It’s impossible to imagine life without smartphones. Everything about our lives can now be contained in the palm of our hand. Personal details, professional contacts, banking details, photos, medical data, it’s all there, so you’d expect your smartphone to be secure. But in this special investigation, Ross Coulthart discovers we are facing the biggest threat to our privacy that the world has ever seen. The sensitive data contained on our phones is in fact open for anyone to see. Anyone in the know can bug or track your phone, from anywhere in the world. It’s long been the dirty little secret of international espionage, but now, organised crime, commercial spies and potential terrorists are exploiting this security loophole for their own gain. How it’s done has never been revealed before. In a world exclusive, 60 Minutes goes inside the world of hackers and spies to expose just how vulnerable we all are. This is the end of privacy as we know it.
Reporter: Ross Coulthart
Producer: Stephen Rice
by Ross Coulthart, reporter, 60 Minutes, @rosscoulthart
A massive security hole in modern telecommunications is exposing billions of mobile phone users in the world to covert theft of their data, bugging of their voice calls, and geo-tracking of their location by hackers, fraudsters, rogue governments and unscrupulous commercial operators using hundreds of online portals across the planet.
In a world-first, 60 Minutes has proven the worst nightmares of privacy advocates around the world: that mobile phone calls and data are wide open to interception because of flaws in the architecture of the signalling system – known as SS7 – used to enable mobile phone roaming across telecommunications providers. Despite this concern, the Australian Government’s own Cyber Security Threat Report, published in June, makes no mention of what is probably the biggest threat to this country’s commercial secrets and individual privacy.
60 Minutes’ story shows how German hackers working from Berlin, given legal access to SS7 for the purposes of the demonstration, were able to intercept and record a mobile phone conversation between 60 Minutes reporter Ross Coulthart, speaking from Germany, and Independent Australian Senator Nick Xenophon in Australia’s Parliament House. As further proof of the hack, Coulthart then made another phone call from London, England, to the Senator in Australia which the Berlin hackers were also able to intercept and record, even though they were in Germany 1000 kilometres distant. The Berlin hackers from SR Labs, who first warned of the vulnerability in SS7 in 2008, were also able to intercept and read the Senator’s SMS messages from Australia to Coulthart in London. The hackers were then also able to geo-track the Senator as he travelled to Japan on official business, mapping his movements around Tokyo and Narita down to the nearest cell tower (within a few hundred metres), and later precisely tracking him around the streets of his South Australian home suburb when he returned to Australia.
The demonstration also shows how the key fraud protection relied on by banks to protect banking transactions from fraud – verification by SMS message – is useless against a determined hacker with access to the SS7 portal because they can intercept and use the SMS code before it gets to the bank customer. The same technique can also be used to take over someone’s online email account. The call-forwarding capacity of SS7 also allows any mobile to be forcibly redirected to call hugely expensive premium numbers, the cost of which is then billed to that customer’s account. SS7 also allows any number to be blocked, raising the fearful possibility that the vulnerability could be used by criminals or terrorists to stop a victim from calling police or emergency services. Cellular telephony is also used to remotely manage large industrial equipment, to send instructions to gas, electricity and other utilities and factories over 2G and 3G mobile communications. It is not inconceivable that an SS7 hack could be used to change settings or shut down a power station.
The German hacker who did the demonstration, Luca Melette, from SR Labs, told 60 Minutes after the demonstration hack: ‘This is quite shocking for me also that SS7 is not secure.’ It was another hacker, Tobias Engel, who first warned of the vulnerabilities in SS7 and he demonstrated how it might be done at a Chaos Computer Club conference in Germany in December last year. [The December 2014 Chaos Communication Congress videos on the security vulnerability can be viewed here: SS7: Locate. Track. Manipulate., SS7map: Mapping Vulnerability of the International Mobile Roaming Infrastructure, and Mobile Self-Defense]
When shown the extent of the vulnerability in mobile phone telephony, Senator Xenophon was outraged and called for an immediate full public inquiry: ‘This is actually quite shocking because it affects everyone. It means anyone with a mobile phone can be hacked, can be bugged, can be harassed. The implications of it are enormous and what we find is shocking is that the security services, the intelligence services, they know about this vulnerability,’ he told 60 Minutes.
SS7 is the signalling system between phone companies which allows a mobile phone to roam from one country to another. Under international agreements all telecommunications providers have to provide details of their subscribers automatically via the SS7 system on request from another provider. An SS7 request on a phone number instantly provides the phone handset’s unique IMEI number, the name and contact details of the phone account subscriber, whether their phone is allowed to roam internationally, what kind of account they use – post or pre-paid? – and, perhaps most disturbingly of all, it shows the nearest cell phone tower to which that mobile phone is currently connected. Using this information, a determined hacker with access to the SS7 system can actually listen in to any mobile phone conversation by forwarding all calls on a particular number to an online recording device and then re-routing the call on to its intended recipient with the man-in-the-middle attack undetected. It also allows the movements of a mobile phone user to be geo-tracked on an application like Google Maps.
Historically, only large telecommunications providers were allowed access to query SS7 for subscriber data but in recent years VOIP (Internet Phone) providers, smaller phone companies and numerous third-party SMS messaging services have also gained access. There are also fears that some providers with SS7 access are illicitly sub-leasing their portal to third parties. The global body representing mobile phone users – the GSMA (Groupe Speciale Mobile Association) – lists 800 members from 220 countries with full authority to run mobile phone networks, including access to the SS7 signalling system which has the gaping security flaw. [Full membership list here: http://www.gsma.com/membership/who-are-our-gsma-members/full-membership/ ] Those GSMA country members include mobile phone providers from many poor and unstable war-stricken nations including Iraq, Syria and Afghanistan, countries with ongoing insurgencies; it raises the fearsome possibility that terrorists or criminals who seize a local phone company with SS7 access could misuse SS7 to cause havoc or commit crimes across the telecommunications system. 60 Minutes is aware of a recent analysis done by a French Telco which revealed a huge spike in SS7 queries from Africa and the Middle East which far exceeded the number of phones roaming in those regions; this suggests the SS7 ‘Any-Time-Interrogation’ (ATI) queries for subscriber information and location were done for illicit purposes such as espionage or criminal fraud. ‘SS7 attacks are a reality,’ a telecommunications conference was told two weeks ago.
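The comparison behind that analysis, ATI query volume per originating network set against the number of the operator's own subscribers actually roaming there, can be sketched as follows. This is an added example, not code from 60 Minutes or from any operator; the record layout, network names, subscriber identifiers and the threshold are constructed assumptions.

```python
from collections import Counter

# Constructed sample records (not real traffic): one inbound MAP message each,
# as (originating network, MAP operation, target subscriber).
SIGNALLING_LOG = [
    ("net-A", "updateLocation", "imsi-001"),       # subscriber registers abroad
    ("net-A", "updateLocation", "imsi-002"),
    ("net-A", "anyTimeInterrogation", "imsi-001"),
    ("net-C", "updateLocation", "imsi-005"),
    ("net-B", "anyTimeInterrogation", "imsi-003"),  # net-B hosts no roamers
    ("net-B", "anyTimeInterrogation", "imsi-004"),
    ("net-B", "anyTimeInterrogation", "imsi-001"),
    ("net-B", "anyTimeInterrogation", "imsi-002"),
    ("net-A", "anyTimeInterrogation", "imsi-002"),
    ("net-C", "anyTimeInterrogation", "imsi-005"),
    ("net-C", "sendRoutingInfoForSM", "imsi-005"),  # not counted here
]

QUERY_OPS = {"anyTimeInterrogation"}  # the ATI query named in the article


def analyse(log, max_queries_per_roamer=3.0):
    """Return (per-message alerts, {network: query-to-roamer ratio} over limit).

    Assumption of this sketch: a network has a plausible reason to query a
    subscriber only while that subscriber is registered (roaming) there.
    """
    visited = {}         # subscriber -> network of its latest registration
    queries = Counter()  # originating network -> number of ATI queries
    alerts = []
    for origin, operation, subscriber in log:
        if operation == "updateLocation":
            visited[subscriber] = origin
        elif operation in QUERY_OPS:
            queries[origin] += 1
            # Judge each query against roaming state at the time it arrives.
            if visited.get(subscriber) != origin:
                alerts.append((origin, subscriber, "target not roaming here"))
    roamers = Counter(visited.values())
    noisy = {}
    for origin, count in queries.items():
        # A network with zero roamers is treated as one to avoid dividing by 0.
        ratio = count / max(roamers[origin], 1)
        if ratio > max_queries_per_roamer:
            noisy[origin] = ratio
    return alerts, noisy


if __name__ == "__main__":
    per_message, per_network = analyse(SIGNALLING_LOG)
    for alert in per_message:
        print("ALERT", *alert)
    print("Networks over the volume threshold:", per_network)
```
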
In August last year the Washington Post published a story alleging that makers of surveillance systems are offering government and other clients around the world access to SS7 to track the movements of anyone who carries a cell phone; a use that goes far beyond the original intentions of the system, and which raises substantial privacy and commercial espionage concerns. It is no revelation of course that intelligence agencies such as the US National Security Agency or the Australian Signals Directorate, part of the so-called five-eyes communications spying alliance, have such powers. But the Post story raised legitimate concerns at the time that a rogue government could access the SS7 portal to track political dissidents or to gather economic espionage on a competitor country. What the story did not detail was that SS7 access can also allow remote bugging of any mobile phone user’s calls, which is the hack 60 Minutes has now demonstrated is possible.
One of the companies offering commercial access to SS7 for the purpose of location tracking is Verint, a company with Israeli origins, based in New York, with offices across the world, including Australia. 60 Minutes has obtained a copy of Verint’s confidential brochure for a product named SkyLock, a cellular tracking system, with the subtitled catchphrase: ‘Locate. Track, Manipulate’. Verint pledges in its marketing material that it does not use Skylock against US or Israeli phone users but its marketing pitch does not exclude the possibility that it is offering access to Australian phone subscriber data to its clients. Indeed, if those clients have access to SS7’s ‘Any Time Interrogation’ (ATI) query capacity then there would be nothing stopping them from using SS7 to query the details and to track phone subscribers anywhere in the world. (Australian Federal Government procurement records show Verint’s Australian office provided $795,000 of ‘software’, ‘computer services’ and ‘software maintenance and support’ to the Australian Crime Commission from 2005 to 2012. Verint did not respond to questions from 60 Minutes asking whether they had sold Skylock to Australian customers or whether there were any protections to stop Skylock customers from mis-using Skylock for illicit purposes such as corporate espionage or fraud)
Australia’s telecommunications companies are currently fighting proposed legislation that would give the Government powers to force them to fix security weaknesses in their fixed-line and mobile networks. The coalition of telecoms industry groups, including John Stanton of the Communications Alliance, has attacked the reforms saying the legislation goes too far in requiring telcos to hand over confidential information about their networks. The draft legislation would grant new powers to the Attorney General’s department allowing it to direct service providers to alter or abandon procurements for telecommunications equipment if such deals were found to pose national security risks, laws directed at companies like Chinese telecommunications giant Huawei – which is perceived as having close links to the Chinese Government. In an interview with 60 Minutes, the Communications Alliance spokesman, John Stanton, admitted he was not aware of the concerns about SS7’s security vulnerabilities but he agreed: ‘Anything that compromises a network and impinges on people’s privacy – yes, you know – should be a concern.’
It has long been speculated in security industry circles that the reason why countries like Australia and the US have not rushed to ensure the SS7 vulnerability is fixed is because the location tracking and call bugging capacity has been widely exploited by intelligence services for espionage. In December 2013 The Australian newspaper detailed how US diplomatic cables leaked by NSA whistleblower Edward Snowden revealed that in 2009 Australia’s then Defence Signals Directorate (now ASD) had targeted the mobile phone of Kristiani Herawati, the wife of the then Indonesian President Susilo Bambang Yudhoyono. How that bugging was done has never been explained but it seems the use – or mis-use perhaps – of SS7 is the most likely explanation. A simple query of the signalling system would have provided the Indonesian First Lady’s unique cell-phone IMEI number, then enabling tracking and call-forwarding to a recording device.
The 60 Minutes investigation also revealed how, using a GSMK Cryptophone, the program has detected IMSI catchers – rogue cell-towers – in use in Australia. The Cryptophone has a baseband firewall that detects when a rogue cell tower is trying to force the phone to connect to it, and it warns if the IMSI catcher is attempting to force its 3G or 4G encryption down to 2G – a weak encryption level that is easily cracked. Over the past few months 60 Minutes reporter Ross Coulthart detected suspected IMSI catchers in operation around central Sydney, including outside the Australian Stock Exchange building in Bridge Street. Each time the rogue cell tower was attempting to force the phone to connect with it unencrypted, which would have allowed access to any of the data on a normal mobile phone. He also recorded multiple detections in an undisclosed eastern suburbs Sydney location, filming the alerts in real time as they were detected on the Cryptophone. Clearly there is a possibility the IMSI catchers detected were part of a legitimate law enforcement operation but experience in the United States suggests at least some of those rogue cell towers are being used illegally by criminals and corporate spies for fraud and espionage.
ESD America is a company based in Las Vegas which markets the Cryptophone and specialises in counter-surveillance technology. Its CEO Les Goldsmith told 60 Minutes that his company has detected 68 IMSI catchers in locations across the US, including at sensitive Government hearings and military installations. As he explained, IMSI catchers are now widely in use by criminals because ‘An IMSI catcher in criminal hands is going to mean that they have the ability to target an apartment building where they can listen to the phone calls and pick up and record all the calls and hope to pick up somebody calling their bank and giving their passwords or suchlike vital private transactions.’
ESD has developed a new product in conjunction with the German firm GSMK called Overwatch which, for the first time, allows real-time detection of rogue cell phone towers to distinguish them from the real ones. GSMK principal Bjoern Rupp demonstrated the technology for the first time on-camera, showing how Overwatch allows rogue cell towers to be pinpointed on a map using triangulation from sensors placed around a city. The purpose of Overwatch is to provide Governments and telecommunications providers with the first ever warning system that can alert them to the presence and location of an illegal IMSI catcher. The technology break-through potentially threatens the efficacy of one of the most powerful tools used by intelligence agencies for the past few decades of mobile phone telephony – IMSI catchers are a primary tool of modern espionage. GSMK and ESD have also developed another product called Oversight, a system which detects suspicious SS7 activity. Oversight is already being installed by a number of telcos in Europe and reports suggest they are already noticing extensive suspicious use of SS7 which they are then able to block.
The ramifications of the Oversight and Overwatch technological breakthroughs are enormous; they potentially spell the end to rampant easy-access by a host of governments and rogue criminal elements internationally to undetected misuse of the SS7 hack and IMSI catchers. However, for the moment, the huge security hole in SS7 remains unfixed. In an amusing twist, when Hacking Team, an Italian-based seller of privacy-intrusive surveillance hacking technology, suffered a major leak of its emails in July, the leaked email traffic revealed their knowledge of how the leak was likely perpetrated. ‘This is BLATANT privacy violation!,’ complained Hacking Team CEO David Vincenzetti, ‘HOW did they collect such information?’ The answer back from his technical experts was that whoever it was who did the hack had likely accessed their data using SS7 via a contact in Italian phone company Telecom Italia. Intriguingly, the leaked emails also disclosed that Hacking Team had previously been approached by a company called CleverSig, which claimed to have online access to SS7 tracking via another operator at a cost of US$14,000 to 16,000 per month*. It suggests, as many security operators are beginning to fear, that the SS7 system’s frightening capabilities are now wide-open to unscrupulous commercial operators … for a fee. (*When 60 Minutes contacted CleverSig’s founder Eitan Keren in Israel for comment about the leaked emails he said ‘not all the data you see there is valid. Take the data you read with caution’. He then went on to disclaim any knowledge of or involvement in SS7 tracking.)
60 Minutes approached Australia’s major telecommunications companies: Telstra, Vodafone and Optus for comment.
· Telstra takes the security and privacy of our customers seriously, constantly monitoring our networks for suspicious activity. Where Telstra detects malicious network activity we act quickly to address any impact on the privacy of our customers and to maintain the security of our networks.
· System Signalling Number 7 (SS7) is a protocol used by telecommunication providers to direct calls and text messages between providers. Like any protocol, SS7 is vulnerable to exploitation by sophisticated and well funded third parties with criminal intentions. In recognition of this we have network monitoring in place, not just with reference to SS7, and where we detect unusual or suspected illegal activity, we take action and report this to the relevant authorities where appropriate.
· Where we detect suspected illegal activity on our mobile network, for which we constantly monitor, we report the suspected illegal activity to the AFP for investigation as part of our consistent practice. Unlawful access to our network and interception of customer calls is illegal and there is legislation in place which prohibits possession of the equipment for, and the undertaking of, unlawful interception.
· Telstra won't speculate on the alleged capabilities or intentions of foreign intelligence agencies or national security services.
· Optus takes privacy very seriously, however we don’t comment on security matters in detail. As a provider of national telecommunications infrastructure, Optus takes its responsibility for network and information security seriously. We regularly liaise with law enforcement and national security agencies and review our systems to assess risks and ensure the integrity of our security processes and information.
· The protection of our customers’ personal data and information is our highest priority. At Vodafone, we have security measures in place to protect our customers against unauthorised access to customer communications or data.
· We are continually reviewing and upgrading our systems and processes, including using global best practices, to minimise the possibility of any unauthorised access. Vodafone is fully aware of its legal responsibilities to protect customer communications and data and complies with those obligations.
· We are not aware of any use of SS7 signalling to gain unauthorised access to Vodafone customer communications or data.
Questions were also sent to Verint, the makers of SKYLOCK surveillance technology. They did not respond.