Hackers on new “secure” phone networks can bill your account for their roaming charges

I have good news! The infamous SS7 networks used by mobile operators to interoperate, e.g.
when you’re roaming — which were built on trust, essentially devoid of security, and permitted rampant fraud, SMS hijacking, eavesdropping, password theft, etc. — are being replaced. Slowly. But I have bad news, too! Which is: the new systems still have gaping holes.

One such was described at the Def Con hacking convention today by Dr. Silke Holtmanns of Nokia Bell Labs. She gave a fascinating-to-geeks-like me summary of how the IPX network which connected five Scandinavian phone systems in 1991, using the SS7 protocol suite secured entirely by mutual trust, has grown into a massive global “private Internet” connecting more than two thousand companies and other entities. It is this private network-of-networks which lets you fly to another country and use your phone there, among many other services.

The quote which stood out most starkly from her slides regarding IPX was this: “Security awareness only recently started (2014).” 😮 That’s … awfully late to start thinking about security for a massive semi-secret global network with with indirect access to essentially every phones, connected car, and other mobile/SIM-card enabled device on the planet. He understated grimly.

Still, better later than never, right? A new protocol, called Diameter, is slowly lurching into place, in fits and starts. (Technically the old system used two protocol suites, SS7 and Radius: Diameter is the successor to Radius, but flexible enough that it can and will absorb SS7’s functions too.) Alas, even Diameter has at least one flaw: its so-called “hop-by-hop” routing can be used by an attacker to spoof an endpoint, i.e. to pretend to be a company which they aren’t.

This, combined with the ability to harvest a unique ID number (known as the IMSI) from a phone, with a device such as a Stingray, and the ability to request a re-assessment of a phone’s quality of service and billing information at any point, ultimately means that a capable hacker could upgrade their phone service at your expense … or downgrade your service to e.g. 2G-only, while roaming, if they were feeling more malicious than greedy.

2G-only! The horror! OK, this is a lot better than the long litany of fundamental flaws to which SS7 was vulnerable, but it’s still sad. Worst of all is the list of countermeasures that Dr. Holtmanns suggested. There are long list of things which companies and operators on the IPX network can do to fix or mitigate this vulnerability; but if you’re a user? All she can recommend is “check your bill” and “keep an eye on the news.”

This is yet another instance of what I call “the trustberg.” When you pick up your phone, because your bank texted you a one-time password, or to text something private, do you even know who you’re trusting to keep your texts and accounts unhacked? The bank itself, and Google or Apple, sure. Whatever Android app handles your texts, maybe. But it turns out this is only the tip of the trustberg.

Power generation and distribution; water and sewers; food processors and grocery trucks; industrial control systems; emergency response systems; microprocessor manufacturers; phone and satellite networks. We assume that somewhere, in some distant room, teams of competent grown-ups are taking care of these systems and making sure they’re safe — right?

Which is why coming to hacker conventions (such as infamous Def Con, from which I write this) is always such a sobering, saddening experience. Two days I wrote about satellite communications devices compromised worldwide … mostly because, it turns out, they relied on hardcoded, easily cracked passwords for “security.” Now I’m writing about new, improved security after a decade of catastrophic failures … and it’s still not actually secure. We can hope the even more important infrastructure I listed above is better taken care of … but the more hacker cons I go to, the harder this hope becomes.

You Might Also Like