A new technique that can hack into mobile phones simply with their number has made headlines worldwide, but is the threat overblown?
60 Minutes, the CBS news programme, sent an off-the-shelf iPhone to Californian congressman Ted Lieu, and German computer engineer Karsten Nohl from Security Research Labs was able to track his movements and access his personal communications.
Having simply been told the device’s number, the hacker was able to listen in on a call between Lieu and the show’s presenter Sharyn Alfonsi.
The hack exploits a little-known network interchange service called Signalling System No. 7, or SS7, which acts as a broker between different international networks, providing number translation and local number portability. Mobile operators have access to this network.
Nohl’s hack reveals that, more than a year after he first demonstrated it at a hacking conference, the vulnerability has not been addressed.
Worryingly, since it is a network issue, the vulnerability applies equally to any mobile phone connected to the network. Since the attacks are based on legitimate SS7 messages, filtering these could impact the quality of service of the network.
A report by Positive Technologies about SS7 security noted that the infrastructure could be used for other purposes, not just collecting information. An attacker could use the procedure of generating a roaming number when a voice call comes in to deny service to a handset.
Of course, for most people, the headline statement that somebody can hack into your phone by simply knowing your number is perhaps more scary than the reality.
The risk of a person being hacked correlates with the value of the information that is hosted on their mobile device. So while people might be concerned for their privacy, the average person is unlikely to be a target.
Enterprise mobile phone users should be more concerned. It is hardly difficult to get hold of a C-level executive’s phone number, and they may conduct secure calls using this device.
The Positive Technologies report shows that this is not a low-cost, high-volume attack like phishing, but nor would the attacker require sophisticated equipment or expert knowledge.
To access an SS7 network, they might need to acquire an existing provider’s connection on the black market and obtain authorisation to operate as a mobile carrier in a country with lax communications laws.
A hacker working as a technical specialist at a telecoms operator could also connect their hacking equipment to the SS7 network.
There are signs that people are aware of the risk: the Intelligence Annual Industry Survey from HAUD found that 84 per cent of industry experts think SS7 security is important. However, 31 per cent do not understand the individual risks it poses to their organisation.
Bob Tarzey, Principal Analyst at Quocirca, told CBR that since the bug only applies to operator infrastructure, Voice over IP services such as wi-fi calls, which travel as IP traffic, would not go over this infrastructure and would hence be safe.
He added that "anything that is encrypted should be safe, so for example a WhatsApp message would not be interceptable regardless of the network it is sent over."
He said that operators needed to address this concern quickly and effectively if over-the-top services were not to gain the upper hand.
Gemalto’s Data Protection CTO Jason Hart told CBR that patching up the vulnerability was important, but he also emphasised that for organisations encryption should be the priority.
"Encryption is not enough on its own though and organisations must use private keys and certificates to further protect it."