rC3: espionage in the cellular network
Source: Heise.de added 04th Jan 2021
With clandestine cellular queries and silent SMS, attackers can determine the location of hundreds of millions of cell phones. At the remote Chaos Communication Congress (rC3), security researcher Cathal Mc Daid from AdaptiveMobile Security reported on the fight against secret surveillance.
The CCC has been following attacks on cellular networks for years. Back in 2014, Karsten Nohl showed at 31C3 how open the SS7 cellular protocol was to abuse of all kinds, up to the interception of SMS and the redirection of calls. Some of the same problems exist in Diameter, the successor to the SS7 protocol for 4G networks. The core assumption is still that, in principle, only authorized companies have access to the system and use it only for legitimate purposes. In practice, however, surveillance companies, criminals and governments use access points for espionage.
Indirect attacks via Cell-ID or IMEI
At least many providers now use anti-abuse technology, for example from AdaptiveMobile Security. In practice, abuse is still commonplace but accounts for only a tiny fraction of SS7 traffic, said Mc Daid. To avoid detection by mobile providers, attackers increasingly try an indirect attack in which they first request information about the surveillance target's phone, such as the cell ID or the IMEI (International Mobile Equipment Identity). The information that is actually wanted, such as the location of the phone, is only retrieved later.
The attackers have set up a complex infrastructure for this purpose. Mc Daid reported on a case in which an attempt was made to determine the location of a former French secret service employee with queries from Great Britain, Cameroon, Israel and Laos. Because of the provider’s countermeasures, however, none of the attacks was successful. The black market for SS7 queries shows that the fight against commercial espionage is successful. The price rises the more SS7 queries are made, since the providers fear that they will lose their access if their business is exposed.
Vulnerability in the S@T Browser
A relatively new attack made this complex procedure unnecessary. The Simjacker attack, published last year, worked without any intervention in the mobile network systems: a specially prepared SMS was able to instruct a victim’s cell phone to send its own location back to the attacker. It exploits a weakness in the so-called S@T Browser (SIMalliance Toolbox Browser), which mobile providers in many countries install directly on the SIM card. As with cellular network attacks, the victim does not even notice the query, because the SMS is not displayed but processed and answered directly on the SIM card. The attackers only need the phone number of their target. You can check whether you are affected by the attack using the SIMtester tool from SRLabs.
After a year of observation, Mc Daid is convinced that so far only a single surveillance company uses this technique. It does so on a large scale, however. Many Simjacker attacks are concentrated on a few providers on the American continent. At one provider, the security researcher counted as many as 400 attacks per 100,000 customers within one year. Before the vulnerability was published, the figure is said to have been as high as 1300 queries per 100,000 customers. This suggests that the method was used for broad and continuous monitoring.
After the discovery, mobile phone providers were able to ward off these SMS attacks as well. The attackers are therefore trying to conceal their activity better. In practice, Mc Daid is now observing queries that combine Simjacker and SS7 attacks. For the 5G network, Mc Daid sees great advances in security design. However, the technology is also much more complex than 4G, so new weak points are to be expected. “Providers must expect to be the target of attacks – and must therefore work on their defense mechanisms,” warns the security researcher.
(pbe)