SS7 is challenging to find info about, so I'll ask here:
How hard are these attacks to actually execute?
* Can someone with an SDR and no credentials start an attack?
* Do you need a femtocell registered with a carrier to attack SS7?
* Do you need to be a registered carrier to have the access required to attack a user?
The attacks described in the article assume the attacker is a nation-state, but is it possible for any random person with the right hardware to gain access to sensitive info via SS7?
That's far beyond keys to the server room; this is access to basically every phone on the network. For nearly a decade or so any kid in a mall kiosk has been able to pull off SIM cloning attacks. Yet we still use SMS as a second factor.
The attacks are trivially easy. You need almost nothing. These are digital protocols on the wire so a SIP trunk would give you the same access as a cellular modem. An SDR would overly complicate things. It's almost as if the SS7 protocol was designed to support use by governments for collection and cyber-warfare.
Neither a SIP trunk nor a cellular modem confers access to SS7, which is used internally between telcos and is limited to access only by those telcos. The majority of VoIP providers, SMS aggregators, and other telephone-adjacent companies do not have SS7 access either, as it is traditionally limited to wireline telcos, so they must contract a telco to perform those services for them. SS7 routing is strictly static and addresses are statically assigned, meaning that gaining unauthorized access to the network with a new device is usually not feasible (there would be no routes for traffic to reach it).
Instead, SS7 access is usually gained by either locating a crooked telco, or compromising a device within a telco.
While SS7 has essentially no security features, the primary security measure is the difficulty of accessing the SS7 network since it is entirely based on address management and routing by central authorities. This has been sufficient to slow the pace of SS7 vulnerabilities but not at all to stop them, as both crooked telcos and telcos with poor security practices can be found throughout the world.
SS7 is an old legacy standard that can be viewed in the same vein as DNS and its associated legacy and subsequent mitigations and improvements over the years. For more perspective, 2G came along decades later and had more thought put into it, which is why it used cutting-edge 56-bit encryption, which today is akin to plain text.
I did not mean to imply that there was a conscious effort to enable cyber-warfare when developing the SS7 protocols. What I meant was that it's so damn easy to do all of the mischievous things needed for cyber, that it sure seems like SS7 was made for that!
If you look at anything from the 70s, very, very few stand the test of time security-wise. The ethos of security has become more mainstream at a technology level, which sees today's technology surpassing the wildest dreams of technology back then, making many attack vectors that were non-viable even to state players back then consumer-accessible today.
Might be why I've grown to love and appreciate analogue systems that just work.
> For more perspective, 2G came along decades later and had more thought put into it, which is why it used cutting-edge 56-bit encryption, which today is akin to plain text.
It was not 56-bit, but 54-bit, not cutting edge even in the 80s. Remember that GSM's encryption was designed under the restriction of crypto regulations; weak security was deliberately used, just like how SSL had weak export ciphers thanks to the NSA. A few cryptographers behind GSM [0] have accused GCHQ and the NSA of sabotaging GSM's security, or at least acknowledged that the security was weakened due to political pressure.
> Jan Arild Audestad has been an employee of Telenor for many years and has also been a professor at Gjøvik University College and the Norwegian University of Science and Technology.
> — Originally we proposed that the encryption key length should be 128 bit, because we knew little about cryptographic systems, and how secure they were. The request was that the keys and algorithms should be secure for at least 15 years after the installation, Audestad says.
> Audestad says that the British were not very interested in having strong encryption. And after a few years, they protested against the high security level that was proposed. — They wanted a key length of 48 bit. We were very surprised. The West Germans protested because they wanted stronger encryption to prevent spying from East Germany. The compromise was a key length of 64 bit – where the last ten bits were set to zero. The result was an effective key length of 54 bit.
> Aftenposten has spoken to several people who together with Audestad co-operated on building the GSM network.
> One of them is Peter van der Arend from the Netherlands. He tells Aftenposten how he «fought» with the British about this case – especially in a meeting in Portugal.
> - The British argued that the key length had to be reduced. Among other things they wanted to make sure that a specified Asian country should not have the opportunity to escape surveillance.
> Van der Arend was very opposed to the British proposal.
> — The length was increased by the British – two bits at the time. They did not want to go further than 54 bits. And even though I argued against it, I eventually lost support from the others. And from that moment we had weaker security, and I am still angry about this.
> Thomas Haug, who was one of the most central persons in the making of GSM, also says that he was put under pressure by the British.
> — I was told by a British delegate that the British secret services wanted to weaken the security so they could eavesdrop more easily.
> Michel Mouly from France was one of the other central people in the making of GSM. He cannot confirm that the British were pushing for weaker encryption. But he confirms that the encryption was not as strong as planned, due to political pressure. Mouly also confirms that it would have been technologically possible to have much stronger encryption than what the result became.
Or have connections / bribery access to someone who does. In places where corruption is endemic, one can imagine this as a regular side biz for telco employees.
SS7 is only one access vector of the kill chain. This company and their solutions infect iPhone and Android telephones. The Circles solution is put at telecom headquarters thanks to autocratic governments, for spying. Circles becomes an authorised SS7 sender or recipient because it acts like a telco at the telco access point {no need for rogue access if you are the telco}. SS7 can tell whether the target is in the country, or the target is in another country but on a national telecom network {for instance, the German company T-Mobile has a network in France}. Once it is confirmed the target is in the country, the attacker has many options; the most common is asking the target phone where it is located {baseband processor: not detected by the target}, intercepting phone calls {not detected}, intercepting text messages {not detected; used for two-factor authorisation interception}, sending the target a message that looks like a friend sent it {with a virus link}.[1] Telecoms in Western countries do not accept SS7 from Eastern countries where the target is not currently travelling. This is an old SS7 attack and there are many commercial SS7 firewalls to prevent the attack[2]. A femtocell is another Circles product, for when close access is required because there is no telecom access, or for secret police units. Same function. When the attacker can't use the cell network {because the target is opsec}, Circles uses information leaks from many secure messaging platforms. The message is encrypted, but the target metadata is not encrypted, and can be enumerated from the secure message provider {e2e platforms are good at encryption, but bad at privacy opsec.} Circles knows when the target is online, if the target read the message, when the target is typing, etc etc etc. More of this information is good for more targeting for NSO Group {email virus, secure message virus, sexy girl, new job, parcel delivery, etc etc etc}
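As an added illustration of the roaming plausibility check that the comment above says SS7 firewalls perform (this is example code, not from the post or from any vendor): a toy filter that accepts subscriber interrogations over the interconnect only when they arrive from the network the subscriber is currently registered in, as the home network's own location records say. The log line format, country table, IMSIs, Global Titles and the choice of which MAP operations count as "roaming-only" are all constructed for the example; a real firewall applies more checks than this one.

```python
"""Toy plausibility filter for MAP requests arriving over an SS7 interconnect.

Constructed example: the log line format, the subscriber registry and the
decision labels are simplified stand-ins for what a commercial SS7 firewall
does. Nothing here speaks real SS7; it only shows the logic of the check.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed: E.164 country codes (leading digits of a Global Title) -> country.
COUNTRY_OF_CC: Dict[str, str] = {"49": "DE", "33": "FR", "44": "GB", "7": "RU"}

# MAP operations that interrogate the home network about a subscriber. A foreign
# network has a legitimate reason to send these only while the subscriber is
# registered in it. The names are standard MAP operation names; treating exactly
# this set as "roaming-only" is this example's simplification.
ROAMING_ONLY_OPS = {"provideSubscriberInfo", "sendRoutingInfoForSM", "anyTimeInterrogation"}


@dataclass(frozen=True)
class MapRequest:
    calling_gt: str  # Global Title of the sending node, digits only
    op: str          # MAP operation name
    imsi: str        # subscriber the request concerns


def country_of_gt(gt: str) -> Optional[str]:
    """Resolve a Global Title to a country by its longest matching country code."""
    for cc in sorted(COUNTRY_OF_CC, key=len, reverse=True):
        if gt.startswith(cc):
            return COUNTRY_OF_CC[cc]
    return None


def parse_line(line: str) -> MapRequest:
    """Parse one constructed log line: 'calling_gt=<digits> op=<name> imsi=<digits>'."""
    fields = dict(token.split("=", 1) for token in line.split())
    return MapRequest(fields["calling_gt"], fields["op"], fields["imsi"])


def evaluate(req: MapRequest, registry: Dict[str, str]) -> Tuple[str, str]:
    """Return (decision, reason) for one request.

    `registry` maps IMSI -> country of the network the subscriber is currently
    registered in; the home network knows this from its own location records.
    """
    if req.op not in ROAMING_ONLY_OPS:
        return "pass", "operation not subject to the roaming check"
    origin = country_of_gt(req.calling_gt)
    if origin is None:
        return "reject", "calling Global Title maps to no known country"
    current = registry.get(req.imsi)
    if current is None:
        return "reject", "request concerns an unknown subscriber"
    if origin != current:
        return "reject", f"subscriber is registered in {current}, request came from {origin}"
    return "accept", f"subscriber is registered in {current}"


def filter_log(lines: List[str], registry: Dict[str, str]) -> List[Tuple[str, str]]:
    """Run the check over constructed log lines, one decision per line."""
    return [evaluate(parse_line(line), registry) for line in lines]


# Constructed sample: a German home network (MCC 262) with one subscriber
# roaming in France and one at home.
REGISTRY = {"262011234567890": "FR", "262019876543210": "DE"}
SAMPLE_LOG = [
    "calling_gt=33612345678 op=sendRoutingInfoForSM imsi=262011234567890",  # FR asks about FR roamer
    "calling_gt=79161234567 op=provideSubscriberInfo imsi=262011234567890",  # RU asks about FR roamer
    "calling_gt=79161234567 op=anyTimeInterrogation imsi=262019876543210",   # RU asks about home subscriber
    "calling_gt=491701234567 op=updateLocation imsi=262011234567890",        # not covered by this check
    "calling_gt=99912345678 op=provideSubscriberInfo imsi=262011234567890",  # origin not resolvable
]

if __name__ == "__main__":
    for line, (decision, reason) in zip(SAMPLE_LOG, filter_log(SAMPLE_LOG, REGISTRY)):
        print(f"{decision:6s} {reason:55s} <- {line}")
```

Running the file prints one decision per sample line: the French request about the roamer in France is accepted, both Russian requests are rejected because neither subscriber is registered there, the updateLocation line passes untouched because this particular check does not cover it, and the request from an unresolvable Global Title is rejected outright. The point of the design is that the decision keys on state only the home network holds (where it last registered the subscriber), which an interconnect peer cannot forge simply by sending a well-formed message.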