<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div></div><div>It's been a decade since I've touched SS7, and I barely remember what I had for breakfast, so it's like it's all new to me again.</div><div><br></div><div>From what I read, it sounds like there may be a "proxy" function that can be injected which would bring both endpoints back to you so you can record both legs. The 60 Minutes piece shows exactly that. And, while it was done in seconds for TV, we all know there was a lot of prep work required ahead of time to make it that simple.</div><div><br></div><div>Question, though: does the proliferation of SMS gateway services open a security risk since they may be bridging IP to SS7?</div><div><br>On Apr 21, 2016, at 14:13, Paul Timmins <<a href="mailto:paul@timmins.net">paul@timmins.net</a>> wrote:<br><br></div><div>
  
    <meta content="text/html; charset=windows-1252" http-equiv="Content-Type">
  
  
    <div class="moz-cite-prefix">You could do it by saying "hey, this
      handset is roaming on me" then directing the call back to the
      handset in question, I figure. It would be inbound only intercept,
      but i could see that working.<br>
      <br>
      -Paul<br>
      <br>
      On 04/21/2016 02:12 PM, Matthew Yaklin wrote:<br>
    </div>
    <blockquote cite="mid:BLUPR0401MB17303D2F53AF656AAFC9BCEFDA6E0@BLUPR0401MB1730.namprd04.prod.outlook.com" type="cite">
      <meta http-equiv="Content-Type" content="text/html;
        charset=windows-1252">
      
      <div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
        <p><br>
        </p>
        <p>The part I was curious about and perhaps someone can clarify
          who has more knowledge than I is...</p>
        <p><br>
        </p>
        <p>It appears in order to record calls the attacker has to be in
          very close proximity to the target. Like radio/tower range.</p>
        <p>You cannot record a conversation half way across the world.</p>
        <p><br>
        </p>
        <p>Matt</p>
        <br>
        <br>
        <div style="color: rgb(0, 0, 0);">
          <hr tabindex="-1" style="display:inline-block; width:98%">
          <div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" face="Calibri, sans-serif" color="#000000"><b>From:</b>
              VoiceOps <a class="moz-txt-link-rfc2396E" href="mailto:voiceops-bounces@voiceops.org"><voiceops-bounces@voiceops.org></a> on behalf
              of Matthew Yaklin <a class="moz-txt-link-rfc2396E" href="mailto:myaklin@firstlight.net"><myaklin@firstlight.net></a><br>
              <b>Sent:</b> Thursday, April 21, 2016 2:09 PM<br>
              <b>To:</b> Kidd Filby; Chris Aloi<br>
              <b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:voiceops@voiceops.org">voiceops@voiceops.org</a><br>
              <b>Subject:</b> Re: [VoiceOps] SS7</font>
            <div> </div>
          </div>
          <div>
            <div id="divtagdefaultwrapper" style="font-size:12pt;
              color:#000000; background-color:#FFFFFF;
              font-family:Calibri,Arial,Helvetica,sans-serif">
              <p><br>
              </p>
              <p>Here is a paper that may shed some light on the
                discussion for the curious.</p>
              <p><br>
              </p>
              <p><a moz-do-not-send="true" href="https://www.sans.org/reading-room/whitepapers/critical/fall-ss7--critical-security-controls-help-36225" id="LPlnk600737" title="https://www.sans.org/reading-room/whitepapers/critical/fall-ss7--critical-security-controls-help-36225
Ctrl+Click
                  or tap to follow the link">https://www.sans.org/reading-room/whitepapers/critical/fall-ss7--critical-security-controls-help-36225</a></p>
              <div id="LPBorder_GT_14612622330100.08664621482711832" style="margin-bottom:20px; overflow:auto; width:100%;
                text-indent:0px">
                <table id="LPContainer_14612622330100.5279016636855465" style="width:90%; overflow:auto; padding-top:20px;
                  padding-bottom:20px; margin-top:20px;
                  border-top-width:1px; border-top-style:dotted;
                  border-top-color:rgb(200,200,200);
                  border-bottom-width:1px; border-bottom-style:dotted;
                  border-bottom-color:rgb(200,200,200);
                  background-color:rgb(255,255,255)" cellspacing="0">
                  <tbody>
                    <tr style="border-spacing:0px" valign="top">
                      <td id="TextCell_14612622330100.06806716700400739" colspan="2" style="vertical-align: top; padding:
                        0px; display: table-cell; position: relative;">
                        <div id="LPTitle_14612622330100.18504616592032286" style="top:0px; color:rgb(0,120,215);
                          font-weight:normal; font-size:21px;
                          font-family:wf_segoe-ui_light,'Segoe UI
                          Light','Segoe WP Light','Segoe UI','Segoe
