I hate to tell them this…

Hackers use Congressman’s iPhone to demo ability to listen into calls, monitor texts, track location [Updated]
Apple may take iOS security so seriously that it’s willing to do battle with the FBI over it, but German hackers have demonstrated that all phones – even iPhones – are susceptible to a mobile network vulnerability that requires nothing more than knowing your phone number. Armed with just that, hackers can listen to your calls, read your texts and track your position.

…but that’s essentially the same thing as the mandated CALEA phone tapping capability that they forced on the industry. The only difference is that the Feds are provided their own channel into the network. This “hack” (which isn’t a hack) just uses a standard SS7 channel for access.

Sid Scriptkiddy isn’t going to sit in his mom’s basement and tap President Barrycade’s phone (unfortunately). This requires direct access to the SS7 network; you have to be part of the network. So you either build an SS7 node and sign an interconnect contract with a common carrier, or you find some open line into the SS7 system; only the latter would be a hack.

Carriers that operate SS7 networks should make sure access to their network is secure: no open dialups (believe me, it happens), no unsecured SCADA links. But “fixing” this “flaw” in the SS7 protocol itself…

…is impossible without either 1) eliminating much of the functionality that allows cell networks to operate, or 2) breaking CALEA. I’m all for the second option.

BTW, the articles make a big deal about this affecting iPhones, but read the fine print and you’ll realize that it affects all phones. Not all smartphones, but all telephones including that dinosaur wired to the wall in your kitchen. They won’t get the location data that a cell network has, but everything else is a go. They’re exploiting standard SS7 functions like Caller ID and call forwarding.
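Since the post’s point is that the only practical fix is access control at the interconnect rather than a change to SS7 itself, here is a toy model of that check. This is an added example, not code from the original post or from any real SS7 stack: the point codes, number prefixes, operation names and message layout are all assumptions, and it deliberately ignores roaming, which is exactly the functionality the post says you can’t remove without breaking the network.

```python
"""Toy model of an SS7 interconnect gateway that admits signaling only from
contracted peers, and only for subscribers those peers actually serve.

Added illustration, not a real SS7 implementation. Every identifier below
(point codes, prefixes, operation names) is a constructed assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SigMessage:
    origin_pc: str    # originating signaling point code, assumed "x-y-z" form
    operation: str    # constructed operation name, not a real MAP opcode
    subscriber: str   # E.164 number the operation targets


# Constructed: contracted peers and the number prefixes each one serves.
TRUSTED_PEERS = {
    "1-10-1": {"+1555"},   # hypothetical carrier A
    "1-10-2": {"+1444"},   # hypothetical carrier B
}

# Operations that alter a subscriber's service (the post's "call forwarding"
# example) and so should only be honoured from that subscriber's home carrier.
# Simplification: real roaming lets a visited network send some of these.
HOME_ONLY_OPS = {"set_call_forwarding", "get_routing_info"}


def screen(msg: SigMessage) -> tuple[str, str]:
    """Return ("accept"|"drop", reason) for one signaling message."""
    prefixes = TRUSTED_PEERS.get(msg.origin_pc)
    if prefixes is None:
        # Not a contracted peer at all: this is the "open line" the post warns about.
        return ("drop", "origin is not a contracted peer")
    if msg.operation in HOME_ONLY_OPS and not any(
        msg.subscriber.startswith(p) for p in prefixes
    ):
        # Contracted peer, but asking to reconfigure a number it does not serve.
        return ("drop", "peer does not serve this subscriber")
    return ("accept", "ok")


def screen_all(messages: list[SigMessage]) -> list[tuple[SigMessage, str, str]]:
    """Screen a batch and return (message, verdict, reason) for each."""
    return [(m, *screen(m)) for m in messages]


if __name__ == "__main__":
    # Constructed sample traffic: one legitimate request, one from a rogue
    # signaling point, one from a real peer targeting another carrier's number.
    sample = [
        SigMessage("1-10-1", "set_call_forwarding", "+15551234567"),
        SigMessage("9-99-9", "set_call_forwarding", "+15551234567"),
        SigMessage("1-10-2", "set_call_forwarding", "+15551234567"),
    ]
    for m, verdict, reason in screen_all(sample):
        print(f"{m.origin_pc} {m.operation} {m.subscriber}: {verdict} ({reason})")
```

The first rule is the one the post actually calls for: if you are not a contracted peer, nothing you send is looked at. The second rule is where the trade-off bites; tighten it and you break legitimate roaming, loosen it and any contracted peer can redirect anyone’s calls with just a phone number.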
