
IN FEBRUARY 2014, the US ambassador to Ukraine suffered an embarrassing leak. A secret conversation between him and US Assistant Secretary of State Victoria Nuland got posted to YouTube, in which Nuland spoke disparagingly about the European Union.

The conversation occurred over unencrypted phones, and US officials told reporters they suspected the call was intercepted in Ukraine, but didn’t say how. Some people believe it occurred using vulnerabilities in a mobile data network known as SS7, which is part of the backbone infrastructure that telecoms around the world use to communicate between themselves about how to route calls and text messages.


A little-noticed report released by the Ukrainian government a few months after the leak gives credence to this theory. Although the report didn’t mention the ambassador, it revealed that for three days in April that year, location data for about a dozen unidentified mobile phone customers in Ukraine got mysteriously sent to a Russian telecom using SS7 vulnerabilities. Text messages and phone calls of some of those customers also got diverted to Russia, where someone could have eavesdropped on the conversations and recorded them.

The telecom industry has known for years that SS7 is vulnerable to spying, but did little about it because many assumed the risks were theoretical. This changed in the wake of the Ukrainian incidents, says Cathal McDaid, head of the threat intelligence unit for AdaptiveMobile, a mobile telecom security firm. His company and others devised ways to detect SS7 attacks, and since then they have discovered suspicious activity in the networks of multiple telecom customers, suggesting that SS7 attacks are very much real, and ongoing. AdaptiveMobile released a report in February highlighting some of those attacks.


SS7 is just now getting more public attention because of a 60 Minutes piece last week, which showed two German researchers using SS7 to spy on US Congressman Ted Lieu, with his permission. Lieu has called for a congressional hearing to look into SS7 vulnerabilities, and the Federal Communications Commission has plans to examine it, too.


So what is SS7 and why is it so vulnerable?


SS7, also known as Signaling System No. 7, refers to a data network and the set of technical protocols, or rules, that govern how data gets exchanged over it. It was designed in the 1970s to track and connect landline calls across different carrier networks, but is now commonly used to calculate cellular billing and send text messages, in addition to routing mobile and landline calls between carriers and regional switching centers. SS7 is part of the telecommunications backbone but is not the network your voice calls go through; it’s a separate administrative network with a different function. Think of it like a passenger train system: SS7 is the maintenance tunnels workers use rather than the main tunnels through which passenger trains travel.

SS7 is often used now to set up roaming so that when you travel, say, from New York to Mumbai, you can make and receive calls and texts outside your carrier’s range. An outside carrier will send a request to your carrier via SS7 to obtain your phone’s unique ID to track your device, and also request that your communications be redirected to its network so that it can deliver calls and text messages to you. It’s a way of making sure calls and messages are delivered between networks.

The Problem


The problem is that SS7 is based on trust. Any request a telecom receives is considered legitimate. Therefore anyone with access to a server or gateway on the SS7 network can send a location or redirect request to your telecom for purposes of roaming, and the telecom will likely comply, even if the roaming request comes from St. Petersburg or Mumbai and you and your phone are in New York.


This makes it possible for a remote attacker to spy on lawmakers, corporate executives, military personnel, activists and others. It should be noted that in grabbing your texts and calls in this way, an attacker will also be able to grab your two-factor authentication log-in codes that Gmail and other services send via text so you can access your accounts. An attacker who already knows the username and password for an account can intercept these codes before you receive them in order to log in to your accounts.




Who has access to SS7?


Hundreds of telecoms around the world use it. Government intelligence agencies can also gain access to the network, either with the permission of telecoms or not. Commercial companies also sell SS7 phone tracking services to governments and other customers. Criminal groups able to purchase access from corrupt telecom workers can also use SS7, as can hackers who hijack unsecured SS7 equipment.

It wasn’t until December 2014 that telecoms began to implement ways to thwart SS7 attacks. That’s when Karsten Nohl of the Berlin-based Security Research Labs and an independent researcher named Tobias Engel gave presentations about SS7 at the Chaos Communication Congress in Germany, months after the Ukrainian incidents were discovered. Engel had demonstrated an SS7 method for tracking phones in 2008, but that method wasn’t as refined as the ones he and Nohl described in 2014. The latter prompted regulators in Northern Europe to demand that carriers there implement measures to mitigate SS7 attacks by the end of 2015.




How Exactly Can SS7 Be Hacked to Track You?


To track you, an attacker could send what’s called an Anytime Interrogation request to your carrier to get the unique ID of your phone and identify which mobile switching center (MSC) your phone uses (usually one MSC covers an entire city). Carriers use this information to determine your location so they can route your calls and messages through the cell tower closest to you. By sending repeated Anytime Interrogation requests to get this and your GPS coordinates, an attacker can track your phone, and you, to the street block where you are standing, using Google Maps.


Carriers could thwart this by blocking Anytime Interrogation requests coming from outside their boundaries, Nohl says. But there are other ways to get location information using different queries via SS7, and these are not as easily blocked, he says.




In Depth


In mobile networks, subscribers are identified by the international mobile subscriber identity (IMSI), which is considered confidential information.


This attack is based on requesting the Mobile Switching Center (MSC) Visitor Location Register (VLR) address, and the IMSI. The request is part of the SMS delivery protocol, which allows the source network to receive information about the subscriber’s location for further routing of the message. The initial data includes the target subscriber number.


If the attack succeeds, the attacker obtains the following data:

+ Subscriber’s IMSI

+ Servicing MSC/VLR address

+ Home Location Register (HLR) address where the subscriber’s account data is located


The MSC/VLR address will determine the subscriber’s location down to the regional level. Moreover, the intruder can use the obtained data in more complex attacks.







Discovering a subscriber’s location


Received data is commonly used for real-time tariffing of the subscriber’s incoming calls. The initial data is the IMSI and current MSC/VLR address.


The intruder obtains the Cell Global Identity (CGI), which consists of:


+ Mobile Country Code (MCC)

+ Mobile Network Code (MNC)

+ Location Area Code (LAC)

+ Cell Identity (CID)



There are a number of services available on the Web that allow determining a base station’s location using these identifiers. In cities and urban areas, the accuracy of a subscriber’s location can be determined within a few hundred meters.
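In MAP signaling the CGI travels as a fixed 7-octet field: the MCC and MNC packed as TBCD nibbles in the first three octets (with 0xF as filler when the MNC has only two digits), followed by the LAC and the CID as 16-bit big-endian integers. The decoder below is an added example, not code from the article or from any of the vendors it quotes; it parses that field, rejects malformed input, round-trips it through an encoder, and resolves the result against a constructed cell table standing in for the Web services the text mentions. The sample bytes, the `MCC-MNC-LAC-CID` key convention and the coordinates in `CELL_DB` are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CellGlobalId:
    mcc: str   # 3 digits
    mnc: str   # 2 or 3 digits
    lac: int   # Location Area Code, 0..65535
    cid: int   # Cell Identity, 0..65535


def _tbcd_digit(nibble: int) -> str:
    """One TBCD nibble as a decimal digit; 0xF is only legal as MNC filler."""
    if nibble > 9:
        raise ValueError(f"invalid TBCD digit nibble 0x{nibble:x}")
    return str(nibble)


def decode_cgi(raw: bytes) -> CellGlobalId:
    """Decode the 7-octet MAP CellGlobalId (PLMN octets coded as in TS 24.008)."""
    if len(raw) != 7:
        raise ValueError(f"CGI must be 7 octets, got {len(raw)}")
    b0, b1, b2 = raw[0], raw[1], raw[2]
    # Octet 1: MCC digit 2 | MCC digit 1; octet 2: MNC digit 3 | MCC digit 3;
    # octet 3: MNC digit 2 | MNC digit 1 (low nibble holds the earlier digit).
    mcc = _tbcd_digit(b0 & 0xF) + _tbcd_digit(b0 >> 4) + _tbcd_digit(b1 & 0xF)
    mnc = _tbcd_digit(b2 & 0xF) + _tbcd_digit(b2 >> 4)
    mnc_digit3 = b1 >> 4
    if mnc_digit3 != 0xF:            # 0xF filler means a two-digit MNC
        mnc += _tbcd_digit(mnc_digit3)
    lac = int.from_bytes(raw[3:5], "big")
    cid = int.from_bytes(raw[5:7], "big")
    return CellGlobalId(mcc, mnc, lac, cid)


def encode_cgi(cgi: CellGlobalId) -> bytes:
    """Inverse of decode_cgi, handy for round-trip checks and test fixtures."""
    if len(cgi.mcc) != 3 or len(cgi.mnc) not in (2, 3):
        raise ValueError("MCC must be 3 digits, MNC 2 or 3 digits")
    d3 = int(cgi.mnc[2]) if len(cgi.mnc) == 3 else 0xF
    plmn = bytes([
        (int(cgi.mcc[1]) << 4) | int(cgi.mcc[0]),
        (d3 << 4) | int(cgi.mcc[2]),
        (int(cgi.mnc[1]) << 4) | int(cgi.mnc[0]),
    ])
    return plmn + cgi.lac.to_bytes(2, "big") + cgi.cid.to_bytes(2, "big")


def cgi_key(cgi: CellGlobalId) -> str:
    """'MCC-MNC-LAC-CID' lookup key (a convention chosen for this example)."""
    return f"{cgi.mcc}-{cgi.mnc}-{cgi.lac}-{cgi.cid}"


# Constructed cell table (assumption): key -> (latitude, longitude). A real
# lookup would query the operator's cell plan or a public cell-location service.
CELL_DB = {
    "262-01-4660-43981": (52.5200, 13.4050),
}


def locate(raw: bytes, db=CELL_DB):
    """Decode a raw CGI and resolve it to approximate coordinates, or None."""
    return db.get(cgi_key(decode_cgi(raw)))


if __name__ == "__main__":
    # Constructed sample: MCC 262, MNC 01, LAC 0x1234, CI 0xABCD.
    sample = bytes.fromhex("62f2101234abcd")
    print(decode_cgi(sample), locate(sample))
```

The decoder is deliberately strict: a wrong length or a non-digit nibble raises instead of producing a plausible-looking but wrong identity, which matters when the same code feeds a location-monitoring pipeline.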




Intercepting incoming SMS messages


After registering the subscriber with the fake MSC/VLR, SMS messages intended for the subscriber are instead sent to the attacker’s host.

The attacker is able to:


+ send a confirmation that the message was received (it will look to the sender as if the message was delivered)

+ re-register the subscriber to the previous switch so that he/she also gets the message.

+ send a confirmation to the sender, re-register the subscriber to the previous switch and send him/her an altered message



The attack can be used to:


+ steal one-time mobile banking passwords delivered as SMS messages

+ intercept or recover passwords used for various internet services (email, social networks, etc.)





Intercepting outgoing calls


An attacker replaces the billing platform address in the subscriber’s profile with the address of their own equipment. When the subscriber makes a call, the billing request, along with the number of the destination subscriber, is sent to the attacker’s equipment. The attacker can then redirect the call and create a three-way conference call (destination subscriber, calling subscriber and the attacker).







What Can Be Done?


That kind of attack should be easy to thwart with an algorithm that knows it’s illogical for a subscriber to move back and forth between the US and Germany every five minutes. “But, again, nobody has implemented these smart checks,” Nohl says.
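Two of the defensive checks the article mentions, blocking Anytime Interrogation that arrives from outside the carrier's own boundaries and the "smart check" that flags a subscriber bouncing between the US and Germany every five minutes, can be expressed as screening rules over a feed of signaling events. The script below is an added example written for this page, not code from the article, AdaptiveMobile or the researchers quoted; it runs both rules over a constructed event list. Assumptions: events are dicts with an ISO timestamp, a MAP operation name, the IMSI and the originating global title (for UpdateLocation that is the visited VLR); `GT_COUNTRY` maps the leading E.164 country code of a GT to a country centroid, `HOME_GT_PREFIXES` is the home operator's GT range, and `MAX_PLAUSIBLE_SPEED_KMH` is the travel-speed threshold. All of those tables, and the IMSIs and GTs in `SAMPLE_EVENTS`, are constructed; a real deployment would take them from the operator's roaming-partner and GT databases.

```python
import math
from datetime import datetime

# Constructed reference data (assumption): leading E.164 country code of a
# global title -> (country, approximate latitude and longitude of that country).
GT_COUNTRY = {
    "1":  ("US", 39.8, -98.6),
    "49": ("DE", 51.2, 10.4),
    "7":  ("RU", 61.5, 105.3),
    "91": ("IN", 20.6, 79.0),
}
HOME_GT_PREFIXES = ("1555",)       # assumption: the home operator's own GT range
MAX_PLAUSIBLE_SPEED_KMH = 1000.0   # assumption: faster than any airliner
EARTH_RADIUS_KM = 6371.0


def gt_country(gt: str):
    """Longest-prefix match of a GT against the country table."""
    for cc in sorted(GT_COUNTRY, key=len, reverse=True):
        if gt.startswith(cc):
            return GT_COUNTRY[cc]
    return None


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def check_ati(event: dict):
    """Rule 1: AnyTimeInterrogation is a home-network operation, so any copy
    arriving from a GT outside the home range is flagged for blocking."""
    if event["op"] != "anyTimeInterrogation":
        return None
    if event["orig_gt"].startswith(HOME_GT_PREFIXES):
        return None
    return f"ATI for IMSI {event['imsi']} from non-home GT {event['orig_gt']}"


class VelocityMonitor:
    """Rule 2: successive UpdateLocation requests for one IMSI must describe
    physically plausible travel between the two claimed VLR countries."""

    def __init__(self, max_kmh: float = MAX_PLAUSIBLE_SPEED_KMH):
        self.max_kmh = max_kmh
        self.last = {}   # imsi -> ((country, lat, lon), timestamp)

    def check(self, event: dict):
        if event["op"] != "updateLocation":
            return None
        here = gt_country(event["orig_gt"])   # the VLR claiming to serve the phone
        ts = datetime.fromisoformat(event["ts"])
        prev = self.last.get(event["imsi"])
        self.last[event["imsi"]] = (here, ts)  # always advance, alert or not
        if prev is None or here is None or prev[0] is None:
            return None
        (pc, plat, plon), pts = prev
        c, lat, lon = here
        if c == pc:
            return None
        hours = (ts - pts).total_seconds() / 3600.0
        dist = haversine_km(plat, plon, lat, lon)
        # Zero or negative elapsed time with a country change is treated as impossible.
        if hours <= 0 or dist / hours > self.max_kmh:
            return (f"impossible travel for IMSI {event['imsi']}: {pc}->{c}, "
                    f"{dist:.0f} km in {hours * 60:.0f} min")
        return None


def scan(events):
    """Run both rules over an event list and return the alerts in order."""
    monitor = VelocityMonitor()
    alerts = []
    for ev in events:
        for alert in (check_ati(ev), monitor.check(ev)):
            if alert:
                alerts.append(alert)
    return alerts


# Constructed signaling events (not real traffic): a US home subscriber whose
# registration flips between the US and Germany within minutes, an ATI from a
# Russian GT, a legitimate ATI from a home GT, and a second subscriber whose
# US-to-India move takes 20 hours and should pass.
SAMPLE_EVENTS = [
    {"ts": "2016-04-30T00:10:00+00:00", "op": "updateLocation",       "imsi": "310410000000001", "orig_gt": "15551000001"},
    {"ts": "2016-04-30T00:15:00+00:00", "op": "updateLocation",       "imsi": "310410000000001", "orig_gt": "4917012345678"},
    {"ts": "2016-04-30T00:20:00+00:00", "op": "updateLocation",       "imsi": "310410000000001", "orig_gt": "15551000001"},
    {"ts": "2016-04-30T00:25:00+00:00", "op": "anyTimeInterrogation", "imsi": "310410000000001", "orig_gt": "79031234567"},
    {"ts": "2016-04-30T00:26:00+00:00", "op": "anyTimeInterrogation", "imsi": "310410000000001", "orig_gt": "15551000002"},
    {"ts": "2016-04-30T01:00:00+00:00", "op": "updateLocation",       "imsi": "310410000000002", "orig_gt": "15551000001"},
    {"ts": "2016-04-30T21:00:00+00:00", "op": "updateLocation",       "imsi": "310410000000002", "orig_gt": "919812345678"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Run as-is it prints three alerts: the two five-minute US/DE flips and the ATI from the Russian GT; the home-network ATI and the 20-hour move to India pass. The velocity rule keys on the country of the originating VLR GT rather than on the GT string itself, so a subscriber handed between two VLRs in the same country never trips it, and the state is advanced even when an alert fires so that the next comparison is always against the most recent registration.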


There’s not much you can personally do. You could try to protect your communications by using an encrypted service like Signal, WhatsApp or Skype, but McDaid says an attacker could send a request to your carrier to disable data use for your phone, preventing you from using these services.


“So all you’re left with then is text messages and phone calls if you’re in an area with no Wi-Fi,” he says, leaving you vulnerable to an SS7 interception attack.