[VoiceOps] SS7

Peter E peeip989 at gmail.com
Thu Apr 21 14:52:09 EDT 2016


It's been a decade since I've touched SS7, and I barely remember what I had for breakfast, so it's like it's all new to me again.

From what I read, it sounds like there may be a "proxy" function that can be injected which would bring both endpoints back to you so you can record both legs. The 60 Minutes piece shows exactly that. And, while it was done in seconds for TV, we all know there was a lot of prep work required ahead of time to make it that simple.

Question, though: does the proliferation of SMS gateway services open a security risk since they may be bridging IP to SS7?

On Apr 21, 2016, at 14:13, Paul Timmins <paul at timmins.net> wrote:

You could do it by saying "hey, this handset is roaming on me" then directing the call back to the       handset in question, I figure. It would be inbound only intercept, but i could see that working.

-Paul

> On 04/21/2016 02:12 PM, Matthew Yaklin wrote:
> 
> The part I was curious about and perhaps someone can clarify who has more knowledge than I is...
> 
> 
> It appears in order to record calls the attacker has to be in very close proximity to the target. Like radio/tower range.
> 
> You cannot record a conversation half way across the world.
> 
> 
> Matt
> 
> 
> 
>            
> From: VoiceOps <voiceops-bounces at voiceops.org> on behalf of Matthew Yaklin <myaklin at firstlight.net>
> Sent: Thursday, April 21, 2016 2:09 PM
> To: Kidd Filby; Chris Aloi
> Cc: voiceops at voiceops.org
> Subject: Re: [VoiceOps] SS7
>  
> 
> Here is a paper that may shed some light on the discussion for the curious.
> 
> 
> https://www.sans.org/reading-room/whitepapers/critical/fall-ss7--critical-security-controls-help-36225
> 
> SANS Institute InfoSec Reading Room
> www.sans.org
> The Fall of SS7 Ð How Can the Critical Security Controls Help? 4 " #$$#%!&'()#*+!"#$$#%,-')#*./-#01,2'-! area notices this registration and transfers to a Visitor ...
> 
> 
> 
> 
>                  
> From: Kidd Filby <kiddfilby at gmail.com>
> Sent: Thursday, April 21, 2016 2:01 PM
> To: Chris Aloi
> Cc: Matthew Yaklin; voiceops at voiceops.org
> Subject: Re: [VoiceOps] SS7
>  
> In a strictly TDM world, or conversation... having access to the SS7 network gets you nothing but what and where the call traversed.  NO audio is carried and without End Office controlling software for call routing, just dropping it into some IP connection is not going to afford you anything other than what you already have.  You still need access to the audio carrying infrastructure of the network to get the audio.
> 
> I cannot comment on CALEA
> 
> Kidd
> 
>> On Thu, Apr 21, 2016 at 10:56 AM, Chris Aloi <ctaloi at gmail.com> wrote:
>> It looked like they had access to SS7                             links (likely A links terminated to a physical server) and were using FreeSWITCH to somehow fork the media from the call and record it.  Just a guess based on  the quick console recording. 
>> 
>> Correct, SS7 doesn't carry the actual                             voice it handles the signaling to bring up the voice channels (by identifying be point code and CICs) and various other signaling bits.  Not sure if there are provisions for CALEA in SS7 that could fork a media stream or exactly how that would work.
>> 
>> So I guess the barrier to entry would be access to the SS7 network, not as easy as hopping on the Internet, but certainly not much of a challenge. 
>> 
>> ---
>> Christopher Aloi
>> Sent from my iPhone
>> 
>> On Apr 21, 2016, at 11:52 AM, Kidd Filby <kiddfilby at gmail.com> wrote:
>> 
>>> There is no VOICE traversing the SS7 network, so you cannot possibly record a conversation by having access to the SS7 network only.
>>> 
>>>> On Thu, Apr 21, 2016 at 9:36 AM, Matthew Yaklin <myaklin at firstlight.net> wrote:
>>>> 
>>>> In other words the hacker has to have working SS7 trunks or access to someone who does? That is how I understood it.
>>>> 
>>>> Not exactly a remote hack from mom's basement sort of thing.
>>>> 
>>>> Matt
>>>> 
>>>> ________________________________________
>>>> From: VoiceOps <voiceops-bounces at voiceops.org> on behalf of Peter Rad. <peter at 4isps.com>
>>>> Sent: Thursday, April 21, 2016 11:25 AM
>>>> To: voiceops at voiceops.org
>>>> Subject: [VoiceOps] SS7
>>>> 
>>>> FYI...
>>>> 
>>>>   U.S. carriers mum on 60 Minutes report on vulnerability in SS7 -
>>>> http://www.fiercewireless.com/story/us-carriers-mum-60-minutes-report-vulnerability-ss7/2016-04-19
>>>> 
>>>> Regards,
>>>> 
>>>> Peter Radizeski
>>>> RAD-INFO, Inc.
>>>> 813.963.5884
>>>> http://rad-info.net
>>>> * Need bandwidth or colocation? call me
>>>> _______________________________________________
>>>> VoiceOps mailing list
>>>> VoiceOps at voiceops.org
>>>> https://puck.nether.net/mailman/listinfo/voiceops
>>>> _______________________________________________
>>>> VoiceOps mailing list
>>>> VoiceOps at voiceops.org
>>>> https://puck.nether.net/mailman/listinfo/voiceops
>>> 
>>> 
>>> 
>>> -- 
>>> Kidd Filby
>>> 661.557.5640 (C)
>>> http://www.linkedin.com/in/kiddfilby
>>> _______________________________________________
>>> VoiceOps mailing list
>>> VoiceOps at voiceops.org
>>> https://puck.nether.net/mailman/listinfo/voiceops
> 
> 
> 
> -- 
> Kidd Filby
> 661.557.5640 (C)
> http://www.linkedin.com/in/kiddfilby
> 
> 
> _______________________________________________
> VoiceOps mailing list
> VoiceOps at voiceops.org
> https://puck.nether.net/mailman/listinfo/voiceops

_______________________________________________
VoiceOps mailing list
VoiceOps at voiceops.org
https://puck.nether.net/mailman/listinfo/voiceops
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/voiceops/attachments/20160421/b0c55a88/attachment-0001.html>


More information about the VoiceOps mailing list