Hackers have been known to use all manner of remote access tools to break into mobile phones, often by finding vulnerabilities in an operating system like Android or even in SIM cards. It’s more rare to try and tap into the network infrastructure that routes these calls for mobile operators themselves. Yet new research shows that one nefarious kind of network surveillance is happening too, across the world.
A survey of a handful of large mobile operators on each continent showed that hackers have been exploiting a key signalling protocol for routing cellular calls known as SS7, to track the location of certain mobile users and in some cases, listen in on calls.
Across a range of operators, 0.08% of SS7 packets being sent across a network in Africa were deemed suspicious. In Asia the rate was 0.04% and in the Americas it was 0.025%, according to research by Dublin based research firm Adaptive Mobile.
While these are low percentages they relate to the millions of SS7 packets being sent every day.
“That can add up to tens of thousands a day which can mean someone being tracked or some fraud transactions,” says Cathal Mc Daid, head of Adaptive Mobile’s cyber security unit. “These are low-volume, high-impact events.”
Location tracking is the most popular reason for exploiting the SS7 protocol, says Mc Daid. His team recorded 1,140 separate SS7 requests to track 23 unique subscribers over a two-day period, with some subscribers tracked many hundreds of times.
There are a handful of known players in the market for selling SS7 vulnerabilities.
One three-person startup called CleverSig was recently selling access to their “remote SS7 control system” for $14,000 to $16,000 a month. Their price was divulged when emails from the Italian information surveillance company Hacking Team were posted on the web.
Other network surveillance companies with names Circles (based in Bulgaria, according to Adaptive Mobile) and the Rayzone group, also operate within the grey area of selling access to their SS7 exploitation platforms to governments and other surveillance companies like Hacking Team.
The going rate for looking up someone’s physical location through the SS7 network, as advertised on the dark web, was about $150 about two years ago, according to Mc Daid. He expects that price hasn’t changed much since. “A lot of those offers have gone underground.” That is partly due to relatively recent press on SS7.
In late 2014 security researchers were reported by the Washington Post to have initially discovered the security flaws that could let hackers, governments and criminals intercept calls through the global SS7 network. Adaptive Mobile conducted its research through 2015 to show that the exploit wasn’t just theoretical but actually being carried out by hackers.
“The news is yes, we are seeing exploits in every operator in every part of the world,” says Mc Daid – though it should be stressed that his team partnered with just one operator per continent to get a representative sample.
Africa and the Middle East seemed to have to highest rates of exploitation, Mc Daid says, adding that he couldn’t name the operators who took part in the research due to agreements with the carriers. Mobile operators have been “surprised this is actually occurring within their networks,” he adds.
“It’s very serious,” says Mc Daid. “The SS7 networks is the cornerstone of how carrier operators work and tens of billions of dollars have been invested in network architecture around the world. It’s not going to be replaced overnight.”