The poorly secured Signaling System No. 7 (SS7) protocol, used for communication between telecom providers, makes it easy to retrieve the location of a phone user, a German security researcher reports.
According Tobias Engel, a German security researcher who reported his findings during the Computer Chaos Club security conference in Hamburg, an attacker only needs the phone number of a victim to retrieve the location of the user. “That’s very creepy”, Engel states, “you don’t even need to know someone, you only need to know his phone number.”
SS7 is a protocol used by operators to communicate with each other, e.g. to pass on phone conversations and text messages, to settle roaming costs and to exchange subscription data between servers. The protocol hardly uses authentication and plausibility checks.
To retrieve someones location the attacker needs to send specific SS7 commands to the server of a telecom provider. The protocol is only intended for communication between telecom providers but there are several ways of gaining access. To get access a so called “global title” is required, an identification number similar to an IP address. A global title can be purchased from certain telecom providers but an attacker can also hack a femtocell or penetrate a bad secured server.
Once the attacker has obtained a global title, the attacker can retrieve to which cell tower his victim connects. Each cell tower has an unique number and only the number of the cell tower is required to retrieve the location of the victim. There are commercial databases that show the location of a cell tower. “Especially in cities where cell towers are close to each other, you can follow someone on street level”, according to Engel.
The method is already used, Engel claims. The researcher worked closely with a German provider to investigate the matter and found out that a transportation company uses the method to track its cars. There’s even a commercial company that offers the possibility to retrieve someone’s location based on only a phone number.
According to Engel it’s also possible to send other commands to a SS7 server. The commands could cause a denial of service, which deletes the user of the server. Even worse is the possibility to hijack conversations, an attacker can send a command to the server to forward calls, e.g. to record them. Also text messages can be intercepted. “It already happens”, according to Engel who explained the method to the Washington Post earlier. Using special equipment it’s also possible to retrieve all phone users and their numbers in a specific area.
The introduction of 4G won’t solve the SS7 issues, according to Engel. The successor of SS7, called Diameter contains many of the problems of SS7. Also telephony over 2G and 3G (both using SS7) will continue to exist for a while.
Engel recommends telecom providers to take additional measures to prevent their subscribers from being vulnerable. However providers can’t fully protect themselves, they’ll need to support SS7 to communicate with other providers. Users also can’t do much, except asking their telecom provider to take measures and/or throwing away their phone, Engel concludes.