15 comments

[ 4.3 ms ] story [ 48.5 ms ] thread
It's as if SS7 was deliberately SIGINT-Enabled to allow for snooping. I'm not saying it is deliberately weak, but they could have done a better job baking in privacy. SS7 telephony is horribly outdated and needs something else in its place, and preferably something not weak and something that can stand the test of time, going forward (possibly even quantum resistant secure comms would be nice to have).
I don't imagine they deliberately intended to facilitate all the snooping and tracking that's happening nowadays -- think about how old SS7 is, how "closed" telco networks were at the time, and how the Internet and VoIP were still just figments of our imaginations. I'll give 'em the benefit of the doubt in that regard.

However...

The vulnerabilities in SS7 have been known publicly for at least 12 years (per Wikipedia). While I realize that it's going to take an absolutely enormous amount of time and effort to roll out protocol "enhancements" and "upgrades" across the biggest network in the world without completely breaking everything but the (apparent) lack of any progress whatsoever is what makes me start to question whether it's just negligence or if it is, in fact, intentional.

The cellular / mobile phone networks, though?

Personally, I'm 100% convinced the issues there (CMEA, A5/1, etc.) were intentional and "by design"... For those who don't know what I'm talking about, just look into NSA's "alleged" involvement with CMEA -- knowing what we do now, post-Snowden, about the NSA -- and let me know if you don't feel the same way!

It's fun to see people today rail against ESS7 for being insecure.

Back when SxS and Crossbar were still around, SS7 was seen as the technology that was so secure it would stop all hacking of telcos forever.

Same level of hyperbole. Different eras.

We bought access to SS7 through a Jordan telco just to make prank calls and get the cell id of our friends to welcome them into different parts of town by SMS (like when you get a welcome sms in another country)
Out of curiosity how much did it cost?
Last time this came up on HN, I believe it was $5000
How did you know where the cell ids were located. Did you figure this out yourselves, or were you able to get this information somewhere?
We figured it by seeing the cells they were typically connected to when we knew for sure that they were in a specific part of town. So trial and error basically.
I thought access to SS7 was pretty well firewalled to the average person?

Its not like its the 90s when you could just send raw SS7 down ISDN with not consequences.

who allows you to have unfettered SS7 access nowadays?

Because of the international nature of telephone systems, you don't need to get SS7 access locally. There's plenty of telcos worldwide that sell SS7 capable lines.
I believe you can get access from eastern European phone companies for as little as a few thousand dollars. SS7 was designed kind of like BGP: if you're in the "in crowd" you can do whatever you want. You can start by googling "ss7 attack".
Mostly correct about BGP, except we have started adding verification / validation to operations lately (e.g. RPKI).
> googling "ss7 attack".

Oh indeed, I'm old enough to have played with raw SS7 back in the day. I'm just surprised that intentional access is allowed. I had assumed that this kind of access died when frame relays were phased out for fibre/"ethernet"

Obviously if you peer with a telecoms company then you'll get some level of access, but for obvious reasons I would have thought it would have some level of filtering, if only to stop them fucking with the billing.

Asterisk PBX + a T1/PRI card and service from a local telco provided basically unfettered access to SS7 when I toyed with it like 15 years ago.. I'm guessing not much has changed?
I eagerly await the Biden administration to take swift action to correct Trump's obvious personal malfeasance in this matter.

Good grief. How about the simple answer - it will cost big bucks to fix, and fixes tend to break things adding even more costs. Combine that with our government TLAs probably using the same vulnerabilities for their own purposes too means this is an evergreen problem and not specific to the current administration. After all, it did exist long before the orange man was bad.