The CCS7 network (Common Channel Signaling System No. 7, also known as SS7) was developed in the mid-seventies to control the routing of phone calls using out-of-band signaling. The data packets transmitted on the network control not only the initiation and completion of calls, but also numerous billing functions and the activation of advanced features that are today taken for granted (call forwarding, call waiting, etc.). Because the data packets transmitted via CCS7 are unencrypted, it has become relatively easy to gain access to this network and to use it to perform numerous nefarious activities, the most notable of which are locating a cell phone with an accuracy of a few meters and intercepting and eavesdropping on calls.
The weaknesses of the CCS7 network came to the fore in mid-2014 with the publication of several technical articles describing ways of gaining access to the network and the various actions that such access could facilitate. Much has since been written on this issue, and it has even attracted the attention of U.S. government officials. In April 2016, Congressman Ted Lieu called for an oversight committee investigation, saying:
“The applications for this vulnerability are seemingly limitless, from criminals monitoring individual targets to foreign entities conducting economic espionage on American companies to nation states monitoring US government officials. ... The vulnerability has serious ramifications not only for individual privacy, but also for American innovation, competitiveness and national security.”
On the plus side, it is not possible to initiate such an attack by accessing a carrier network using an everyday computer and the Internet. However, the SS7 hub hardware that is required is easily accessible to anyone who acquires a telecom carrier license, something that is remarkably easy to accomplish in many countries.
The only piece of information required by the attacker is the target’s unique SIM card identifier, the International Mobile Subscriber Identity (IMSI). The actual attack is then carried out using SMS text messages, which travel over the CCS7 network. With this information and a copy of the readily available “SS7 for Linux” software package, the attacker has everything needed to intercept and eavesdrop on calls.
It is worth noting that setting up this sort of attack typically results in the target’s first call failing, which forces them to initiate a second. Most people think little of this occurrence, but if you regularly have to make two attempts to get a mobile call to complete, this is almost certain evidence that your calls are being eavesdropped on.