Network-based Attacks

Network-based attacks exploit known weaknesses in network infrastructure or protocols. Many of these weaknesses persist because carriers must keep their networks interoperable and backwards-compatible with older systems, so the insecure protocol versions are never switched off. Third-party attackers use them to intercept your data as it travels across the network.

Man-in-the-Middle (MITM) Attack

An attacker inserts himself between the call originator and the recipient and fools each party into believing it is communicating directly with the other, when in fact both are communicating with him. Having convinced both sides that they are in a legitimate, secure conversation, the attacker learns both parties’ IMSIs and physical locations and sees the full contents of their conversation, which he can eavesdrop on or record for other nefarious purposes.

The most common methodology for achieving a MITM voice attack is the Baseband Attack described in the Vysk Threat Brief of that name. It requires a fake cellular “tower” that tricks nearby mobile phones into attaching to it rather than to a legitimate cell tower. Once a phone has attached, the fake tower typically downgrades or completely disables the native tower-to-phone encryption, captures the phone’s IMSI, and forwards the call on to its intended recipient, with neither party aware that the call has been compromised. Once inserted into a call in this way, the attacker can even modify the contents of text messages before forwarding them to the recipient. This sort of interception equipment is commonly used by law enforcement (e.g., the Stingray system), but it can also be purchased online or built from commodity software-defined radio hardware for typically less than $2000. Other variants of the same methodology exist, including bogus Wi-Fi networks and gateways.

A strongly encrypted voice call begins with a key exchange between the two parties: each sends the other a public key, and from the pair each derives the same secret session key, which only the two of them should know. The weak point is that a public key carries no proof of who sent it. A MITM fraudster intercepts the originator’s public key and substitutes one of his own, so that the originator unknowingly establishes a session key with the attacker rather than with the recipient. He then does the same in the other direction, presenting a second public key of his own to the recipient and establishing a second session key with them. The attacker now impersonates each party to the other and relays the traffic between them. Holding both session keys, he can decrypt every voice or data packet, read or alter it, and re-encrypt it for the other side, while both parties see a call that appears to be end-to-end encrypted. The defense is to authenticate the exchanged keys out of band, for example by having both parties compare a short authentication string derived from the keys each of them actually received; the strings will not match if an attacker has substituted his own.
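The exchange described above, as an added example that is not part of the original brief and not Vysk’s code: an unauthenticated Diffie-Hellman key agreement between Alice and Bob, the same exchange with an attacker substituting his own public keys on both legs, and the short-authentication-string check that exposes him. The group parameters, the HMAC-based stream cipher standing in for the voice cipher, and the message contents are all assumptions chosen to keep the script self-contained; a real client would use X25519 or an RFC 7919 group and a proper AEAD.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (assumption, for a runnable demo only): the Mersenne
# prime 2^127 - 1 with generator 3 is far too weak for real use, but every
# value fits in 16 bytes, which keeps the serialisation below simple.
P = 2**127 - 1
G = 3


def dh_keypair():
    """Return (private, public) for one side of the exchange."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def session_key(priv, peer_pub):
    """Derive the call key from the shared secret (SHA-256 as a stand-in KDF)."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def encrypt_frame(key, frame, counter):
    """Toy stream cipher: HMAC-SHA256 keystream in counter mode XORed with the
    frame (<= 32 bytes).  Symmetric, so the same call decrypts.  This stands in
    for the real voice cipher; the key agreement is the point, not this."""
    stream = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    if len(frame) > len(stream):
        raise ValueError("frame longer than one keystream block")
    return bytes(a ^ b for a, b in zip(frame, stream))


def sas(initiator_pub, responder_pub):
    """Short authentication string: a truncated hash of both public keys *as this
    side saw them*.  Both parties read theirs aloud and compare (as ZRTP does)."""
    data = initiator_pub.to_bytes(16, "big") + responder_pub.to_bytes(16, "big")
    return hashlib.sha256(data).hexdigest()[:8]


def run_call(frame, mitm=False, tamper=None):
    """Alice calls Bob.  With mitm=True an attacker relays the key exchange,
    substituting his own public keys, and optionally replaces the frame."""
    a_priv, a_pub = dh_keypair()          # Alice
    b_priv, b_pub = dh_keypair()          # Bob
    intercepted = None

    if not mitm:
        alice_sees, bob_sees = b_pub, a_pub
    else:
        # The attacker holds one key pair towards each victim.
        ma_priv, ma_pub = dh_keypair()    # presented to Alice as "Bob"
        mb_priv, mb_pub = dh_keypair()    # presented to Bob as "Alice"
        alice_sees, bob_sees = ma_pub, mb_pub

    key_alice = session_key(a_priv, alice_sees)
    key_bob = session_key(b_priv, bob_sees)
    wire = encrypt_frame(key_alice, frame, 1)   # Alice -> network

    if mitm:
        # The attacker shares key_alice with Alice and key_bob with Bob:
        # decrypt, read (or modify), re-encrypt.  Neither victim sees an error.
        k_to_alice = session_key(ma_priv, a_pub)
        k_to_bob = session_key(mb_priv, b_pub)
        intercepted = encrypt_frame(k_to_alice, wire, 1)
        wire = encrypt_frame(k_to_bob, tamper if tamper else intercepted, 1)

    delivered = encrypt_frame(key_bob, wire, 1)  # network -> Bob
    return {
        "delivered": delivered,
        "intercepted": intercepted,
        "sas_alice": sas(a_pub, alice_sees),   # Alice: her key, then what she got
        "sas_bob": sas(bob_sees, b_pub),       # Bob: what he got, then his key
    }


if __name__ == "__main__":
    clean = run_call(b"meet at 9")
    bad = run_call(b"meet at 9", mitm=True, tamper=b"meet at 6")
    print("no MITM  :", clean["delivered"], "SAS match:",
          clean["sas_alice"] == clean["sas_bob"])
    print("with MITM:", bad["delivered"], "attacker read:", bad["intercepted"],
          "SAS match:", bad["sas_alice"] == bad["sas_bob"])
```

Without the attacker the two strings are identical; with him each party hashes a different pair of keys, so the strings differ and the call should be abandoned. The check only works if the parties actually compare the strings over the voice channel, which is why products that automate key exchange without any such step give no protection against this attack.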

CCS7/SS7 Vulnerability

The CCS7 network (Common Channel Signaling System No. 7, usually just SS7) was developed in the mid seventies to control the routing of phone calls using out-of-band signaling. The messages carried on it control not only the setup and completion of calls, but also numerous billing functions and the activation of advanced features that are today taken for granted (call forwarding, call waiting, roaming, etc.). SS7 was designed for a closed club of trusted carriers: its messages are neither encrypted nor authenticated, so any node that can reach the network is trusted by every other node. Once an attacker has such access, it is relatively easy to perform numerous nefarious activities, most notably locating a phone down to the cell it is currently attached to, and intercepting and eavesdropping on calls and text messages.

The weaknesses of the CCS7 network came to the fore in mid 2014 with the publication of several technical articles describing ways of gaining access to the network and the various actions that such access could facilitate. Much has since been written on this issue, and it has even attracted the attention of U.S. government officials. In April 2016, Congressman Ted Lieu called for an oversight committee investigation, saying:

“The applications for this vulnerability are seemingly limitless, from criminals monitoring individual targets to foreign entities conducting economic espionage on American companies to nation states monitoring US government officials. ... The vulnerability has serious ramifications not only for individual privacy, but also for American innovation, competitiveness and national security.”

On the plus side, the SS7 network is not reachable from the public Internet, so an everyday computer with an Internet connection is not enough to mount the attack. However, the interconnection the attacker needs is available to anyone who holds a telecom carrier license, or who buys access through a licensed operator or reseller, and obtaining such a license is remarkably easy in many countries.

The only piece of information the attacker needs in advance is the target’s phone number. The SS7 network itself supplies the rest: the routing lookup that every network performs to deliver an SMS text message (the MAP SendRoutingInfoForSM query) returns the target’s International Mobile Subscriber Identity (IMSI), the unique identifier stored on the SIM card, together with the address of the switch currently serving the phone. With the IMSI, SS7 access and readily available SS7 software for Linux, the fraudster has all he needs to redirect, intercept and eavesdrop on calls.
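There is nothing a subscriber can configure against this, but the carrier can see the attack in its own signaling traffic. The following is an added example, not part of the original brief and not Vysk’s code: a minimal SS7-firewall style check run over a constructed log of MAP messages arriving at a home network. The record layout, the global-title (GT) prefixes, the partner lists and the 30-minute travel threshold are all assumptions; the operation names are the real MAP operations used in the attacks described above.

```python
from datetime import datetime, timedelta

# Constructed sample of MAP signalling records as a firewall at the home
# network's edge might log them (assumption: the field layout is invented, not
# any vendor's).  Global titles are E.164 numbers, so the leading digits tell
# us which country the sending node claims to be in.
HOME_CC = "1"                               # home network: US
ROAMING_PARTNERS = {"44", "33", "49"}       # countries we have roaming agreements with
SMS_HUBS = {"447700", "339900"}             # GT prefixes of contracted SMS hubs
MAX_TRAVEL = timedelta(minutes=30)          # a country change faster than this is implausible
CC_TABLE = {"1": "US", "44": "GB", "33": "FR", "49": "DE", "882": "INTL"}

RECORDS = [
    # (time, MAP operation, calling GT of the sender, IMSI concerned)
    ("2016-04-18T10:00:00", "updateLocation",       "447700900001", "310150123456789"),
    ("2016-04-18T10:05:00", "sendRoutingInfoForSM", "447700900002", "310150123456789"),
    ("2016-04-18T10:07:00", "sendRoutingInfoForSM", "882500000001", "310150123456789"),
    ("2016-04-18T10:09:00", "anyTimeInterrogation", "882500000001", "310150123456789"),
    ("2016-04-18T10:12:00", "updateLocation",       "882500000002", "310150123456789"),
    ("2016-04-18T10:15:00", "updateLocation",       "339900700001", "310150123456789"),
]


def country(gt):
    """Longest-prefix match of a global title against the country-code table."""
    for n in (3, 2, 1):
        if gt[:n] in CC_TABLE:
            return gt[:n]
    return None


def analyse(records):
    """Return (record index, reason) for every message that should be blocked
    or investigated.  One subscriber is assumed; real code keys by IMSI."""
    alerts = []
    last_seen = None      # (time, country) of the last accepted updateLocation
    for i, (ts, op, gt, imsi) in enumerate(records):
        t = datetime.fromisoformat(ts)
        cc = country(gt)
        if op == "anyTimeInterrogation" and cc != HOME_CC:
            # ATI asks the HLR for the subscriber's cell; it has no legitimate
            # use between operators, so from outside it is a location probe.
            alerts.append((i, "ATI from outside home network: location probe"))
        elif op == "sendRoutingInfoForSM" and cc != HOME_CC \
                and not any(gt.startswith(p) for p in SMS_HUBS):
            # SRI-SM discloses IMSI and serving MSC.  Unknown senders get
            # flagged (or, better, home-routed so the real IMSI never leaves).
            alerts.append((i, "SRI-SM from unknown node: IMSI disclosure"))
        elif op == "updateLocation":
            # updateLocation re-registers the phone under a new switch; from an
            # attacker's node it diverts the subscriber's calls and texts.
            if cc != HOME_CC and cc not in ROAMING_PARTNERS:
                alerts.append((i, "updateLocation from non-partner network: call redirection"))
            elif last_seen and cc != last_seen[1] and t - last_seen[0] < MAX_TRAVEL:
                alerts.append((i, "updateLocation: implausible travel since last registration"))
            else:
                last_seen = (t, cc)
    return alerts


if __name__ == "__main__":
    for idx, why in analyse(RECORDS):
        ts, op, gt, imsi = RECORDS[idx]
        print(f"{ts} {op:<20} from {gt}: {why}")
```

In the sample the first two messages are a legitimate roamer in the UK; the next three come from a node with no roaming or SMS agreement and match the sequence an interceptor sends (learn the IMSI, check the location, take over the registration). The last record is from a genuine partner, but fifteen minutes after the phone was registered in a different country, which is the velocity check operators use to catch redirection from networks they do trust.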

It is worth noting that setting up this sort of attack (re-registering the phone so that its calls route through the attacker) can cause the target’s first call to fail, forcing them to dial again. Most people think little of this, and on its own it proves little: failed and dropped calls have many benign causes, and a single failed first attempt is not evidence of interception. A persistent pattern of needing two attempts to complete mobile calls is, however, a reason to raise the matter with your carrier, which can check its signaling records for unexpected location updates on your number.

Find out more about the QS1 case and how it protects against network attacks.