                          WP',Tahoma,Arial,sans-serif; line-height:21px">
                          <a moz-do-not-send="true" id="LPUrlAnchor_14612622330100.32622934630536204" href="https://www.sans.org/reading-room/whitepapers/critical/fall-ss7--critical-security-controls-help-36225" target="_blank" style="text-decoration:none">SANS
                            Institute InfoSec Reading Room</a></div>
                        <div id="LPMetadata_14612622330100.8726144158506068" style="margin:10px 0px 16px;
                          color:rgb(102,102,102); font-weight:normal;
                          font-family:wf_segoe-ui_normal,'Segoe
                          UI','Segoe WP',Tahoma,Arial,sans-serif;
                          font-size:14px; line-height:14px">
                          <a class="moz-txt-link-abbreviated" href="http://www.sans.org">www.sans.org</a></div>
                        <div id="LPDescription_14612622330100.7165319842741722" style="display:block; color:rgb(102,102,102);
                          font-weight:normal;
                          font-family:wf_segoe-ui_normal,'Segoe
                          UI','Segoe WP',Tahoma,Arial,sans-serif;
                          font-size:14px; line-height:20px;
                          max-height:100px; overflow:hidden">
                          The Fall of SS7 Ð How Can the Critical
                          Security Controls Help? 4 "
                          #$$#%!&'()#*+!"#$$#%,-')#*./-#01,2'-! area
                          notices this registration and transfers to a
                          Visitor ...</div>
                      </td>
                    </tr>
                  </tbody>
                </table>
              </div>
              <br>
              <br>
              <br>
              <br>
              <div style="color:rgb(0,0,0)">
                <hr tabindex="-1" style="display:inline-block;
                  width:98%">
                <div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" face="Calibri, sans-serif" color="#000000"><b>From:</b> Kidd Filby
                    <a class="moz-txt-link-rfc2396E" href="mailto:kiddfilby@gmail.com"><kiddfilby@gmail.com></a><br>
                    <b>Sent:</b> Thursday, April 21, 2016 2:01 PM<br>
                    <b>To:</b> Chris Aloi<br>
                    <b>Cc:</b> Matthew Yaklin; <a class="moz-txt-link-abbreviated" href="mailto:voiceops@voiceops.org">voiceops@voiceops.org</a><br>
                    <b>Subject:</b> Re: [VoiceOps] SS7</font>
                  <div> </div>
                </div>
                <div>
                  <div dir="ltr">
                    <div class="gmail_default" style="font-family:comic
                      sans ms,sans-serif">In a strictly TDM world, or
                      conversation... having access to the SS7 network
                      gets you nothing but what and where the call
                      traversed.  NO audio is carried and without End
                      Office controlling software for call routing, just
                      dropping it into some IP connection is not going
                      to afford you anything other than what you already
                      have.  You still need access to the audio carrying
                      infrastructure of the network to get the audio.<br>
                      <br>
                    </div>
                    <div class="gmail_default" style="font-family:comic
                      sans ms,sans-serif">I cannot comment on CALEA<br>
                      <br>
                    </div>
                    <div class="gmail_default" style="font-family:comic
                      sans ms,sans-serif">Kidd<br>
                    </div>
                  </div>
                  <div class="gmail_extra"><br>
                    <div class="gmail_quote">On Thu, Apr 21, 2016 at
                      10:56 AM, Chris Aloi <span dir="ltr">
                        <<a moz-do-not-send="true" href="mailto:ctaloi@gmail.com" target="_blank">ctaloi@gmail.com</a>></span>
                      wrote:<br>
                      <blockquote class="gmail_quote" style="margin:0 0
                        0 .8ex; border-left:1px #ccc solid;
                        padding-left:1ex">
                        <div dir="auto">
                          <div>It looked like they had access to SS7
                            links (likely A links terminated to a
                            physical server) and were using FreeSWITCH
                            to somehow fork the media from the call and
                            record it.  Just a guess based on  the quick
                            console recording. </div>
                          <div><br>
                          </div>
                          <div>Correct, SS7 doesn't carry the actual
                            voice it handles the signaling to bring up
                            the voice channels (by identifying be point
