
Signaling System 7 (SS7) is a big security problem. It's the packet-switched control network for the phone system, and it has very little security. It was designed in 1980 to be run only internally between phone switches.

The main function of SS7 is call setup. All the switches along the route get their switching commands over SS7, not over the circuit-switched channel. (That went out with SS5, the old audio-tone based system). Call setup is preceded by "translation", turning a destination phone number into a route. That's done with query messages over SS7.

This allows outsourced wiretapping. Verisign offers this as a service for telcos, so they don't have to deal with law enforcement themselves.

http://www.verisign.com/static/001927.pdf

Verisign, which also runs much of the US SS7 network (http://www.verisign.com/stellent/groups/public/documents/dat...), is well placed to do this. All they have to do for a wiretap is to have the translations for a source or destination number reroute to a wiretap point, which then records while forwarding to the desired destination. As an SS7 provider, they already have all the call metadata.

Vulnerabilities come in because more parties now have SS7 access. Cellular roaming and VoIP to landline routing are managed over SS7. So a large number of computers other than dedicated telco switches now have SS7 connections. A break-in at any of those points has wiretapping potential.



A bit of a plug. If anyone is interested in playing with (doing research on) SS7 vulnerabilities, a few years back (five) I participated in building a pretty cute test toolkit that allows one to send/receive/parse/play scenarios using SS7/C7/3G/CDMA/.../SCTP/SS7 over IP/... packets on any level of the network. The list of supported protocols is available here: http://www.linkbit.com/platforms It follows standards and usually implements 100% of the protocol (including conditional constraints, etc.), but also allows one to 'break' stuff and send custom/unsupported/broken fields.

It is pretty cute: you can do most of the stuff just in the visual packet editors / flow editors and, where necessary, revert to Python snippets.

To get the feel of it, and see some pics: http://docs.linkbit.com/

Edit: and basically yes. As a protocol engineer and somebody very familiar with SS7/C7/GSM/..., once you have access to the network (which can be done over IP!) I wouldn't be at all surprised if you could misuse it.


As someone who used to be more interested in this stuff, it seems I missed the part where SS7 access became generally available. The first mention of it I saw, I think, was on an SMS provider's web site under a "Contact Us" type banner. Which makes me wonder: what changed to allow more businesses access, and more importantly, where do I sign up? :)

SS7 is one of those revered buzzphrases from my teen years, even getting to play with it for a weekend would really sweeten my Christmas.


If I understand correctly, all of the femtocell products that consumers can purchase and deploy are little SS7 gateways that you can have right in your home...


SS7 really isn't generally available, it'd be another carrier doing the insertion into the network.


It's funny because some developing countries still use the now ancient R2 signalling and wouldn't be directly affected by this (just in connecting networks I'd assume). IIRC Brazil is still a big user of R2, unfortunately for those working with VoIP. Also China.
