Research finds cellphone security flaws

German researchers have found security flaws that could let hackers, spies and criminals listen to private phone calls and intercept text messages on a potentially massive scale — even when cellular networks are using the most advanced encryption now available.

The flaws, to be reported at a hacker conference in Hamburg this month, are the latest evidence of widespread insecurity on SS7, the global network that allows the world’s cellular carriers to route calls, texts and other services to each other. Experts say it’s increasingly clear that SS7, first designed in the 1980s, is riddled with serious vulnerabilities that undermine the privacy of the world’s billions of cellular customers.

The flaws found by the German researchers are actually functions built into SS7 for other purposes — such as keeping calls connected as users speed down highways, switching from cell tower to cell tower — that hackers can repurpose for surveillance because of the lax security on the network.

Those skilled at the myriad functions built into SS7 can locate callers anywhere in the world, listen to calls as they happen or record hundreds of encrypted calls and texts at a time for later decryption. There also is potential to defraud users and cellular carriers by using SS7 functions, the researchers say.

These vulnerabilities continue to exist even as cellular carriers invest billions of dollars to upgrade to advanced 3G technology aimed, in part, at securing communications against unauthorized eavesdropping. But even as individual carriers harden their systems, they still must communicate with each other over SS7, leaving them open to any of thousands of companies worldwide with access to the network. That means that a single carrier in Congo or Kazakhstan, for example, could be used to hack into cellular networks in the United States, Europe or anywhere else.

“It’s like you secure the front door of the house, but the back door is wide open,” said Tobias Engel, one of the German researchers.

Engel, founder of Sternraute, and Karsten Nohl, chief scientist for Security Research Labs, separately found these security weaknesses as they studied SS7 networks in recent months, after The Washington Post reported the widespread marketing of surveillance systems that use SS7 networks to locate callers anywhere in the world. The Post reported that dozens of nations had bought such systems to track surveillance targets and that skilled hackers or criminals could do the same using functions built into SS7. (The term is short for Signaling System 7 and replaced previous networks called SS6, SS5, etc.)

The researchers did not find evidence that their latest discoveries, which allow for the interception of calls and texts, have been marketed to governments on a widespread basis. But vulnerabilities publicly reported by security researchers often turn out to be tools long used by secretive intelligence services, such as the National Security Agency or Britain’s GCHQ, but not revealed to the public.

“Many of the big intelligence agencies probably have teams that do nothing but SS7 research and exploitation,” said Christopher Soghoian, principal technologist for the ACLU and an expert on surveillance technology. “They’ve likely sat on these things and quietly exploited them.”

The GSMA, a global cellular industry group based in London, did not respond to queries seeking comment about the vulnerabilities that Nohl and Engel have found. For the Post’s article in August on location tracking systems that use SS7, GSMA officials acknowledged problems with the network and said it was due to be replaced over the next decade because of a growing list of security and technical issues.

The German researchers found two distinct ways to eavesdrop on calls using SS7 technology. In the first, commands sent over SS7 could be used to hijack a cell phone’s “forwarding” function — a service offered by many carriers. Hackers would redirect calls to themselves, for listening or recording, and then onward to the intended recipient of a call. Once that system was in place, the hackers could eavesdrop on all incoming and outgoing calls indefinitely, from anywhere in the world.

The second technique requires physical proximity but could be deployed on a much wider scale. Hackers would use radio antennas to collect all the calls and texts passing through the airwaves in an area. For calls or texts transmitted using strong encryption, such as is commonly used for advanced 3G connections, hackers could request through SS7 that each caller’s carrier release a temporary encryption key to unlock the communication after it has been recorded.

Nohl on Wednesday demonstrated the ability to collect and decrypt a text message using the phone of a German senator, who cooperated in the experiment. But Nohl said the process could be automated to allow massive decryption of calls and texts collected across an entire city or a large section of a country, using multiple antennas.

“It’s all automated, at the push of a button,” Nohl said. “It would strike me as a perfect spying capability, to record and decrypt pretty much any network … Any network we have tested, it works.”

Those tests have included more than 20 networks worldwide, including T-Mobile in the United States. The other major U.S. carriers have not been tested, though Nohl and Engel said it’s likely at least some of them have similar vulnerabilities. (Several smartphone-based text messaging systems, such as Apple’s iMessage and WhatsApp, use end-to-end encryption methods that sidestep traditional cellular text systems and likely would defeat the technique described by Nohl and Engel.)

In a statement, T-Mobile said: “T-Mobile remains vigilant in our work with other mobile operators, vendors and standards bodies to promote measures that can detect and prevent these attacks.”

The issue of cell phone interception is particularly sensitive in Germany because of news reports last year, based on documents provided by former NSA contractor Edward Snowden, that a phone belonging to Chancellor Angela Merkel was the subject of NSA surveillance. The techniques of that surveillance have not become public, though Nohl said that the SS7 hacking method that he and Engel discovered is one of several possibilities.

U.S. embassies and consulates in dozens of foreign cities, including Berlin, are outfitted with antennas for collecting cellular signals, according to reports by German magazine Der Spiegel, based on documents released by Snowden. Many cell phone conversations worldwide happen with either no encryption or weak encryption.

The move to 3G networks offers far better encryption and the prospect of private communications, but the hacking techniques revealed by Nohl and Engel undermine that possibility. Carriers can potentially guard their networks against efforts by hackers to collect encryption keys, but it’s unclear how many have done so. One network that operates in Germany, Vodafone, recently began blocking such requests after Nohl reported the problem to the company two weeks ago.

Nohl and Engel also have found new ways to track the locations of cell phone users through SS7. The Post story, in August, reported that several companies were offering governments worldwide the ability to find virtually any cell phone user, virtually anywhere in the world, by learning the location of their cell phones through an SS7 function called an “Any Time Interrogation” query.

Some carriers block such requests, and several began doing so after the Post’s report. But the researchers in recent months have found several other techniques that hackers could use to find the locations of callers by using different SS7 queries. All networks must track their customers in order to route calls to the nearest cellular towers, but they are not required to share that information with other networks or foreign governments.

Carriers everywhere must turn over location information and allow eavesdropping of calls when ordered to by government officials in whatever country they are operating in. But the techniques discovered by Nohl and Engel offer the possibility of much broader collection of caller locations and conversations, by anyone with access to SS7 and the required technical skills to send the appropriate queries.

“I doubt we are the first ones in the world who realize how open the SS7 network is,” Engel said.

Secretly eavesdropping on calls and texts would violate laws in many countries, including the United States, except when done with explicit court or other government authorization. Such restrictions are likely to do little to deter criminals or foreign spies, say surveillance experts, who say that embassies based in Washington likely collect cellular signals.

The researchers also found that it was possible to use SS7 to learn the phone numbers of people whose cellular signals are collected using surveillance devices. The calls transmit a temporary identification number which, by sending SS7 queries, can lead to the discovery of the phone number. That allows location tracking within a certain area, such as near government buildings.

The German senator who cooperated in Nohl’s demonstration of the technology, Thomas Jarzombek of Merkel’s Christian Democratic Union party, said that while many in that nation have been deeply angered by revelations about NSA spying, few are surprised that such intrusions are possible.

“After all the NSA and Snowden things we’ve heard, I guess nobody believes it’s possible to have a truly private conversation on a mobile phone,” he said. “When I really need a confidential conversation, I use a fixed-line” phone.
