SS7: Locate. Track. Manipulate [video]

streaming.media.ccc.de

125 points by moe 11 years ago

Tobias Engel demonstrates (amongst other things):

* How to find out the phone numbers of nearby cellphones

* How to track the location of a cellphone that you only know the phone number of

* How to intercept outgoing calls of nearby cellphones

moe 11 years ago

Actual talk starts at 00:16:00 into the video.

Tobias Engel demonstrates (amongst other things):

* How to find out the phone numbers of nearby cellphones

* How to track the location of any cellphone worldwide that you only know the phone number of

* How to intercept outgoing calls of nearby cellphones (to record and/or re-route to a different number)

dsl 11 years ago

I've learned more about how to efficiently seat people in an auditorium than I ever needed to know.

But on a serious note, conference organizers should pay close attention to how CCC does stuff and replicate it. The pre-talk on-screen information is amazing and useful.

  • s3nnyy 11 years ago

    I've only attended two talks today - could you explain what you mean?

wirefloss 11 years ago

All TDM and Sigtran signaling links of the world-wide SS7 network are configured manually peer-to-peer. The signaling traffic, including SMS texts, travels mostly unencrypted. Hence it's next to impossible to get a real SS7 pcap log (requires an NDA), let alone access to the SS7 network, unless you work with a network operator.

  • moe 11 years ago

    "it's next to impossible to get access to the SS7 network"

    Tobias claims the opposite in the video. He says you can easily rent access from a carrier (e.g. Verizon) or buy a femtocell[1][2].

    Both approaches seem rather affordable ("hundreds of dollars").

    [1] http://en.wikipedia.org/wiki/Femtocell

    [2] http://www.thinksmallcell.com/Examples/where-can-i-buy-a-fem...

    • at-fates-hands 11 years ago

      Apparently the attack vector is pretty small considering:

      http://www.digitaltrends.com/mobile/femtocell-verizon-hack/

      Fortunately for Verizon customers, the company has since issued a patch to all affected femtocells. Sprint currently offers a femtocell that is similar to the vulnerable models from Verizon, but the company has said it plans to discontinue the device. And while AT&T also offers femtocells, it requires an extra level of authentication that makes much of the iSEC Partner’s findings irrelevant. Still, says Ritter, the femtocell vulnerability is a major problem.

      And

      Ritter suggests that all carriers that offer femtocells require owners to provide a list of approved devices that are allowed to connect to their femtocell. And also prevent customers’ cell phones from connecting to any unauthorized femtocell.

      • moe 11 years ago

        Pretty small?

        Verizon was just used as an example here, the same attack vector applies to every mobile carrier in the world.

        • wirefloss 11 years ago

          The Verizon vuln referenced above seems to have nothing to do with SS7. The femtocell is rooted, and only cell phones in close proximity are vulnerable. I thought the presentation in Hannover deals with a much broader issue. And yes, a femtocell may potentially be a gateway to the remote hacking of MSC, HLR, etc. Unfortunately I have not seen the presentation, so I can't be sure what it's about.

        • wirefloss 11 years ago

          I finally found a way to watch the presentation (BTW it's good), and the author mentions femtocell hacking as "if you hack femtocells you _may_ have a chance to have access to SS7", or something like that, i.e. very uncertain. He emphasizes a different method -- getting a "global title". That's what I meant in my original comment -- you have to join the telco club, and that is not trivial.

  • tdullien 11 years ago

    The traditional way of dealing with this from a computer crime perspective is to bribe a few officials in a third-world country, buy one basestation, and become a mobile operator there.

    • wirefloss 11 years ago

      Yep. I tried to avoid mentioning this in polite company :).

sounds 11 years ago

Should be easy to transcode using VLC and post on YouTube, anyone not on Comcast able to do that for the rest of us?

Timmmmmm 11 years ago

This is pretty shocking. Shame it is technical enough that it will probably not become mainstream news.

  • spacefight 11 years ago

    It has. 4 out of 4 network operators in Germany closed (some of) the gaping holes already.

    One brave network engineer even came forward to complete that list (2/4 -> 4/4) after the talk of Karsten Nohl.