Amazingly, SS7 does not employ the basic means of protection against hacks: the traffic is not encrypted and the equipment is unable to distinguish between legitimate and rogue commands. The system would process any command it would get regardless of the source. The reason is very simple: as presupposed by those who elaborated on the protocol 40 years ago, in SS7, the signalling layer is separated from the voice layer, and, consequently, no one apart from the staff at the phone switch would be able to access this channel.
Even if someone would, there was no practical use in it: no commands, except those telling to connect to a subscriber, were transmitted through the network, so there was no need to think about faux packets being transported across the layer. However, the situation changed as soon as the procedure of processing SS7 commands over IP was introduced in , essentially exposing the SS7 layer to outside access. One would need a special device — a SS7 hub.
Now, let us review the options a criminal or a hacker could leverage. Using these parameters, the open database can to the nearest hundred meters show where the victim is currently located.
No additional actions are required for this attack. USSD commands allow organizing a conversational interaction of subscriber and telecom operator in the mode of sending short messages.
Attacker has the power to influence the voice call routing mechanism by redirecting the incoming call to an arbitrary number. With an established fraud scheme, this number, for example, can serve as an expensive international route, the traffic of which is put up for sale.
In this way a huge connection fee will be charged from the unsuspecting caller. At the same time transmission of IMSI occurs that is also necessary for message routing. The same method allows for a hacker to eavesdrop on outbound phone calls, with a little more effort applied: the forwarding path could be established for the phone the victim calls to. The number is discovered when the outbound call issues a request containing an intended phone number and forwards it to a billing system so it applies certain call charge rate and then bills the call to the caller.
It is inherent from day one since the protocol has been around. Only a fundamental change in the way cellular communications work might provide an opportunity to eliminate the issue completely. There is another means of solving the problem, which is bound to deploying complex subscriber activity monitoring systems to spot allegedly malicious subscriber activities. A number of IT companies offer automated systems, which, in essence, remind of anti-fraud platforms widely used by banks.
The carriers are in no particular rush to deploy such systems, leaving the subscribers wondering whether or not they are protected from such attacks. Some mobile network globally are applying the following protection methods to SIM cards it issues:. Sign in. Privacy Policy. For instance, a fraudster might request the identifier of the cellular base station currently serving the target subscriber. Armed with this unique identifier and any of numerous subscriber databases available on the Internet, one can find out the exact location of the subscriber, with high precision of some dozens of meters.
A number of simple programs are able to fully automate the process, conveniently requesting only to input the mobile number and get a dot of the map. One might request HLR to reconnect to another VLR and input the wrong value, thus blocking incoming calls and messages.
This opens further opportunities to stealthily hijack calls and messages. SMS hijacking is a perfect method to intercept one-time verification codes used by various two-factor authentication systems. The same method allows for eavesdropping on outbound phone calls, with a little more effort applied: the forwarding path could be established for the phone the victim calls to.
The number is discovered when the outbound call issues a request containing an intended phone number and forwards it to a billing system so it applies certain call charge rate and then bills the call to the caller. The impact this method might have on a more ordinary people is mostly limited to petty theft of a couple of dollars from the mobile plan: it can be achieved through sending bogus USSD commands to enable small money transfers or redirecting the calls to paid numbers and generating traffic.
It is inherent from day one since the protocol has been around. Only a fundamental change in the way cellular communications work might provide an opportunity to eliminate the issue completely.
There is another means of solving the problem, which is bound to deploying complex subscriber activity monitoring system to spot allegedly malicious subscriber activities. A number of IT companies offer automated systems, which, in essence, remind of anti-fraud platforms widely used by banks. The carriers are in no particular rush to deploy such systems, leaving the subscribers wondering whether or not they are protected from such attacks.
Most of these mobile hacking devices are capable of penetrating wireless or cellular networks and standalone devices with improperly configured network options. Many hackers are also able to access networks and standalone devices with zero to minimal security appliances and programs. Now that you know the top mobile threats this , you can better prepare your mobile devices and home or office networks against these malicious applications and hacking devices.
You should also prepare yourself against possible social hacking tactics. Here are some things to remember:. You should properly configure your built-in network security and Web privacy options.
Deploy network security appliances like a firewall for your router and offline storage devices for your confidential data. Install and properly configure system security applications.
Do this even for your mobile device. Keep in mind that the most vulnerable security links as recently reported by the CyberEdge Group are mobile devices. This means hackers are out to exploit this vulnerability so as to be able to hack into your wireless or cellular network and standalone devices. You should also properly configure the security settings and content sharing options of your online social media accounts.
The CyberEdge Group also stated in their recent report that the second weakest security links today are social media accounts. Remember, most of your social media account details are stored in the social apps of your mobile device, making it easier for cyber criminals to access your device, personal details, confidential data and home or office networks without your consent.
Practice due diligence when opening and activating downloaded content from the Web. These can be disguised as legitimate downloads. Be wary of calls and social media requests from strangers. Also keep in mind to carefully review the URLs of links and the email addresses of familiar senders before clicking those links or replying to those emails.
Many hackers deploy phishing scams to steal your private data, financial information and other personally identifiable details. They use domains and email addresses that can be mistaken by many as the legitimate domains and email addresses of their service providers, companies, family, friends, and colleagues. By following these techniques, you can fortify the security of your mobile device and home or office networks against these mobile hacking tools and malicious applications.
So, share these tips with your mobile contacts, and help them avoid becoming one of those poor victims whose records are now part of the 1,,, reported compromised records globally since in the Breach Level Index. A new tab for your requested boot camp pricing will open in 5 seconds. If it doesn't open, click here. Ifeanyi Egede is an experienced and versatile freelance writer and researcher on security related issues with tons of published works both online and in the print media.
He has close to a decade of writing experience. When he is not writing, he spends time with his lovely wife and kids. Learn more about how Ifeanyi Egede could be of help to your business at ifeanyi2excel gmail.
0コメント