The problem with an important component of the telephone network, which allows a person’s location to be traced remotely, will never be completely resolved. So says the chief security officer of KPN, Jaya Baloo. “It’s not a bug, but a feature,” said Baloo.
“We’re never going to be able to close it completely,” said Baloo. “We’re going to try to slowly turn off the tap, but that can only really be done in the longer term,” KPN’s head of security told Tweakers at the CCC security conference in Hamburg.
The problem lies in Signaling System No. 7 (SS7), the system that mobile providers use to communicate with other telecommunications providers, for example to handle calls, send and receive text messages and settle roaming charges. The system turns out to be open to abuse for finding out a person’s location remotely, security researcher Tobias Engel said Saturday night at the CCC conference. Baloo wants to emphasize that the problem is not only at KPN, but that other providers are affected as well.
The SS7 system was never designed with security in mind. Attackers therefore have a number of tricks to retrieve which cell tower a user is connected to. There are commercial databases that link the identification numbers of cell towers to locations, from which it can be roughly derived where someone is located. “Especially in cities, where cell towers are often close together, you can follow someone at street level,” says researcher Engel. It is also possible to forward calls to other numbers or to intercept SMS messages, as was mentioned earlier.
An attacker must arrange their own access to the SS7 system, to which officially only providers have access. However, there are companies that offer access for a fee. Also, a femtocell can be hacked, or attackers can gain access to poorly secured network equipment.
According to Baloo, the problem is difficult to solve because it is not a bug but a built-in feature. In some cases other providers need the disputed functionality, for example when a customer is abroad. “The exchange of users’ data with other providers is necessary to be able to handle traffic. You can never know for sure whether an SS7 request is legitimate; you only know that afterwards,” said Baloo. “Our philosophy is not that we want to prevent everything; I don’t think that’s possible,” she says. “This applies not only to SS7, but also to other protocols, for example the internet. There is no completely secure protocol.”
However, KPN will do its best to prevent abuse, says Baloo. One of the ways attackers could use to find out locations, sending a so-called anytime interrogation message, has been completely sealed off. Many other providers have already done so. Baloo admits that KPN will have to filter better for abuse of the system. For instance, KPN’s systems should be able to recognize suspicious requests. “But we are also dependent on the suppliers of our hardware,” says the head of security.
Security researcher Karsten Nohl, who researched SS7 together with Engel, waves the provider’s concerns aside. “These problems can be solved. It just won’t be easy,” the hacker told Tweakers. “Companies can always do their best to prevent problems to some extent. But it is even possible to solve this entirely, for example with improved filtering and plausibility checks.” According to Nohl, one German provider has already managed to keep the security researchers out completely.
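The anytime interrogation block that Baloo describes and the plausibility checks Nohl mentions can be expressed as a border filter over inbound requests. This is an added example, not code from KPN, Tweakers or the researchers. The global-title prefixes, subscriber labels, roaming table and the rule that an external request is plausible only when the subscriber is roaming in the sender's network are assumptions, and the filter takes the sender's global title at face value.

```python
from dataclasses import dataclass

# All values below are constructed for illustration.
HOME_PREFIX = "99901"                      # global-title prefix of our own network
ROAMING = {"sub-A": "99902"}               # subscriber -> prefix of the network they roam in


@dataclass(frozen=True)
class MapRequest:
    operation: str      # name of the requested operation
    calling_gt: str     # global title of the node that sent the request
    subscriber: str     # subscriber the request asks about


def classify(req, roaming=ROAMING):
    """Return 'allow', 'block' or 'flag' for one inbound request."""
    if req.calling_gt.startswith(HOME_PREFIX):
        return "allow"                     # traffic from our own nodes
    if req.operation == "anyTimeInterrogation":
        return "block"                     # closed off entirely for outside senders
    visited = roaming.get(req.subscriber)
    if visited is not None and req.calling_gt.startswith(visited):
        return "allow"                     # plausible: sender is where the customer roams
    return "flag"                          # outside sender with no roaming relationship


# Constructed sample traffic: (request, what the filter should decide).
SAMPLE = [
    MapRequest("anyTimeInterrogation", "9990100017", "sub-A"),   # internal node
    MapRequest("anyTimeInterrogation", "9990300042", "sub-A"),   # foreign sender
    MapRequest("provideSubscriberInfo", "9990200005", "sub-A"),  # customer roams here
    MapRequest("provideSubscriberInfo", "9990300042", "sub-A"),  # customer is elsewhere
    MapRequest("provideSubscriberInfo", "9990200005", "sub-B"),  # customer is at home
]


def run(sample=SAMPLE):
    """Classify every request in the sample and return the decisions in order."""
    return [classify(r) for r in sample]


if __name__ == "__main__":
    for request, decision in zip(SAMPLE, run()):
        print(f"{decision:5}  {request.operation:22} from {request.calling_gt}")
```

Flagged requests correspond to what Baloo says can only be judged afterwards: the filter cannot prove them illegitimate, so it marks them for review rather than dropping them.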