View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
April 19, 2016updated 05 Sep 2016 11:09am

Hackers can access your phone with just your number: but how scared should your business be?

News: Steps that you can take to protect against a SS7 hack.

By Alexander Sword

A new technique that can hack into mobile phones simply with their number has made headlines worldwide, but is the threat overblown?

60 Minutes, the CBS news programme, sent an off-the-shelf iPhone to Californian congressman Ted Lieu, and German computer engineer Karsten Nohl from Security Research Labs was able to track his movements and access his personal communications.

Having simply been told the device’s number, the hacker was able to listen in on a call between Lieu and the show’s presenter Sharyn Alfonsi.

The hack exploits a little-known network interchange service called Signalling System No. 7, or SS7, which acts as a broker between different international networks, providing number translation and local number portability. Mobile operators have access to this network.

Nohl’s hack reveals that over a year since he first demonstrated it at a hacking conference, the vulnerability has not been addressed.

Worryingly, since it is a network issue, the vulnerability applies equally to any mobile phone connected to the network. Since the attacks are based on legitimate SS7 messages, filtering these could impact the quality of service of the network.

A report by Positive Technologies about SS7 security noted that the infrastructure could be used for other purposes, not just collecting information. An attacker could use the procedure of generating a roaming number when a voice call comes in to deny service to a handset.

Content from our partners
Unlocking growth through hybrid cloud: 5 key takeaways
How businesses can safeguard themselves on the cyber frontline
How hackers’ tactics are evolving in an increasingly complex landscape

Of course, for most people, the headline statement that somebody can hack into your phone by simply knowing your number is perhaps more scary than the reality.

The risk of a person being hacked of course correlates to the value of the information that is hosted on their mobile device. So while people might be concerned for their privacy, the average person is unlikely to be a target.

Enterprise mobile phone users should be more concerned. It is hardly difficult to get hold of a C-level executive’s phone number, and they may conduct secure calls using this device.

The Positive Technologies report shows that this is not a low-cost, high-volume attack like phishing but nor would the attacker require sophisticated equipment or expert knowledge.

To access an SS7 network, they might need to acquire an existing provider’s connection on the black market and obtain authorisation to operate as a mobile carrier in a country with lax communications laws.

Hackers working as a technical specialist at a telecoms operator could also connect their hacking equipment to the SS7 network.

There are signs that people are aware of the risk: the Intelligence Annual Industry Survey from HAUD found that 84 percent of industry experts think SS7 security is important. However, 31 per cent do not understand the individual risks it poses to their organisation.

Bob Tarzey, Principal Analyst at Quocirca, told CBR that since the bug only applies to operator infrastructure, using Voice over IP services such as wi-fi calls, which travel as IP traffic, would not go over this infrastructure and would hence be safe.

He added that "anything that is encrypted should be safe, so for example a WhatsApp message would not be interceptable regardless of the network it is sent over."

He said that operators needed to address this concern quickly and effectively" if over-the-top services were not to gain the upper hand.

Gemalto‘s Data Protection CTO Jason Hart told CBR that patching up the vulnerability was important, but he also emphasised that for organisations encryption should be the priority.

"Encryption is not enough on its own though and organisations must use private keys and certificates to further protect it."

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU