The BBC recently published an article about an FBI announcement on cyber attacks, which contained recommendations for athletes attending the Beijing Olympics.
Strangely, though, the article (https://www.bbc.co.uk/news/technology-60215250) doesn't cover the main reason why this is being suggested.
A sizeable chunk of my technology and security career was spent in one of the major mobile telecommunications companies in the UK, and for a period of time I chaired the industry group looking at this exact subject. What subject is that, I hear you ask? That would be mobile signalling: especially a protocol called SS7 (Signalling System No. 7).
What is SS7?
When you make a phone call, your voice travels over something called the 'User Plane'. The way the networks are able to route your voice calls and SMS messages is by using signalling that travels over the 'Control Plane', which is invisible to you. One of the protocols used is called SS7, and it is completely ubiquitous among telecoms networks. Whilst there are newer protocols used in 4G and 5G (Diameter in the 4G core, HTTP/2-based service interfaces in the 5G core), to maintain roaming and interworking with the entire world a network must still support SS7 signalling. I say this upfront because I suspect someone will read this as "well, just upgrade to X" – and it's just not that simple.
The SS7 protocol is now over 40 years old, and was created at a time when only a handful of telecoms networks were expected to be connected, all of which would implicitly trust one another. The upshot is that messages exchanged between networks often contain sensitive information which, in today's world, we'd never permit. Commands in the protocol also allow a remote network to do things we'd never want it to do!
SS7 attacks have had some coverage in the mainstream media, as they have led to some individuals having their bank accounts cleared out. In this scenario an attacker already has sufficient information to access the victim's bank account, but needs the "One Time Passcode" (OTP) sent by SMS to complete a wire transfer. To achieve this, the attacker has purchased access to an SS7 interconnect and, using SS7 MAP (Mobile Application Part) messages, convinced the home network that the victim's phone is somewhere else – routing SMS messages to an attacker-controlled device.
The attack requires some information that a remote network really shouldn't be able to see. Our friendly SS7 protocol hands that data over all too easily, though. The MAP operation "SRI_for_SM" (Send Routing Information for Short Message) is used to ask the home network where to deliver an SMS for a given phone number. On receipt of such a message, the home network replies to the remote network with sensitive data: the subscriber's IMSI (International Mobile Subscriber Identity) and the address of the switch (MSC/VLR) currently serving them. The IMSI is a number of up to 15 digits (mobile country code, mobile network code and a subscriber number) that uniquely identifies every subscription on the network. Once in possession of this value, a remote network can perform all kinds of attacks – including telling the home network that the subscriber is actually elsewhere.
There are a number of controls that a network can implement to prevent this type of attack. Two of those (which are implemented as a pair) are called IMSI scrambling and Home Routing. In simple terms, this means your home network takes charge of the 'last-mile' delivery of a message itself, rather than handing the remote network sensitive information about you so that it can do the delivery. It works by answering the SRI_for_SM with a single-use, scrambled IMSI (a correlation identifier in the home network's own numbering range) and the address of the home network's own SMS router instead of the real serving switch. When the SMS arrives at that router, the scrambled IMSI is mapped back to the real subscriber and the message is delivered onward; the real IMSI never leaves the home network, and the scrambled value is useless for any other MAP operation.
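The difference between the two behaviours is easiest to see in code. The following is an added example, not code from the original post or from any operator: a toy HLR that answers SRI_for_SM with and without Home Routing, plus an UpdateLocation handler to show why a scrambled IMSI is useless to the sender. The home network code (234 15), the global titles, the MSISDN and the IMSI are all constructed, and the HLR and SMS router are collapsed into one object for brevity.

```python
"""
Simulated HLR handling of MAP SendRoutingInfoForSM (SRI-for-SM) with and
without SMS Home Routing / IMSI scrambling. Added example; the network
codes, global titles, MSISDN and IMSI below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict
import secrets

HOME_MCC_MNC = "23415"          # constructed home network: MCC 234 + MNC 15
SMS_ROUTER_GT = "441234000001"  # constructed global title of the home SMS router


def valid_imsi(imsi: str) -> bool:
    """IMSI = MCC (3 digits) + MNC (2-3 digits) + MSIN; at most 15 decimal digits."""
    return imsi.isdigit() and 6 <= len(imsi) <= 15


@dataclass
class Subscriber:
    msisdn: str
    imsi: str
    serving_msc: str   # global title of the MSC/VLR currently serving the subscriber


@dataclass
class HLR:
    subscribers: Dict[str, Subscriber]                          # msisdn -> record
    home_routing: bool = False
    correlations: Dict[str, str] = field(default_factory=dict)  # scrambled IMSI -> msisdn

    def sri_for_sm(self, msisdn: str) -> Dict[str, str]:
        """Answer an SRI-for-SM from any interconnect partner (the query carries only the MSISDN)."""
        sub = self.subscribers[msisdn]
        if not self.home_routing:
            # Legacy behaviour: the real IMSI and the real serving node go back to the sender.
            return {"imsi": sub.imsi, "network_node_number": sub.serving_msc}
        # Home routing: mint a single-use correlation IMSI in the home network's own
        # range (never colliding with a real one) and name the home SMS router as the
        # "serving node", so the sender must hand the message back to us.
        while True:
            fake = HOME_MCC_MNC + "".join(secrets.choice("0123456789") for _ in range(10))
            if fake not in self.correlations and all(s.imsi != fake for s in self.subscribers.values()):
                break
        self.correlations[fake] = msisdn
        return {"imsi": fake, "network_node_number": SMS_ROUTER_GT}

    def update_location(self, imsi: str, new_msc: str) -> bool:
        """MAP UpdateLocation from a (claimed) visited network: re-points the subscriber."""
        for sub in self.subscribers.values():
            if sub.imsi == imsi:
                sub.serving_msc = new_msc
                return True
        return False   # a correlation IMSI matches no real subscriber

    def deliver_mt_sms(self, imsi_from_sri: str, text: str) -> str:
        """Home SMS router: resolve the correlation IMSI and do the last-mile delivery itself."""
        msisdn = self.correlations.pop(imsi_from_sri)   # single use
        sub = self.subscribers[msisdn]
        return f"MT-ForwardSM -> {sub.serving_msc} (IMSI {sub.imsi}): {text}"


def build_demo_hlr(home_routing: bool) -> HLR:
    """One constructed subscriber, currently served by a home-network MSC."""
    sub = Subscriber("447700900123", "234150000000001", "447700000099")
    return HLR({sub.msisdn: sub}, home_routing=home_routing)


def demo() -> Dict[str, object]:
    results: Dict[str, object] = {}
    # Without home routing the sender learns the real IMSI and can re-point the subscriber
    # at a switch it controls, so the next SMS (the OTP) is routed there.
    hlr = build_demo_hlr(home_routing=False)
    leaked = hlr.sri_for_sm("447700900123")
    results["leaked_imsi"] = leaked["imsi"]
    results["rerouted"] = hlr.update_location(leaked["imsi"], "8613800000001")  # constructed remote GT
    results["otp_now_goes_to"] = hlr.sri_for_sm("447700900123")["network_node_number"]

    # With home routing the sender gets a correlation IMSI that UpdateLocation rejects,
    # and the home network delivers the message itself.
    hlr = build_demo_hlr(home_routing=True)
    scrambled = hlr.sri_for_sm("447700900123")
    results["scrambled_imsi"] = scrambled["imsi"]
    results["reroute_with_scrambled"] = hlr.update_location(scrambled["imsi"], "8613800000001")
    results["delivered"] = hlr.deliver_mt_sms(scrambled["imsi"], "Your OTP is 123456")
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running `demo()` shows the two outcomes side by side: in the legacy case the real IMSI leaks and `update_location` succeeds, so the serving node for the next SMS becomes the remote party's switch; with home routing the sender only ever sees a 15-digit value in the home network's range that no real subscriber owns, and delivery happens from the home SMS router to the real serving MSC.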
What attacks exist?
The possibilities are pretty horrific, if I'm honest. Everything from being able to reroute voice calls and SMS messages, to being able to listen in to calls, to finding out the actual location of a user. That last one is possibly the one that people would get most uncomfortable about. All of these attacks – every one – start with knowing the IMSI. Once an attacker has a user's IMSI, that's it – game over.
So how does all this fit in with the advice about a temporary phone?
Let's be clear: it's not just a temporary phone. It's a temporary phone contract (SIM) too. If you put your usual SIM card into a cheap phone and take that with you, you've done little to protect yourself, because the identity that matters (the IMSI) lives on the SIM, not the handset.
When you travel to a foreign country, the network you connect to learns your IMSI as part of registering you as a roamer (and usually your handset's identity, the IMEI, as well). And if you've been paying attention, that's very bad news, as a company outside of your own trusted network now holds exactly the information needed to target you. If we assume the Chinese Government has full access to all the data on their mobile networks, you can quickly see how this goes wrong for people.
Nobody is suggesting, directly, that the Chinese would target athletes. It would be fair to assume the worst though.
Why can’t my network protect me?
Chances are your home network already has some level of protection in place to defend against the most common attacks. Messages that fall into "Category 1" in the GSMA's interconnect security guidance (FS.11) – messages which should never be received from a remote network at all – are largely blocked by operators these days. Home Routing and IMSI scrambling are also common.
Protecting against the more sophisticated attacks (Cat 2 and Cat 3), though, is extremely tricky. Category 2 messages are legitimate only when they come from the network currently serving the subscriber, and Category 3 messages are legitimate from any roaming partner but only in a plausible context: a location update from a country thousands of miles away, minutes after the subscriber was seen at home, is not plausible. Enforcing either rule requires the home network to track each subscriber's current context (where they are, who is serving them, and when that last changed) and check every message against it. None of this was considered when 2G and 3G networks were built, and retrofitting it is problematic and expensive.
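To make the Cat 1 / Cat 2 / Cat 3 distinction concrete, here is an added example (not the post's code, nor any vendor's signalling firewall): a toy interconnect filter that classifies a few MAP operations by category and keeps per-subscriber context so it can apply the "is the sender the serving network?" and "could the subscriber plausibly have moved that far that fast?" checks. The operation codes are the MAP values from 3GPP TS 29.002; the category assignments are a deliberately simplified version of the GSMA scheme, and the global-title prefixes, travel times and the message sequence are constructed for the demonstration.

```python
"""
Toy SS7/MAP interconnect firewall showing why Category 2 and Category 3
filtering needs per-subscriber context. Added example; simplified
categories, constructed global titles, travel times and messages.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# MAP operation codes (3GPP TS 29.002).
UPDATE_LOCATION = 2
CANCEL_LOCATION = 3
PROVIDE_ROAMING_NUMBER = 4
SEND_AUTHENTICATION_INFO = 56
SEND_IMSI = 58
PROVIDE_SUBSCRIBER_INFO = 70
ANY_TIME_INTERROGATION = 71

# Simplified GSMA-style categories (real firewalls classify many more operations).
CAT1 = {ANY_TIME_INTERROGATION, SEND_IMSI}                          # never expected over interconnect
CAT2 = {PROVIDE_SUBSCRIBER_INFO, PROVIDE_ROAMING_NUMBER, CANCEL_LOCATION}  # only from the serving network
CAT3 = {UPDATE_LOCATION, SEND_AUTHENTICATION_INFO}                  # legitimate when roaming, needs plausibility

# Constructed: SCCP global-title country-code prefix -> country.
GT_COUNTRY = {"44": "GB", "86": "CN", "33": "FR"}
# Constructed: minimum plausible travel time in hours between countries.
MIN_TRAVEL_HOURS = {
    frozenset({"GB", "CN"}): 9.0,
    frozenset({"GB", "FR"}): 0.5,
    frozenset({"CN", "FR"}): 9.0,
}


def country_of(gt: str) -> Optional[str]:
    for prefix, cc in GT_COUNTRY.items():
        if gt.startswith(prefix):
            return cc
    return None


@dataclass
class Context:
    serving_gt: str     # MSC/VLR that last successfully registered the subscriber
    country: str
    last_update: float  # hours, relative to the start of the demo


@dataclass
class Msg:
    opcode: int
    calling_gt: str     # SCCP calling-party global title of the sender
    imsi: str
    t: float            # hours


class InterconnectFirewall:
    def __init__(self) -> None:
        self.ctx: Dict[str, Context] = {}   # the subscriber context Cat 2/3 checks depend on

    def check(self, m: Msg) -> Tuple[str, str]:
        """Return (verdict, reason) and update context on an accepted location update."""
        if m.opcode in CAT1:
            return "BLOCK", "cat1: never legitimate from an interconnect partner"
        ctx = self.ctx.get(m.imsi)
        if m.opcode in CAT2:
            if ctx is None or ctx.serving_gt != m.calling_gt:
                return "BLOCK", "cat2: sender is not the subscriber's current serving network"
            return "ALLOW", "cat2: from the current serving network"
        if m.opcode in CAT3:
            src = country_of(m.calling_gt)
            if src is None:
                return "BLOCK", "cat3: unknown origin"
            if ctx is not None and ctx.country != src:
                needed = MIN_TRAVEL_HOURS.get(frozenset({ctx.country, src}), 0.0)
                elapsed = m.t - ctx.last_update
                if elapsed < needed:
                    return "BLOCK", f"cat3: {ctx.country}->{src} in {elapsed:.1f}h, needs {needed}h"
            if m.opcode == UPDATE_LOCATION:
                self.ctx[m.imsi] = Context(m.calling_gt, src, m.t)
            return "ALLOW", "cat3: plausible for a roaming subscriber"
        return "ALLOW", "uncategorised here: pass to the HLR (e.g. SRI-for-SM under home routing)"


def run_demo() -> List[Tuple[str, str]]:
    """Constructed message sequence for one subscriber, returned as (verdict, reason) pairs."""
    fw = InterconnectFirewall()
    imsi = "234150000000001"
    script = [
        Msg(ANY_TIME_INTERROGATION, "8613800000001", imsi, 0.0),   # location query from abroad
        Msg(UPDATE_LOCATION, "447700000001", imsi, 0.0),           # subscriber registers at home (GB)
        Msg(PROVIDE_SUBSCRIBER_INFO, "447700000001", imsi, 0.2),   # serving network asks: fine
        Msg(PROVIDE_SUBSCRIBER_INFO, "8613800000001", imsi, 0.3),  # non-serving network asks: blocked
        Msg(UPDATE_LOCATION, "8613800000001", imsi, 0.5),          # "now in CN" 30 minutes later
        Msg(UPDATE_LOCATION, "8613800000001", imsi, 12.0),         # 12 hours later: a real flight
        Msg(PROVIDE_SUBSCRIBER_INFO, "8613800000001", imsi, 12.1), # now the serving network: fine
    ]
    return [fw.check(m) for m in script]


if __name__ == "__main__":
    for verdict, reason in run_demo():
        print(verdict, reason)
```

Note what the filter cannot do without the `Context` table: the fourth and seventh messages are byte-for-byte identical apart from their timestamps, and the only thing that makes one hostile and the other legitimate is what the home network knows about where the subscriber is right now. That state is exactly what legacy HLR-based cores were never built to expose to an edge filter, which is why Cat 2 and Cat 3 enforcement lags so far behind Cat 1 blocking.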
What should I do?
This all depends on your threat model. If you are likely to be targeted by a foreign nation, you should never take your phone abroad. You should travel with a burner phone and a separate SIM/contract, which you do not activate anywhere near where you live.
If you work in the local Primark and have no reason to suspect a criminal gang would target you, then for the most part I’d say travelling with your usual device is not a problem.
Only you can know what is right for you.
SS7 isn't going anywhere soon, so it's something we'll be dealing with for many years to come. Stay safe!