[VoiceOps] SS7
Paul Timmins
paul at timmins.net
Thu Apr 21 14:13:28 EDT 2016
You could do it by saying "hey, this handset is roaming on me" then
directing the call back to the handset in question, I figure. It would
be inbound only intercept, but i could see that working.
-Paul
On 04/21/2016 02:12 PM, Matthew Yaklin wrote:
>
>
> The part I was curious about and perhaps someone can clarify who has
> more knowledge than I is...
>
>
> It appears in order to record calls the attacker has to be in very
> close proximity to the target. Like radio/tower range.
>
> You cannot record a conversation half way across the world.
>
>
> Matt
>
>
>
> ------------------------------------------------------------------------
> *From:* VoiceOps <voiceops-bounces at voiceops.org> on behalf of Matthew
> Yaklin <myaklin at firstlight.net>
> *Sent:* Thursday, April 21, 2016 2:09 PM
> *To:* Kidd Filby; Chris Aloi
> *Cc:* voiceops at voiceops.org
> *Subject:* Re: [VoiceOps] SS7
>
>
> Here is a paper that may shed some light on the discussion for the
> curious.
>
>
> https://www.sans.org/reading-room/whitepapers/critical/fall-ss7--critical-security-controls-help-36225
>
> SANS Institute InfoSec Reading Room
> <https://www.sans.org/reading-room/whitepapers/critical/fall-ss7--critical-security-controls-help-36225>
> www.sans.org
> The Fall of SS7 Ð How Can the Critical Security Controls Help? 4 "
> #$$#%!&'()#*+!"#$$#%,-')#*./-#01,2'-! area notices this registration
> and transfers to a Visitor ...
>
>
>
>
>
> ------------------------------------------------------------------------
> *From:* Kidd Filby <kiddfilby at gmail.com>
> *Sent:* Thursday, April 21, 2016 2:01 PM
> *To:* Chris Aloi
> *Cc:* Matthew Yaklin; voiceops at voiceops.org
> *Subject:* Re: [VoiceOps] SS7
> In a strictly TDM world, or conversation... having access to the SS7
> network gets you nothing but what and where the call traversed. NO
> audio is carried and without End Office controlling software for call
> routing, just dropping it into some IP connection is not going to
> afford you anything other than what you already have. You still need
> access to the audio carrying infrastructure of the network to get the
> audio.
>
> I cannot comment on CALEA
>
> Kidd
>
> On Thu, Apr 21, 2016 at 10:56 AM, Chris Aloi <ctaloi at gmail.com
> <mailto:ctaloi at gmail.com>> wrote:
>
> It looked like they had access to SS7 links (likely A links
> terminated to a physical server) and were using FreeSWITCH to
> somehow fork the media from the call and record it. Just a guess
> based on the quick console recording.
>
> Correct, SS7 doesn't carry the actual voice it handles the
> signaling to bring up the voice channels (by identifying be point
> code and CICs) and various other signaling bits. Not sure if
> there are provisions for CALEA in SS7 that could fork a media
> stream or exactly how that would work.
>
> So I guess the barrier to entry would be access to the SS7
> network, not as easy as hopping on the Internet, but certainly not
> much of a challenge.
>
> ---
> Christopher Aloi
> Sent from my iPhone
>
> On Apr 21, 2016, at 11:52 AM, Kidd Filby <kiddfilby at gmail.com
> <mailto:kiddfilby at gmail.com>> wrote:
>
>> There is no VOICE traversing the SS7 network, so you cannot
>> possibly record a conversation by having access to the SS7
>> network only.
>>
>> On Thu, Apr 21, 2016 at 9:36 AM, Matthew Yaklin
>> <myaklin at firstlight.net <mailto:myaklin at firstlight.net>> wrote:
>>
>>
>> In other words the hacker has to have working SS7 trunks or
>> access to someone who does? That is how I understood it.
>>
>> Not exactly a remote hack from mom's basement sort of thing.
>>
>> Matt
>>
>> ________________________________________
>> From: VoiceOps <voiceops-bounces at voiceops.org
>> <mailto:voiceops-bounces at voiceops.org>> on behalf of Peter
>> Rad. <peter at 4isps.com <mailto:peter at 4isps.com>>
>> Sent: Thursday, April 21, 2016 11:25 AM
>> To: voiceops at voiceops.org <mailto:voiceops at voiceops.org>
>> Subject: [VoiceOps] SS7
>>
>> FYI...
>>
>> U.S. carriers mum on 60 Minutes report on vulnerability in
>> SS7 -
>> http://www.fiercewireless.com/story/us-carriers-mum-60-minutes-report-vulnerability-ss7/2016-04-19
>>
>> Regards,
>>
>> Peter Radizeski
>> RAD-INFO, Inc.
>> 813.963.5884 <tel:813.963.5884>
>> http://rad-info.net
>> * Need bandwidth or colocation? call me
>> _______________________________________________
>> VoiceOps mailing list
>> VoiceOps at voiceops.org <mailto:VoiceOps at voiceops.org>
>> https://puck.nether.net/mailman/listinfo/voiceops
>> _______________________________________________
>> VoiceOps mailing list
>> VoiceOps at voiceops.org <mailto:VoiceOps at voiceops.org>
>> https://puck.nether.net/mailman/listinfo/voiceops
>>
>>
>>
>>
>> --
>> Kidd Filby
>> 661.557.5640 <tel:661.557.5640> (C)
>> http://www.linkedin.com/in/kiddfilby
>> _______________________________________________
>> VoiceOps mailing list
>> VoiceOps at voiceops.org <mailto:VoiceOps at voiceops.org>
>> https://puck.nether.net/mailman/listinfo/voiceops
>
>
>
>
> --
> Kidd Filby
> 661.557.5640 (C)
> http://www.linkedin.com/in/kiddfilby
>
>
> _______________________________________________
> VoiceOps mailing list
> VoiceOps at voiceops.org
> https://puck.nether.net/mailman/listinfo/voiceops
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/voiceops/attachments/20160421/6fe52a9b/attachment.html>
More information about the VoiceOps
mailing list