31 - Signalling System Number 7 (SS7) and phone networks
Signalling System number 7
- Is a set of telephony protocols developed in 1975.
- It’s used in most parts of the worldwide public switched telephone network.
- Used to
- Start calls
- Tear down calls
- Number translation
- Local number portability
- The ability for a number to change carrier. In some countries (like Canada) it’s possible to move a number from a cell phone to landline.
- Prepaid billing
- SMS
- and others
Variants
There’s multiple regional variants, which follow a recommendation. Most are based on the ones from the American Standard Institute and European Telecommunications Standards Institute. There’s also the Chinese and Japanese ones which are more different.
The IETF also created a compatible protocol that works over the Internet. It’s sometime called Pseudo SS7.
History
Hard time finding information about SS1. Found a scan of a printed manual for SS-1 from “American Telephone and Telegraph Company, 1968”.
In the 70s, there was SS5 which was using in-band signaling. This means that it was easy to hack since you could simply produce the right sound in the mic to signal commands. We already talked about this in the dial-up modem episode with the multi frequency signaling which was using a set of audible tones.
Fun fact, we initially received a copyright notice for that episode on youtube. But, it’s not there anymore.
SS6 and SS7 are using a separated signaling channel. Those are called Common-channel signaling protocols, or CCS.
In the dial-up episode, we were wondering if we could use the multi frequency tones from the modems on a cellphone, and the answer is probably no since now the signalling layer and voice layer are separated.
Compared to the Internet
- ARPANET started in the early 70s.
- Residential connections to the Internet started in 1989.
Features
Signaling methods prior to SS7 couldn’t transmit a lot of information during the signaling phase. This means that they couldn’t have many features other than calling a phone number. SS7 was a “high speed” packet based protocol. This gave us access to many call management features like
call forwarding (busy and no answer), voice mail, call waiting, conference calling, calling name and number display, call screening, malicious caller identification, busy callback.
The fact that it’s using different channels means that it’s possible to transmit signaling information during a call.
Layers
Just like Ethernet technology, SS7 has multiple layers. North America and Europe are not even using exactly the same higher level protocols.
Problems
Over the years multiple vulnerabilities have been publicly disclosed. Those flaws have been used by criminals and governments.
SS7 is supposed to be connecting trusted operators like ISPs togethers. It was developed in a time where you could trust every operator. Every protocol on SS7 doesn’t require any authentication. This means that once you are on the network, you can do pretty much anything.
How to connect
- It’s pretty easy to get access to SS7. You can buy access from operators. Can be useful for companies like Twilio.
- Some SS7 operators didn’t secure their networks.
Position
The SS7 network needs to know where you are to be able to route traffic to you. This means that someone on SS7 can query this information.
In the USA, 911 have access to a protocol to get access to the caller position. The security of this protocol is really weak. This protocol can even enable the GPS receiver on the phone.
Record calls
SS7 has a powerful protocol to rewrite how a cell phone interacts with a network. This can be used by an attacker to setup a persistent man in the middle for that phone number and record calls.
2FA - SMS
Can listen to SMS, this means that if you use SMS as a 2FA, they can hijack it. They can also totally redirect SMSes.
SIM swapping
If the criminal doesn’t have directly to SS7, they can try to do a SIM card swapping attack. Call the phone provider and social engineer the reps to change your SIM card. This means that they now have access to your phone number.
CRTC
Canadian telecoms and CRTC don’t want to divulge what they are doing against SIM hijacking attacks.
Easy to find out who’s around you
Towers send “paging requests” (link pings) to cell phones. They use temporary identifiers to not divulge the identity of the user. But, if you have access to SS7, you can simply ask the network to find out all the information behind this temporary identifier.
[1] https://en.wikipedia.org/wiki/Signalling_System_No._7
[2] https://en.wikipedia.org/wiki/Local_number_portability
[3] http://etler.com/docs/BSP/982/982-325-100_I3.pdf
[4] https://en.wikipedia.org/wiki/History_of_the_Internet
[5] https://www.firstpoint-mg.com/blog/ss7-attack-guide/
[6] https://fedotov.co/ss7-hack-tutorial-software-video/
[7] https://mobilesyrup.com/2020/10/24/crtc-telecom-refuse-share-data-sim-hijacking-prevention-efforts/