                            code and CICs) and various other signaling
                            bits.  Not sure if there are provisions for
                            CALEA in SS7 that could fork a media stream
                            or exactly how that would work.</div>
                          <div><br>
                          </div>
                          <div>So I guess the barrier to entry would be
                            access to the SS7 network, not as easy as
                            hopping on the Internet, but certainly not
                            much of a challenge. </div>
                          <div><br>
                          </div>
                          <div>
                            <div>---</div>
                            <div>Christopher Aloi</div>
                            Sent from my iPhone</div>
                          <div>
                            <div class="h5">
                              <div><br>
                                On Apr 21, 2016, at 11:52 AM, Kidd Filby
                                <<a moz-do-not-send="true" href="mailto:kiddfilby@gmail.com" target="_blank">kiddfilby@gmail.com</a>>
                                wrote:<br>
                                <br>
                              </div>
                              <blockquote type="cite">
                                <div>
                                  <div dir="ltr">
                                    <div class="gmail_default" style="font-family:comic sans
                                      ms,sans-serif">There is no VOICE
                                      traversing the SS7 network, so you
                                      cannot possibly record a
                                      conversation by having access to
                                      the SS7 network only.<br>
                                    </div>
                                  </div>
                                  <div class="gmail_extra"><br>
                                    <div class="gmail_quote">On Thu, Apr
                                      21, 2016 at 9:36 AM, Matthew
                                      Yaklin <span dir="ltr">
                                        <<a moz-do-not-send="true" href="mailto:myaklin@firstlight.net" target="_blank">myaklin@firstlight.net</a>></span>
                                      wrote:<br>
                                      <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;
                                        border-left:1px #ccc solid;
                                        padding-left:1ex">
                                        <br>
                                        In other words the hacker has to
                                        have working SS7 trunks or
                                        access to someone who does? That
                                        is how I understood it.<br>
                                        <br>
                                        Not exactly a remote hack from
                                        mom's basement sort of thing.<br>
                                        <br>
                                        Matt<br>
                                        <br>
________________________________________<br>
                                        From: VoiceOps <<a moz-do-not-send="true" href="mailto:voiceops-bounces@voiceops.org" target="_blank"></a><a class="moz-txt-link-abbreviated" href="mailto:voiceops-bounces@voiceops.org">voiceops-bounces@voiceops.org</a>>
                                        on behalf of Peter Rad. <<a moz-do-not-send="true" href="mailto:peter@4isps.com" target="_blank"></a><a class="moz-txt-link-abbreviated" href="mailto:peter@4isps.com">peter@4isps.com</a>><br>
                                        Sent: Thursday, April 21, 2016
                                        11:25 AM<br>
                                        To: <a moz-do-not-send="true" href="mailto:voiceops@voiceops.org" target="_blank">voiceops@voiceops.org</a><br>
                                        Subject: [VoiceOps] SS7<br>
                                        <div>
                                          <div><br>
                                            FYI...<br>
                                            <br>
                                              U.S. carriers mum on 60
                                            Minutes report on
                                            vulnerability in SS7 -<br>
                                            <a moz-do-not-send="true" href="http://www.fiercewireless.com/story/us-carriers-mum-60-minutes-report-vulnerability-ss7/2016-04-19" rel="noreferrer" target="_blank">http://www.fiercewireless.com/story/us-carriers-mum-60-minutes-report-vulnerability-ss7/2016-04-19</a><br>
                                            <br>
                                            Regards,<br>
