What is the SS7 protocol?
SS7 stands for Signalling System Number 7.
SS7 is a set of protocols that mobile phone networks use to exchange data for processing voice calls and text messages.
It is also used to ensure that the customer is billed the correct amount according to their specific tariff.
SS7 allows users on a network in their home country to roam on another network when visiting a foreign country.
Although it was used in the US since the mid-70s, SS7 became the international standard in 1998 and the latest version was released as long ago as the early 90s. It’s still the same standard that mobile phone networks use today.
SS7 vulnerable to attack
SS7 has come under intense criticism as it remains vulnerable to attacks by fraudsters and criminal gangs.
This security weakness potentially allows hackers to listen to voice calls and read text messages, including accessing SMS OPTP codes.
The flaw which could allow security forces to snoop on conversations and texts could also provide access to location data and the ability to forward and record voice calls.
How do cyber criminals hack SS7?
The tools needed to hack SS7 are alarmingly simple and easy to access.
To successfully hack SS7, criminals would need a computer running Linux and a free to download copy of the SS7 SDK.
Armed with these simple tools hackers can exploit SS7 by convincing mobile networks that they are a network subscriber and intercept voice and data.
With access to text messages, bank security and other 2fa codes (2 factor authentication) can be intercepted which can be used to access victims’ bank accounts.
What are the risks of my phone being hacked?
The risk of your phone being hacked is very small indeed. There are billions of phones worldwide and the chances of you being targeted are tiny.
Even if your phone was targeted, it’s extremely unlikely that the data could be used to access your bank account or other valuable details.
Criminals are likely to attempt to hack high profile or wealthy individuals where the potential gains of a successful hack are greatest.
Is the SS7 weakness going to be fixed?
Since the weaknesses in ss7 security were highlighted, mobile phone networks and The GSMA have set up monitoring services to try and detect unusual activity that might predict hacking attempts.
Contractors have also been deployed to help in the battle against ss7 hacking. The contractors being used include security expert Karsten Noh who originally discovered and exposed the whole issue in 2014.
Fixing the issue would be technically and logistically very challenging, so networks are choosing to focus on customer education.
The onus, it seems, is on the consumer to pay more attention to how they are using their phone, rather than the networks to fix a service that is not currently fit for purpose.
Is SMS encrypted? Is SMS safe to use? Can it be hacked? What are the risks?
A guide to 2fa SMS (two-factor authentication) Most companies use 2fa, this guide explains all.
SMS OTP - A guide for 2022 - One time passwords by text - here's all you need to know