnerability is fixed is that the location tracking and call bugging capability has been widely exploited by their own intelligence services for espionage.
In December 2013, an Australian newspaper detailed how documents leaked by NSA whistleblower Edward Snowden revealed that in 2009 Australia's then Defence Signals Directorate, now ASD, had targeted the mobile phone of Kristiani Herawati, the wife of the then Indonesian president Susilo Bambang Yudhoyono.
How that bugging was done has never been explained, but the use, or misuse perhaps, of SS7 is the most likely explanation. A simple query of the signalling system would have provided the Indonesian first lady's IMSI and the switch serving her phone, enabling location tracking and the diversion of her calls to a recording device.
Rogue cell towers widely used by criminals
The 60 Minutes investigation also revealed how, using a GSMK Cryptophone, the program detected international mobile subscriber identity (IMSI) catchers, or rogue cell towers, in use in Australia. The Cryptophone has a baseband firewall that detects when a rogue cell tower is trying to force the phone to connect to it, and it warns if the IMSI catcher is attempting to force a 3G or 4G connection down to 2G, whose encryption is weak, easily cracked and can be switched off entirely by the tower.
Over the past few months 60 Minutes reporter Ross Coulthart detected suspected IMSI catchers in operation around central Sydney, including outside the Australian Stock Exchange building in Bridge Street. Each time the rogue cell tower was attempting to force the phone to connect to it unencrypted, which would have exposed any calls, texts and data passing through it from a normal mobile phone.
He also recorded multiple detections in an undisclosed eastern suburbs Sydney location, filming the alerts in real time as they appeared on the Cryptophone. While there is a clear possibility the IMSI catchers detected were part of a legitimate law enforcement operation, experience in the US suggests at least some such rogue cell towers are being used illegally by criminals and corporate spies for fraud and espionage.
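The indicators a baseband firewall relies on, as described above (a forced downgrade to 2G, a tower that switches encryption off, a cell the phone has never seen, no neighbour list, an abnormally strong signal), can be checked against a sequence of cell observations. The Python below is an added illustration and is not the Cryptophone's, GSMK's or ESD America's code; the known-cell history, the thresholds and the three observations are constructed assumptions for the example.

```python
"""Rogue base station indicators, added as a worked example (not the
Cryptophone's, GSMK's or ESD's code).  Each observation is a constructed
snapshot of what a baseband firewall can see when the phone camps on a cell;
KNOWN_CELLS and the thresholds are assumptions for the example."""

# Constructed history of cells this phone has used legitimately:
# (location area code, cell id) -> (radio technology, typical signal in dBm)
KNOWN_CELLS = {
    (4021, 10021): ("LTE", -92),
    (4021, 10022): ("LTE", -97),
    (3310, 5501):  ("UMTS", -88),
}

RAT_RANK = {"GSM": 2, "UMTS": 3, "LTE": 4}          # higher is newer, stronger crypto
NULL_CIPHERS = {None, "A5/0", "UEA0", "EEA0"}        # "no encryption" in 2G/3G/4G
STRONG_SIGNAL_DELTA = 20   # assumed: > 20 dB above the best known cell is abnormal


def indicators(prev, obs):
    """Return the list of IMSI-catcher indicators for one observation.

    obs fields (constructed): rat, cipher, lac, cid, signal (dBm), neighbours
    (list of cell ids the serving cell advertises); prev is the previous
    observation or None.
    """
    found = []
    # A catcher that only speaks GSM pulls a 3G/4G phone down to 2G; a real
    # network only hands down when the newer coverage is fading, so a
    # downgrade while the signal gets better is the tell.
    if prev and RAT_RANK[obs["rat"]] < RAT_RANK[prev["rat"]] and obs["signal"] >= prev["signal"]:
        found.append("downgrade to weaker radio technology without loss of signal")
    if obs["cipher"] in NULL_CIPHERS:
        found.append("ciphering disabled")
    if (obs["lac"], obs["cid"]) not in KNOWN_CELLS:
        found.append("cell identity never seen before")
    if not obs["neighbours"]:
        found.append("no neighbour cells advertised")
    best_known = max(signal for _, signal in KNOWN_CELLS.values())
    if obs["signal"] > best_known + STRONG_SIGNAL_DELTA:
        found.append("signal far stronger than any known cell")
    return found


def analyse(observations):
    """Return one indicator list per observation, in order."""
    results, prev = [], None
    for obs in observations:
        results.append(indicators(prev, obs))
        prev = obs
    return results


# Constructed sequence: normal LTE, a cell showing every indicator, then LTE again.
SAMPLE_OBSERVATIONS = [
    {"rat": "LTE", "cipher": "EEA2", "lac": 4021, "cid": 10021, "signal": -93, "neighbours": [10022, 10025]},
    {"rat": "GSM", "cipher": "A5/0", "lac": 4021, "cid": 65000, "signal": -58, "neighbours": []},
    {"rat": "LTE", "cipher": "EEA2", "lac": 4021, "cid": 10022, "signal": -98, "neighbours": [10021]},
]


def demo():
    """Analyse the constructed sequence; returns the per-observation indicator lists."""
    return analyse(SAMPLE_OBSERVATIONS)


if __name__ == "__main__":
    for i, found in enumerate(demo()):
        print(i, "suspected IMSI catcher" if len(found) >= 2 else "ok", found)
```

No single indicator is conclusive (a genuine 2G-only rural cell will also be unknown and may even run unciphered in some countries), which is why the demo only calls a cell suspect when two or more indicators coincide. The second constructed observation trips all five; the two LTE observations trip none.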
ESD America is a company based in Las Vegas which markets the Cryptophone and specialises in counter-surveillance technology. Its CEO, Les Goldsmith, told 60 Minutes that his company has detected 68 IMSI catchers in locations across the US, including at sensitive government hearings and military installations.
He said that IMSI catchers are now widely in use by criminals because "an IMSI catcher in criminal hands is going to mean they have the ability to target an apartment building where they can listen to the phone calls and pick up and record all the calls and hope to pick up somebody calling their bank and giving their passwords or suchlike vital private transactions".
Technology breakthrough detects fake cell towers
ESD has developed technology in conjunction with German firm GSMK, called Overwatch, which for the first time allows real-time detection of rogue cell phone towers and distinguishes them from genuine ones. GSMK principal Bjoern Rupp demonstrated the technology for the first time on camera, showing how Overwatch pinpoints rogue cell towers on a map by triangulating their signals from sensors placed around a city.
The purpose of Overwatch is to provide governments and telecommunications providers with the first ever warning system that can alert them to the presence and location of an illegal IMSI catcher.
The technology breakthrough potentially threatens the efficacy of one of the most powerful tools used by intelligence agencies for the past few decades of mobile phone telephony. GSMK and ESD have also developed another product called Oversight, a system which detects suspicious SS7 activity.
Oversight is already being installed by a number of telcos in Europe, and reports suggest they are already noticing extensive suspicious use of SS7, which they are then able to block.
The potential ramifications of the Oversight and Overwatch breakthroughs are enormous: they could spell the end of the rampant, easy and undetected misuse of the SS7 hack and of IMSI catchers by a host of governments and rogue criminal elements internationally. For the moment, however, the huge security hole in SS7 remains unfixed.
SS7 hacking services on offer
In an amusing twist, when Hacking Team, an Italy-based seller of privacy-intrusive surveillance and hacking technology, suffered a major leak of its emails in July 2015, the leaked email traffic revealed the company's own view of how the leak was likely perpetrated. "This is blatant privacy violation!" complained Hacking Team CEO David Vincenzetti, "How did they collect such information?"
The answer from his technical experts was that whoever it was had most likely accessed their data over SS7 through a contact at the Italian phone company Telecom Italia.
The leaked emails also disclosed that Hacking Team had previously been approached by a company called CleverSig, which claimed to have online access to SS7 tracking via another operator at a cost of $14,000 to $16,000 per month.
It suggests, as many security practitioners are beginning to fear, that the SS7 system's surveillance capabilities are now wide open to unscrupulous commercial operators, for a fee.
When 60 Minutes contacted CleverSig’s founder Eitan Keren in Israel for comment about the leaked emails he said "not all the data you see there is valid. Take the data you read with caution". He then went on to disclaim any knowledge of or involvement in SS7 tracking. Questions were also sent to Verint, the makers of the SkyLock surveillance technology. They did not respond.
Ross Coulthart is an investigative journalist at 60 Minutes. Twitter: @rosscoulthart