Gaining access to the global network used by spies to track phone calls and intercept communications is relatively cheap and easy for hackers, criminals, or even anyone, a Daily Beast investigation has found.
The network, known as SS7, has faced renewed attention in the past few years, especially after researchers exploited it to eavesdrop on a congressman’s calls in real-time from the other side of the world. But a major concern is that more sinister hackers could conduct this sort of surveillance. To test just how possible opening the door to SS7 really is, The Daily Beast posed as a small potential customer to a telecom in Europe, and was offered SS7 access for just a few thousand dollars.
“SS7 is—and will be for years to come—the central nervous system of our telecommunications infrastructure. It was never meant to be accessed by individuals directly,” Tobias Engel, a security researcher who focuses on SS7, told The Daily Beast when presented with the findings.
Armed with just a phone number, those with SS7 access may be able play all sorts of tricks on a target. Someone linked to a Russian telecom has likely used SS7 to listen in on, and subsequently leak, phone calls between high-level U.S. and Ukrainian diplomats. Financially motivated hackers have leveraged flaws in SS7 to empty bank accounts in Europe. More than a dozen for-profit, surveillance companies, including some based in countries hostile to the U.S., offer SS7 services.
But rather than rely on a spying firm to provide SS7 surveillance capabilities, which probably only sell to law enforcement or other government entities, it is perfectly possible to obtain them more directly. The SS7 ecosystem is massive and diverse, with a myriad of resellers, wholesalers, and telecoms. Indeed, this is how SS7 works—the network is particularly important when a mobile-phone user moves from one roaming location to another; in those cases, a more local company may route messages on behalf of other, larger firms.
That wide, open ecosystem is also a serious security issue, with individuals able to buy access from telecoms with ease.
Let’s Do Business
Posing as a potential customer, this reporter registered an email domain—“smsrouter.co”— and, acting as a new text-message routing service, approached a division of a large-scale, legitimate telecommunications provider in Western Europe. The Daily Beast decided not to publicly name the telecom so as to not give criminals a roadmap of who exactly they could obtain SS7 access from.
After exchanging emails over a weeklong period (and specifying the fake company would need coverage in Europe), the telco provided a quote: a one-time setup fee of around $2,650, with 50 percent paid upfront and the rest with the first invoice after testing, and then a $6,600 monthly rental fee for a so-called global title (GT)—a designated address for routing messages. The telco also offered to connect The Daily Beast’s imaginary company over a SIGTRAN link, which, along with the GT, is key to exploiting SS7, Engel said.
In all, that totals to around $9,250—or pocket change for many cybercriminals, organized-crime syndicates, or insider traders. The Daily Beast’s cover identity of a small company was far from sophisticated: relying only on the custom email domain, and posing as a non-tech-savvy sales representative, rather than an engineer, to evade any overly technical questions.
The telco asked this reporter to sign a non-disclosure agreement in order to progress the discussions any further. To avoid legal complications, The Daily Beast decided to stop the experiment at this stage, and did not sign the agreement.
Both Engel and Silke Holtmanns, another SS7 expert from Nokia Bell Labs, said the type of access offered to The Daily Beast would be enough to send some malicious messages across SS7. A budding hacker would need to use special software to communicate with the SS7 network; but Engel pointed out such software can be downloaded for free online.
The price quoted to The Daily Beast is in line with other figures. In the emails of Italian surveillance company Hacking Team, which WikiLeaks archived back in 2015, a three-person startup called CleverSig pitched its own SS7 spying product to Hacking Team. In one email, Eitan Keren from CleverSig wrote that their operator charged between $14,000 and $16,000 a month and covered more than 600 different roaming partners, meaning CleverSig’s service could likely cover multiple countries and continents.
But SS7 access is also traded in a much more muddy gray market. According to a source in a cybersecurity company that offers SS7 protections, multiple shady characters, often using disposable email addresses or phone numbers, approach potential customers and offer SS7 access, sourced particularly from East African telecoms. The Daily Beast granted the source anonymity to discuss sensitive industry matters.
A Hacker’s Playground
When hackers used SS7 to break into European bank accounts this year, they intercepted tokens—those text messages a bank may send to confirm a payment or allow access to an account. That attack originated from SS7 addresses in Central Asia, cybersecurity firm AdapativeMobile, which is helping with the criminal investigation, found.
In September, researchers from U.S.-based Positive Technologies demonstrated how to use SS7 to empty a victim’s online bitcoin account. To do that, the researchers requested a password reset for their target’s Gmail account, which meant Gmail sent a token to the linked cellphone number. By accessing the SS7 network, the hackers then just intercepted the text message, and entered the Gmail account themselves.
But there are more possibilities for a payday with SS7.
“You could track CEOs or other [executives] of corporations and thus maybe get information that is relevant for the stock price,” Engel proposed.
There are likely many more cases of spies or hackers exploiting SS7 that have not made their way into media reports. Karsten Nohl, a third researcher who has worked extensively on SS7, said some members of the GSMA—an umbrella group for telecoms around the world—have looked into their own networks for abuse patterns.
Every network owner that analyzed the issue “has seen in excess of a million attack attempts per month,” Nohl told The Daily Beast. Some of those could be the same person being tracked over and over again every 10 minutes or so, but the issue spanned across operators in Europe, Africa, South America, and South Asia, Nohl added.
“I can not see a scenario where the same numbers wouldn’t apply to the U.S. networks,” Nohl said.
On top of the ease of access, another issue is how some telecoms, including those in the U.S., are apparently failing to deploy basic protections on their own networks against these sort of attacks. In October, several U.S. telecoms sent letters to Senator Ron Wyden detailing some of their security practices, after Wyden asked a set of specific questions.
“Despite years of warnings about vulnerabilities in wireless networks, several U.S. carriers revealed they have yet to take basic steps to protect Americans against criminals, stalkers, and spies who could target our personal devices,” Wyden said in a statement. As The Daily Beast has previously reported, the telecom industry has known about the specific threats SS7 posed, including revealing the geo-location of phones and interception, for nearly two decades.
According to those new letters, which Wyden’s office shared with The Daily Beast, neither T-Mobile or Verizon have an SS7 firewall in place—something that would likely mitigate SS7 attacks. (When asked for comment, T-Mobile seemingly contradicted itself, and insisted it does have an SS7 firewall in place. Verizon did not respond, but Nohl added that Verizon may not necessarily need an SS7 firewall, due to differences in its network when compared to other providers.)
Although one carrier may deploy protections, a phone user may still be vulnerable to spying when they move onto another less secure one, though. Phone users are largely at the mercy of whoever happens to be handling their messages at that point in time.
“Even if a network operator protects their subscribers against SS7 attacks like eavesdropping, location tracking, or denial of service, they are still vulnerable for these attacks once they roam into a less protected network,” Engel said.
There’s very little a cellphone user can do to determine whether the network they are on is open to SS7 attacks; and the attacks themselves are invisible to the target. Telecoms’ feet-dragging over protecting their networks, combined with the relative ease of access to SS7, could be putting people across the world at risk of surveillance and hacking, whether they are legitimate targets or not.
“Two finance guys are talking business,” the representative from the telecom wrote in one email.
Update: This piece has been corrected to clarify that researchers intercepted a congressman's calls, not a senator's.