What is the SS7 system and why can it be used to eavesdrop on Donald Trump's iPhone?

The SS7 system connects telecom operators around the world, and unfortunately, vulnerabilities that have existed in it for more than 20 years can be exploited to eavesdrop on anyone.

On Wednesday, the New York Times reported that US President Donald Trump often used a personal iPhone with no security modifications to communicate with friends, as well as two other iPhones whose security had been modified by the NSA.

According to the Times report, unnamed White House officials said Mr. Trump had been repeatedly warned that calls on his device were not secure and that 'Chinese spies regularly eavesdrop on them.'

Last year, the US Department of Homeland Security found that mobile devices create a serious weakness in the information security of government employees. In particular, the report identified SS7 (Signaling System 7), a protocol used by telecommunications companies to coordinate how they route smartphone data and calls around the world, as a potential threat.

Although the Times report did not describe the mechanism used to eavesdrop on Mr. Trump's calls, there is strong reason to believe that it was related to SS7, which has been used many times in the past to spy on Americans and overseas government officials.

So what is SS7?

In 1980, the International Telecommunication Union (ITU) established Signaling System 7 as the standard international protocol for telephone signaling. Signaling is the technical term for the information passed to the network to route a call; dialing a phone number, for example, is a form of signaling. When SS7 was approved as a standard protocol for phone call routing, it marked a revolution in calling.

Before SS7, signaling information was sent on the same channel as the call: the user dialed a number (signaling) and then talked on that same channel. SS7, by contrast, set up separate channels for signaling and for the call itself. This not only greatly increased the data transfer rate, but also allowed signaling to be sent at any point during a call, instead of only at the beginning, improving the quality and stability of the call.

Figure: Signal exchange points in the SS7 protocol.

But in the new era, weaknesses in the SS7 protocol began to appear. The main problem with the SS7 network is that it treats all information sent over the network as valid. Therefore, if bad guys gain access to the network, they can take advantage of the system's trust to manipulate or interfere with the signaling information being sent.

In 1999, the Third Generation Partnership Project (3GPP), which standardizes telecommunications network technologies, issued a warning about vulnerabilities in SS7.

'The problem with the current SS7 system is that messages can be changed, added or deleted in an uncontrolled way in the global SS7 network.' The 3GPP organization also emphasized that in the past SS7 signaling was carried between a relatively small number of telecom operators, making it more feasible to control access to this channel.

SS7's designers did not anticipate the explosive growth of the internet and mobile networks, which led to the emergence of small operators connecting to this backbone of the telecommunications network.

Instead of just a few large companies and telecommunications organizations carefully guarding their SS7 entry points, there are now tens of thousands of entry points for network operators, including organizations with poor security. This poses risks for the entire system.

The 3GPP organization concluded in its report: 'There is no adequate security measure in SS7. Mobile operators need to protect themselves from hacker attacks and reckless actions that can make the network work wrong or stop working.'

What can hackers and spies use SS7 to do?

Although SS7 security issues were first discovered more than two decades ago, very little effort has been made to correct them. In fact, the telecommunications industry has done everything possible to avoid having to address SS7's vulnerabilities, even though the system has been expanded to track which cell towers a phone is using in order to perform roaming when users leave their mobile provider's network.

According to an article in Wired, the telecoms industry has not fixed SS7's vulnerabilities because many network operators 'assume that those risks are theoretical.' In fact, according to the 3GPP report, until 2000 there had been no intentional attack on SS7.

But in 2008, at the Chaos Communication Conference, a hacker conference in Germany, security researcher Tobias Engel demonstrated locating an individual's mobile phone using SS7. In 2014, he gave another demonstration, suggesting that SS7 could be used to locate and track mobile users and to manipulate their calls. Engel also emphasized that it is easy to do.

That same year, Assistant Secretary of State Victoria Nuland was recorded during a call with the US Ambassador in Ukraine. According to a report by a Ukrainian telecommunications network, the call took place on a regular telecommunications network and was intercepted and rerouted to a telephone line in St. Petersburg, Russia. Although there is no claim that an SS7 vulnerability was used to interfere with the call, its details indicate that this is highly likely.

At this point, it is clear that the risk of an SS7 attack is no longer theoretical. Despite that, the telecommunications industry is still delaying the security measures needed to close the holes in SS7.

Is it possible to fix vulnerabilities in SS7?

On the 60 Minutes program in 2016, two German hackers demonstrated an attack on SS7 by eavesdropping on Senator Ted Lieu's call on an iPhone (with his authorization). Moreover, they could identify the hotel where Mr. Lieu had stayed the night before, even with GPS navigation turned off on the phone.

Given the risks to national security and personal privacy posed by the increasing number of SS7 vulnerabilities, in 2016 the Federal Communications Commission of the United States established a team to research this issue, which released its report in early 2017.

According to that report, one possible solution is to abandon the SS7 network and switch to a newer signaling protocol. One such protocol is Diameter, developed in the late 90s to authenticate information sent through computer networks.

While the FCC admits that 'Diameter has certain capabilities to make it harder to attack,' it cannot ignore the fact that it 'could lead to new vulnerabilities.' Indeed, many researchers have found ways to exploit Diameter just as with SS7.

Another solution is for telecommunications networks to develop a 'circle of trust', a system that evaluates the reliability of incoming messages based on the type of information they carry and where the message originated. Finally, the FCC recommends that telecom operators support encryption for their users.
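
The 'circle of trust' idea can be sketched as a screening function that judges each incoming message by its type and its claimed origin. This is an added example, not code from the FCC report or any operator; the message types, network prefixes and subscriber records are all constructed for illustration.

```python
from dataclasses import dataclass

HOME = "99901"                    # constructed prefix of our own network
PARTNERS = {"99902", "99903"}     # constructed prefixes of roaming partners

# Illustrative message types mapped to who may originate them.
POLICY = {
    "subscriber_location_query": "home_only",    # internal use, never valid from outside
    "subscriber_status_report": "serving_only",  # only from the network serving the subscriber
    "sms_routing_query": "partner",              # any operator inside the circle of trust
}

# Constructed state: network each subscriber is currently registered in.
SERVING = {"sub-001": "99902", "sub-002": "99901"}

@dataclass
class Msg:
    kind: str        # type of information the message carries
    origin: str      # claimed originating address
    link: str        # "internal" or "interconnect"
    subscriber: str

def screen(msg: Msg) -> tuple[str, str]:
    """Return (verdict, reason) for one incoming message."""
    rule = POLICY.get(msg.kind)
    net = msg.origin[:5]
    if rule is None:
        return "reject", "unknown message type"          # default deny
    if msg.link == "interconnect" and net == HOME:
        return "reject", "home address on external link"  # claimed origin is implausible
    if rule == "home_only":
        if msg.link == "internal" and net == HOME:
            return "accept", "internal query"
        return "reject", "type not allowed from outside"
    if net != HOME and net not in PARTNERS:
        return "reject", "origin outside circle of trust"
    if rule == "serving_only" and SERVING.get(msg.subscriber) != net:
        return "reject", "origin is not the serving network"
    return "accept", "type and origin consistent"

# Constructed sample traffic.
SAMPLES = [
    Msg("subscriber_location_query", "9990100001", "internal", "sub-001"),
    Msg("subscriber_location_query", "9990200007", "interconnect", "sub-001"),
    Msg("subscriber_status_report", "9990200007", "interconnect", "sub-001"),
    Msg("subscriber_status_report", "9990300004", "interconnect", "sub-001"),
    Msg("sms_routing_query", "9980000001", "interconnect", "sub-002"),
    Msg("sms_routing_query", "9990100001", "interconnect", "sub-002"),
]
```

Calling `screen()` on each entry of `SAMPLES` shows that the same message type is accepted or rejected depending on where it claims to come from, which is exactly the check the original SS7 trust model lacks.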

When you make a call, whether on a fixed or mobile phone, it is not encrypted end to end. Signals are usually only encrypted at many points on their journey, but they are not protected on most networks. Therefore, the FCC recommends that mobile users use commercial encryption services such as Signal, WhatsApp or Tor.

Perhaps we will never know for sure whether the SS7 network was exploited to eavesdrop on Mr. Trump, but certainly an iPhone that has not been modified for security and is used on ordinary commercial telecommunications networks is potentially a tempting target for hackers or spies around the world.