                                            <br>
                                            Peter Radizeski<br>
                                            RAD-INFO, Inc.<br>
                                            <a moz-do-not-send="true" href="tel:813.963.5884" value="+18139635884" target="_blank">813.963.5884</a><br>
                                            <a moz-do-not-send="true" href="http://rad-info.net" rel="noreferrer" target="_blank">http://rad-info.net</a><br>
                                            * Need bandwidth or
                                            colocation? call me<br>
_______________________________________________<br>
                                            VoiceOps mailing list<br>
                                            <a moz-do-not-send="true" href="mailto:VoiceOps@voiceops.org" target="_blank">VoiceOps@voiceops.org</a><br>
                                            <a moz-do-not-send="true" href="https://puck.nether.net/mailman/listinfo/voiceops" rel="noreferrer" target="_blank">https://puck.nether.net/mailman/listinfo/voiceops</a><br>
_______________________________________________<br>
                                            VoiceOps mailing list<br>
                                            <a moz-do-not-send="true" href="mailto:VoiceOps@voiceops.org" target="_blank">VoiceOps@voiceops.org</a><br>
                                            <a moz-do-not-send="true" href="https://puck.nether.net/mailman/listinfo/voiceops" rel="noreferrer" target="_blank">https://puck.nether.net/mailman/listinfo/voiceops</a><br>
                                          </div>
                                        </div>
                                      </blockquote>
                                    </div>
                                    <br>
                                    <br clear="all">
                                    <br>
                                    -- <br>
                                    <div>
                                      <div dir="ltr">Kidd Filby<br>
                                        <a moz-do-not-send="true" href="tel:661.557.5640" value="+16615575640" target="_blank">661.557.5640</a>
                                        (C)<br>
                                        <a moz-do-not-send="true" href="http://www.linkedin.com/in/kiddfilby" title="View public profile" name="m_6600178105790939021_UNIQUE_ID_SafeHtmlFilter_SafeHtmlFilter_webProfileURL" target="_blank">http://www.linkedin.com/in/kiddfilby</a><br>
                                      </div>
                                    </div>
                                  </div>
                                </div>
                              </blockquote>
                              <blockquote type="cite">
                                <div><span>_______________________________________________</span><br>
                                  <span>VoiceOps mailing list</span><br>
                                  <span><a moz-do-not-send="true" href="mailto:VoiceOps@voiceops.org" target="_blank">VoiceOps@voiceops.org</a></span><br>
                                  <span><a moz-do-not-send="true" href="https://puck.nether.net/mailman/listinfo/voiceops" target="_blank">https://puck.nether.net/mailman/listinfo/voiceops</a></span><br>
                                </div>
                              </blockquote>
                            </div>
                          </div>
                        </div>
                      </blockquote>
                    </div>
                    <br>
                    <br clear="all">
                    <br>
                    -- <br>
                    <div class="gmail_signature">
                      <div dir="ltr">Kidd Filby<br>
                        661.557.5640 (C)<br>
                        <a moz-do-not-send="true" href="http://www.linkedin.com/in/kiddfilby" title="View public profile" name="UNIQUE_ID_SafeHtmlFilter_SafeHtmlFilter_webProfileURL" target="_blank">http://www.linkedin.com/in/kiddfilby</a><br>
                      </div>
                    </div>
                  </div>
                </div>
              </div>
            </div>
          </div>
        </div>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">_______________________________________________
VoiceOps mailing list
<a class="moz-txt-link-abbreviated" href="mailto:VoiceOps@voiceops.org">VoiceOps@voiceops.org</a>
<a class="moz-txt-link-freetext" href="https://puck.nether.net/mailman/listinfo/voiceops">https://puck.nether.net/mailman/listinfo/voiceops</a>
</pre>
    </blockquote>
    <br>
  

</div><div><span>_______________________________________________</span><br><span>VoiceOps mailing list</span><br><span><a href="mailto:VoiceOps@voiceops.org">VoiceOps@voiceops.org</a></span><br><span><a href="https://puck.nether.net/mailman/listinfo/voiceops">https://puck.nether.net/mailman/listinfo/voiceops</a></span><br></div></body></html>