[VoiceOps] SS7

Paul Timmins paul at timmins.net
Thu Apr 21 14:13:28 EDT 2016


You could do it by saying "hey, this handset is roaming on me" then 
directing the call back to the handset in question, I figure. It would 
be inbound only intercept, but i could see that working.

-Paul

On 04/21/2016 02:12 PM, Matthew Yaklin wrote:
>
>
> The part I was curious about and perhaps someone can clarify who has 
> more knowledge than I is...
>
>
> It appears in order to record calls the attacker has to be in very 
> close proximity to the target. Like radio/tower range.
>
> You cannot record a conversation half way across the world.
>
>
> Matt
>
>
>
> ------------------------------------------------------------------------
> *From:* VoiceOps <voiceops-bounces at voiceops.org> on behalf of Matthew 
> Yaklin <myaklin at firstlight.net>
> *Sent:* Thursday, April 21, 2016 2:09 PM
> *To:* Kidd Filby; Chris Aloi
> *Cc:* voiceops at voiceops.org
> *Subject:* Re: [VoiceOps] SS7
>
>
> Here is a paper that may shed some light on the discussion for the 
> curious.
>
>
> https://www.sans.org/reading-room/whitepapers/critical/fall-ss7--critical-security-controls-help-36225
>
> SANS Institute InfoSec Reading Room 
> <https://www.sans.org/reading-room/whitepapers/critical/fall-ss7--critical-security-controls-help-36225>
> www.sans.org
> The Fall of SS7 Ð How Can the Critical Security Controls Help? 4 " 
> #$$#%!&'()#*+!"#$$#%,-')#*./-#01,2'-! area notices this registration 
> and transfers to a Visitor ...
>
>
>
>
>
> ------------------------------------------------------------------------
> *From:* Kidd Filby <kiddfilby at gmail.com>
> *Sent:* Thursday, April 21, 2016 2:01 PM
> *To:* Chris Aloi
> *Cc:* Matthew Yaklin; voiceops at voiceops.org
> *Subject:* Re: [VoiceOps] SS7
> In a strictly TDM world, or conversation... having access to the SS7 
> network gets you nothing but what and where the call traversed.  NO 
> audio is carried and without End Office controlling software for call 
> routing, just dropping it into some IP connection is not going to 
> afford you anything other than what you already have.  You still need 
> access to the audio carrying infrastructure of the network to get the 
> audio.
>
> I cannot comment on CALEA
>
> Kidd
>
> On Thu, Apr 21, 2016 at 10:56 AM, Chris Aloi <ctaloi at gmail.com 
> <mailto:ctaloi at gmail.com>> wrote:
>
>     It looked like they had access to SS7 links (likely A links
>     terminated to a physical server) and were using FreeSWITCH to
>     somehow fork the media from the call and record it.  Just a guess
>     based on  the quick console recording.
>
>     Correct, SS7 doesn't carry the actual voice it handles the
>     signaling to bring up the voice channels (by identifying be point
>     code and CICs) and various other signaling bits.  Not sure if
>     there are provisions for CALEA in SS7 that could fork a media
>     stream or exactly how that would work.
>
>     So I guess the barrier to entry would be access to the SS7
>     network, not as easy as hopping on the Internet, but certainly not
>     much of a challenge.
>
>     ---
>     Christopher Aloi
>     Sent from my iPhone
>
>     On Apr 21, 2016, at 11:52 AM, Kidd Filby <kiddfilby at gmail.com
>     <mailto:kiddfilby at gmail.com>> wrote:
>
>>     There is no VOICE traversing the SS7 network, so you cannot
>>     possibly record a conversation by having access to the SS7
>>     network only.
>>
>>     On Thu, Apr 21, 2016 at 9:36 AM, Matthew Yaklin
>>     <myaklin at firstlight.net <mailto:myaklin at firstlight.net>> wrote:
>>
>>
>>         In other words the hacker has to have working SS7 trunks or
>>         access to someone who does? That is how I understood it.
>>
>>         Not exactly a remote hack from mom's basement sort of thing.
>>
>>         Matt
>>
>>         ________________________________________
>>         From: VoiceOps <voiceops-bounces at voiceops.org
>>         <mailto:voiceops-bounces at voiceops.org>> on behalf of Peter
>>         Rad. <peter at 4isps.com <mailto:peter at 4isps.com>>
>>         Sent: Thursday, April 21, 2016 11:25 AM
>>         To: voiceops at voiceops.org <mailto:voiceops at voiceops.org>
>>         Subject: [VoiceOps] SS7
>>
>>         FYI...
>>
>>           U.S. carriers mum on 60 Minutes report on vulnerability in
>>         SS7 -
>>         http://www.fiercewireless.com/story/us-carriers-mum-60-minutes-report-vulnerability-ss7/2016-04-19
>>
>>         Regards,
>>
>>         Peter Radizeski
>>         RAD-INFO, Inc.
>>         813.963.5884 <tel:813.963.5884>
>>         http://rad-info.net
>>         * Need bandwidth or colocation? call me
>>         _______________________________________________
>>         VoiceOps mailing list
>>         VoiceOps at voiceops.org <mailto:VoiceOps at voiceops.org>
>>         https://puck.nether.net/mailman/listinfo/voiceops
>>         _______________________________________________
>>         VoiceOps mailing list
>>         VoiceOps at voiceops.org <mailto:VoiceOps at voiceops.org>
>>         https://puck.nether.net/mailman/listinfo/voiceops
>>
>>
>>
>>
>>     -- 
>>     Kidd Filby
>>     661.557.5640 <tel:661.557.5640> (C)
>>     http://www.linkedin.com/in/kiddfilby
>>     _______________________________________________
>>     VoiceOps mailing list
>>     VoiceOps at voiceops.org <mailto:VoiceOps at voiceops.org>
>>     https://puck.nether.net/mailman/listinfo/voiceops
>
>
>
>
> -- 
> Kidd Filby
> 661.557.5640 (C)
> http://www.linkedin.com/in/kiddfilby
>
>
> _______________________________________________
> VoiceOps mailing list
> VoiceOps at voiceops.org
> https://puck.nether.net/mailman/listinfo/voiceops

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/voiceops/attachments/20160421/6fe52a9b/attachment.html>


More information about the VoiceOps mailing list