The SS7 Flaw: What it is, and How Hackers Abuse It

By on Apr 26, 2016

Users don’t always have it easy when it comes to online security. Beyond the plethora of passwords, usernames, security questions and websites to remember, you still have to be on guard for malicious application and programs. Now you can add the security of obscure, but critical, technologies to that list.

60 Minutes recently published a segment on the security worries around an obscure, but important, backend technology for mobile networks. The technology in question is called Signaling System Seven, or SS7. It’s a critical part of the overall security posture for mobile phone. Let me put it this way: if mobile security were a Jenga tower, then SS7 would be the one peg the entire tower balances on.

In this case, the peg is a global network connecting carriers with phone users. SS7 is a critical piece of the mobile puzzle, allowing phone networks to exchange data, phone calls, messages and more. It’s also the technology that allows travelers to roam on other networks while traveling abroad, and helps banks to confirm mobile payments via geolocation. For today’s mobile world, it’s a critical, but quiet, part of our daily lives.

The problem, however, is that anyone with their hands on someone’s phone number (and a lot of know-how) can use SS7 to intercept calls and record messages with relatively little work. What’s more, it’s very difficult to stop an SS7 attack; it can happen even if you follow security best practices.

It’s unsettling, but it’s not all bad news. For one, you likely don’t have to worry about someone surveilling you with SS7. That’s largely because SS7’s potential security dangers have been known since 2014 and also because such a powerful technique would probably be utilized to spy on individuals in positions of power. For another, we’re talking openly about SS7 vulnerabilities, which means industry associations, companies and networks want to see the vulnerabilities fixed.

Over the coming years, SS7 will be patched, if not outright replaced (as Ars Technica reports), for your protection. You can expect the same sort of treatment for many of the outdated, or insecure, industrial technologies we use day to day.

So, what can you do in the meantime? Well, there’s little you or I could do to defend against SS7 attacks at this time, but it still pays to stick to mobile security best practices. So keep these tips in mind as you use your mobile devices:

  • Watch what you download. Applications make mobile phones what they are: our go-to resource for pretty much everything. Which is why you need to keep an eye out for malicious mobile apps. Always check the developer behind a mobile application before you purchase it. There are a lot of imitation applications that could be after more than your screen time.
  • Don’t jailbreak your phone. Jailbreaking — the process of gaining access to the underlying system on your phone — is dangerous by nature. While it may be tempting to control every aspect of your device, you’re still tempting fate by using unlicensed app stores and potentially malicious developers.
  • Use comprehensive security. A comprehensive security solution, like McAfee LiveSafe™, can help you to secure all of your devices. Not only do such solutions scan for malicious activity, but they can help track and protect your data if it gets lost.

gary

About the Author

Gary Davis

Gary Davis was previously McAfee's Consumer Security Evangelist providing security education and advice to businesses and consumers. He is a sought-after speaker on trends in digital security, appearing at conferences and events, as well as security and consumer lifestyle broadcast outlets and publications such as ABC, NBC, FOX, the Wall Street Journal, USA Today, Money ...

Read more posts from Gary Davis

Subscribe to McAfee Securing Tomorrow Blogs