Exposing The Flaw In Our Phone System

00:31:54
https://www.youtube.com/watch?v=wVyu7NB7W6Y

Summary

TL;DR: In this episode, Linus from Linus Tech Tips is hacked, with his permission, through the SS7 signaling network, exposing a critical weakness in global telecommunications. Derek from Veritasium, working with security researchers Karsten Nohl and Alexandre De Oliveira, intercepted Linus's phone calls and SMS two-factor codes remotely, without touching his phone or sending him anything, and the same technique works against any subscriber. The story starts with 1970s phone phreaking, when Steve Jobs and Steve Wozniak built 'blue box' devices that exploited in-band signaling, and follows the industry's fix, SS7, into the present, where its inter-operator trust model can be abused to intercept calls and texts and to track a phone's location. The episode explains why SS7 is so hard to retire and advises viewers to move off SMS-based two-factor authentication to authenticator apps or hardware tokens.

Takeaways

  • πŸ” SS7 vulnerabilities can be exploited for phone hacking.
  • πŸ“ž Linus Tech Tips demonstrated an SS7-based attack.
  • πŸ”‘ Steve Jobs used blue box devices for phone hacking historically.
  • 🌐 SS7 is still widely used, despite its security flaws.
  • πŸ“± Hackers can intercept calls and messages using SS7.
  • πŸ” Move away from SMS-based 2FA for better security.
  • 🚨 SS7 can be used for tracking individual locations.
  • πŸ”— Changing SS7 is difficult due to infrastructure reliance.
  • πŸ’¬ Use encrypted messaging apps to avoid interception.
  • πŸ“ˆ Millions of SS7-based attacks occur annually.

Timeline

  • 00:00:00 - 00:05:00

    Linus from Linus Tech Tips learns that the phone network can be hacked to intercept his calls without anyone touching his phone or sending him a message, showing that interception is possible entirely remotely. The segment then turns to the history of phone hacking: Steve Jobs and Steve Wozniak's blue box, which tricked the telephone company into connecting long-distance calls for free, including the famous prank call to the Pope in which Wozniak posed as Henry Kissinger.

  • 00:05:00 - 00:10:00

    How manually operated exchanges and rotary dial telephones worked: the dial sends one pulse per digit down the line, but those pulses distort over long lines, so phone companies moved to touch tone phones that signal each digit as a pair of audio frequencies inside the voice band. Because the network's own control signals (such as the 2600 Hz idle tone) also travelled in the voice band, Jobs and Wozniak could bypass tolls by playing those tones themselves, which pushed the industry toward a signaling system that carries control traffic out of band: SS7.

  • 00:10:00 - 00:15:00

    SS7, a signaling protocol still in use today, fixed the blue box problem by moving control signals onto a separate digital channel, out of the voice path. But it has weaknesses of its own. It was reportedly used in the case of Princess Latifa of Dubai: an SS7 attack located the phone of the yacht captain helping her escape, and by extension the princess. The video lays out the three steps of a modern SS7 attack: infiltrate the SS7 network, gain trust, and attack, whether by intercepting calls and messages or by tracking location.

  • 00:15:00 - 00:20:00

    Infiltrating SS7 means obtaining a Global Title (GT), the SS7 equivalent of an IP address, which can be leased for a few thousand dollars a month. Gaining trust means harvesting the target's IMSI, the 15-digit subscriber identity tied to the SIM card, by sending routing queries that networks normally answer. With the IMSI, attackers can redirect calls and messages without alerting the target. Derek from Veritasium demonstrates this by receiving a call meant for Linus on his own phone while Linus's phone never rings.

  • 00:20:00 - 00:25:00

    Security researchers explain how the same roaming trick reroutes SMS messages, letting an attacker steal one-time passwords and, on many networks, query a subscriber's location. This is why SMS-based two-factor authentication is a weak choice. The video notes that networks have deployed SS7 firewalls that drop some suspicious requests (Linus's carrier blocked the location query), but SS7 remains a critical vulnerability.

  • 00:25:00 - 00:31:54

    The conversation turns to why SS7 persists: legacy 2G/3G networks still depend on it, and moving to 5G's more secure protocols is hampered by network inertia and by devices that still need the old networks. The video closes by advising viewers to secure their communications by avoiding SMS-based authentication and using encrypted messengers.
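
The attack chain in the 00:15:00 and 00:20:00 entries (lease a Global Title, harvest the IMSI with a routing query, then register the victim as roaming so SMS is delivered to the attacker) can be modelled as a small exchange between an attacker, a home-network HLR and an SMS center. The Python below is an added example written for this page, not code from the video or from the researchers it features. The Global Titles, IMSI and phone number are constructed placeholders, the MAP operations are reduced to dictionaries, and the mitigation (a partner whitelist for UpdateLocation plus SMS home routing, which hands untrusted SMS centers a correlation id instead of the real IMSI) is a simplified version of the screening real SS7 firewalls implement.

```python
"""Toy model of the SS7/MAP exchange behind the SMS interception demo.

Constructed example for this page: the identifiers below are made up,
MAP operations are plain dictionaries, and one HLR stands in for the
home network. Real SS7 runs MAP over SCCP/SIGTRAN with ASN.1 encoding.
"""
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed identifiers, not real network numbers.
HOME_MSC_GT = "1234560002"        # MSC/VLR the target is really attached to
SMS_ROUTER_GT = "1234560003"      # home network's SMS router (home routing)
PARTNER_GTS = {"4479000001", "4479000002"}  # genuine roaming partners
ATTACKER_GT = "8889990001"        # leased GT that is not a roaming partner
OTP_SMSC_GT = "3330000001"        # third-party SMS center sending the OTP
TARGET_MSISDN = "+15550004473"
TARGET_IMSI = "302999123456789"


@dataclass
class MapMessage:
    opcode: str        # MAP operation: SendRoutingInfoForSM or UpdateLocation
    calling_gt: str    # SCCP calling-party Global Title: who is asking
    params: dict = field(default_factory=dict)


@dataclass
class HLR:
    """Home Location Register: knows each subscriber's IMSI and serving node."""
    subscribers: dict                 # MSISDN -> IMSI
    location: dict                    # IMSI -> serving MSC/VLR GT
    screening: bool = False           # apply firewall rules on interconnect?
    correlation: dict = field(default_factory=dict)  # ephemeral id -> IMSI
    log: list = field(default_factory=list)

    def handle(self, msg: MapMessage) -> dict:
        if msg.opcode == "SendRoutingInfoForSM":
            imsi = self.subscribers[msg.params["msisdn"]]
            if self.screening and msg.calling_gt not in PARTNER_GTS:
                # SMS home routing: an untrusted SMSC gets an ephemeral
                # correlation id and our own SMS router, never the real
                # IMSI or serving MSC (the data step two depends on).
                cid = "0000" + secrets.token_hex(5)
                self.correlation[cid] = imsi
                self.log.append(("HOME_ROUTED", msg.calling_gt))
                return {"imsi": cid, "nnn": SMS_ROUTER_GT}
            return {"imsi": imsi, "nnn": self.location[imsi]}

        if msg.opcode == "UpdateLocation":
            imsi = msg.params["imsi"]
            if self.screening and (msg.calling_gt not in PARTNER_GTS
                                   or imsi not in self.location):
                # Only a VLR we hold a roaming agreement with may claim
                # that one of our subscribers has attached to it.
                self.log.append(("REJECTED_UL", msg.calling_gt))
                return {"error": "unexpected data value"}
            self.location[imsi] = msg.calling_gt   # traffic now goes there
            return {"ok": True}

        raise ValueError(f"unsupported opcode {msg.opcode}")


def attack(hlr: HLR) -> Optional[str]:
    """Steps two and three from the video: harvest the IMSI, then pretend
    the victim just roamed onto the attacker's GT. Returns the IMSI on success."""
    ans = hlr.handle(MapMessage("SendRoutingInfoForSM", ATTACKER_GT,
                                {"msisdn": TARGET_MSISDN}))
    imsi = ans["imsi"]
    ans = hlr.handle(MapMessage("UpdateLocation", ATTACKER_GT, {"imsi": imsi}))
    return imsi if ans.get("ok") else None


def deliver_sms(hlr: HLR, msisdn: str, smsc_gt: str) -> str:
    """What an SMSC does to deliver a one-time password: ask the HLR where
    the phone is, then MT-ForwardSM to that node. Returns the receiving GT."""
    route = hlr.handle(MapMessage("SendRoutingInfoForSM", smsc_gt,
                                  {"msisdn": msisdn}))
    nnn = route["nnn"]
    if nnn == SMS_ROUTER_GT:
        # Home-routed: the SMS router resolves the correlation id inside
        # the home network and forwards to the real serving MSC.
        nnn = hlr.location[hlr.correlation[route["imsi"]]]
    return nnn


def run_demo(screening: bool) -> tuple:
    """Returns (IMSI the attacker learned or None, GT that received the OTP)."""
    hlr = HLR(subscribers={TARGET_MSISDN: TARGET_IMSI},
              location={TARGET_IMSI: HOME_MSC_GT}, screening=screening)
    stolen = attack(hlr)
    receiver = deliver_sms(hlr, TARGET_MSISDN, OTP_SMSC_GT)
    return stolen, receiver


if __name__ == "__main__":
    for screening in (False, True):
        stolen, receiver = run_demo(screening)
        who = "attacker" if receiver == ATTACKER_GT else "victim's MSC"
        print(f"screening={screening}: IMSI leaked={stolen!r}, OTP went to {who}")
```

Run unscreened, the one-time password is delivered to the attacker's GT and the victim's own phone never sees it, exactly as in the demo. With screening on, the attacker receives a throwaway correlation id instead of the IMSI and the bogus roaming registration is refused. The whitelist only helps against GTs that are not roaming partners; a GT leased or bribed out of a genuine partner, which is the video's point about the club having grown to thousands of members, would pass it.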

Video Q&A

  • What is SS7?

    SS7 (Signaling System No. 7) is the signaling protocol suite telephone operators use to set up and route calls, deliver SMS, and handle roaming between networks. Its defining feature is that control signaling travels on a separate channel from the voice path, which is what defeated the 1970s blue box.

  • How did Linus get hacked?

    Derek and the researchers leased access to the SS7 network through a Global Title, used routing queries to obtain the IMSI of Linus's SIM, and then told his home network that his phone was roaming on a network they controlled. The network routed his incoming calls and SMS messages, including two-factor codes, to numbers and nodes they controlled; his own phone never rang.

  • Is SS7 still in use?

    Yes, SS7 is still widely used in 2G and 3G networks, and for international roaming in 4G networks.

  • Can SS7 vulnerabilities be used for tracking?

    Yes. An SS7 location query returns the identity of the cell tower the phone is currently attached to, which in a dense urban area narrows the target to within about a hundred meters. No GPS is involved; the query abuses a function networks use for routing calls and for emergency services.

  • What can be done to protect against SS7 attacks?

    Individuals should use end-to-end encrypted communications and avoid SMS-based two-factor authentication, opting for authenticator apps or hardware tokens instead; codes generated on the device never cross the phone network, so there is nothing for an SS7 attacker to intercept.

  • What's a blue box?

    A blue box was an illicit device used in the 1970s to make free long-distance calls. It generated the network's own in-band control tones, notably the 2600 Hz idle tone, so the remote switch believed a new call was being placed. The root cause, a network acting on control signaling from a party it cannot authenticate, is the same weakness SS7 attacks exploit today, now between operators rather than on the voice line.

  • Can SS7 attacks be used to intercept 2FA codes?

    Yes, attackers can intercept SMS-based two-factor authentication codes using SS7 vulnerabilities.

  • Why hasn't SS7 been replaced?

    SS7 hasn't been replaced because it is deeply embedded in existing telecommunications infrastructure, and no single operator gains enough from being the first to move to an alternative.

  • What historical event was mentioned in relation to SS7 attacks?

    The 2018 abduction of Princess Latifa of Dubai. According to the video, the captain of the yacht she escaped on was the victim of a coordinated SS7 attack aimed at pinpointing his location, and by extension hers.

  • What is a potential downside of replacing SS7?

    Replacing SS7 could lead to issues with legacy systems and devices, such as emergency systems in cars that use 2G or 3G connections.

Subtitles
  • 00:00:00
    - This is Linus from Linus Tech Tips
  • 00:00:02
    and we hacked the phone network in order to spy on him.
  • 00:00:05
    - That's pretty messed up Derek.
  • 00:00:07
    I slept easier not knowing that.
  • 00:00:09
    - We intercepted his phone calls
  • 00:00:11
    and stole his two-factor passcodes.
  • 00:00:14
    Is that your number Linus?
  • 00:00:15
    - Yeah, but I didn't get, mine didn't even ring.
  • 00:00:19
    - We didn't touch his phone.
  • 00:00:21
    We didn't send him an email or a text, nothing.
  • 00:00:24
    We did it all remotely and the worst part is
  • 00:00:27
    it could happen to you.
  • 00:00:28
    - I think I'm really surprised that, no offense,
  • 00:00:32
    but like you guys did it.
  • 00:00:33
    (Derek laughing)
  • 00:00:35
    Well, you're not a career criminal hacker mastermind,
  • 00:00:38
    necessarily. - No, indeed.
  • 00:00:40
    - But here it is, a normal looking
  • 00:00:42
    and feeling device with no, you know, obvious problem
  • 00:00:46
    with it and you just receive my call
  • 00:00:50
    instead of me receiving it.
  • 00:00:52
    Just what, like on command?
  • 00:00:53
    You just, it's an app on your computer or what?
  • 00:00:55
    I don't even know.
  • 00:00:56
    - But before we explain how we did all that,
  • 00:00:59
    (upbeat music) (crowd clapping)
  • 00:01:03
    the first startup that Steve Jobs
  • 00:01:05
    and Steve Wozniak made wasn't Apple?
  • 00:01:07
    No, they were tackling a different problem.
  • 00:01:10
    One where their product was actually illegal.
  • 00:01:13
    So back in the 1970s,
  • 00:01:15
    long distance phone calls were really expensive.
  • 00:01:17
    Adjusted for inflation,
  • 00:01:19
    a call from New York to London could run you $25 a minute.
  • 00:01:23
    So these two entrepreneurs created a little blue box
  • 00:01:26
    and what it did was it hacked the telephone network.
  • 00:01:30
    They could trick the telephone company into connecting
  • 00:01:32
    the calls for free among other things.
  • 00:01:35
    - We were young and what we learned
  • 00:01:38
    was that we could build something ourselves
  • 00:01:44
    that could control billions of dollars worth
  • 00:01:49
    of infrastructure in the world.
  • 00:01:51
    I don't think there would've ever been an Apple computer
  • 00:01:54
    had there not been Blue Box.
  • 00:01:56
    - [Interviewer] Woz said you called the Pope.
  • 00:01:57
    - Yeah, we did call the pope.
  • 00:01:58
    Woz pretended to be Henry Kissinger
  • 00:02:01
    and we got the number of the Vatican
  • 00:02:02
    and we called the Pope and they started waking people up
  • 00:02:04
    in the hierarchy, you know, I don't know, cardinals
  • 00:02:07
    and they actually sent someone
  • 00:02:09
    to wake up the Pope when finally we just burst out laughing
  • 00:02:13
    and they realized that we weren't Henry Kissinger.
  • 00:02:16
    - But how were they able to do all of this
  • 00:02:18
    with one electronic box made from Radio Shack parts?
  • 00:02:23
    (telephone ringing)
  • 00:02:24
    Until the mid-1920s, most phones had no way of dialing.
  • 00:02:29
    When your phone was on the hook,
  • 00:02:30
    about 48 volts was connected
  • 00:02:32
    from the exchange to your phone.
  • 00:02:34
    Then when you lifted the receiver,
  • 00:02:36
    an internal circuit connected the speaker
  • 00:02:38
    and microphone drawing power
  • 00:02:40
    and that caused the voltage to drop to around 10 volts.
  • 00:02:43
    And at the telephone exchange this drop turned on
  • 00:02:46
    a light bulb alerting the operator who would then pick up
  • 00:02:49
    and ask who you're calling.
  • 00:02:51
    - [Sarah] Boston.
  • 00:02:52
    - Sarah, get me the Bluebird Diner.
  • 00:02:54
    - And after consulting a directory,
  • 00:02:56
    they would connect a wire between your line
  • 00:02:58
    and your friends.
  • 00:02:59
    Manually connecting calls was labor intensive.
  • 00:03:03
    Operators had to handle hundreds of connections per hour.
  • 00:03:06
    In 1910, one pundit said,
  • 00:03:08
    "Soon the telephone system will need
  • 00:03:09
    to employ every working age woman
  • 00:03:11
    in the country as an operator."
  • 00:03:14
    By 1950, there were more than a million
  • 00:03:16
    of them in the US alone.
  • 00:03:19
    To reduce costs, companies sought
  • 00:03:21
    to automate the call connection process
  • 00:03:23
    and one solution was the rotary dial telephone.
  • 00:03:26
    To use it, you place your finger in a number hole,
  • 00:03:29
    rotate it to the end and the dial rotates back
  • 00:03:33
    and on the inside a metal disc with ridges turns,
  • 00:03:37
    each ridge pushes two metal plates into contact
  • 00:03:40
    completing the circuit to the exchange.
  • 00:03:43
    The dial sends pulses to match each number.
  • 00:03:46
    For the number two, it sends two pulses.
  • 00:03:49
    For the number three it sends three pulses.
  • 00:03:53
    This goes on up to 10 pulses for the number zero,
  • 00:03:56
    which is why zero is at the far end of the dial
  • 00:03:58
    instead of beside the one.
  • 00:04:01
    Those pulses that travel down the phone line, they determine
  • 00:04:04
    how your line is connected.
  • 00:04:06
    So they're known as control signals,
  • 00:04:08
    but as the length of the transmission line was increased,
  • 00:04:11
    so did its capacitance and resistance
  • 00:04:13
    and this caused the clear input signals to become distorted,
  • 00:04:16
    smoothing out voltage changes.
  • 00:04:18
    So now the pulses couldn't trigger
  • 00:04:21
    the switching at the exchange.
  • 00:04:22
    While this wasn't a problem for local calls,
  • 00:04:24
    it made automating long distance almost impossible.
  • 00:04:28
    Now all phone lines including long distance ones were built
  • 00:04:31
    to carry sounds in the human voice
  • 00:04:33
    and hearing range, mainly from 300 to 3,400 Hertz.
  • 00:04:38
    So why not use this built-in capability
  • 00:04:40
    to carry control signals.
  • 00:04:42
    To do this, phone companies introduced the touch tone
  • 00:04:46
    or push button telephone.
  • 00:04:48
    On a keypad,
  • 00:04:49
    specific frequencies were assigned to the horizontal axis
  • 00:04:53
    and the vertical axis
  • 00:04:55
    so that each button was uniquely identifiable
  • 00:04:58
    by the combination of two tones.
  • 00:05:00
    (buttons beeping)
  • 00:05:06
    By sending control signals within the voice band,
  • 00:05:09
    all telephone networks could receive it
  • 00:05:11
    using their existing systems independent of distance.
  • 00:05:15
    But with this innovation came an opportunity for Jobs
  • 00:05:18
    and Wozniak to exploit.
  • 00:05:21
    When you made a long distance call, it was first routed
  • 00:05:24
    to a central node.
  • 00:05:25
    This node communicated with a remote node
  • 00:05:28
    and they determined if a line was free,
  • 00:05:30
    by checking whether both sides
  • 00:05:32
    were sending a 2600 Hertz tone.
  • 00:05:36
    So Jobs and Woz exploited this.
  • 00:05:39
    First, they would dial a toll free 1-800 number
  • 00:05:42
    which would get them into a local node
  • 00:05:44
    and then they would send a 2600 hertz tone into the phone.
  • 00:05:49
    This would trick the remote node
  • 00:05:51
    into thinking the call had been disconnected.
  • 00:05:54
    So the remote node would start playing the 2600 hertz tone
  • 00:05:57
    again, but Jobs and Woz were still on the line.
  • 00:06:01
    And when they stopped playing the tone on their side,
  • 00:06:03
    the remote node assumed a new call was being placed.
  • 00:06:06
    By sending a key pulse tone
  • 00:06:09
    followed by the desired phone number
  • 00:06:10
    and ending with a start tone, they could connect
  • 00:06:14
    to any long distance number for free
  • 00:06:17
    as the home node still believed it was connected
  • 00:06:19
    to a toll-free number.
  • 00:06:23
    The vulnerabilities in the signaling system were obvious.
  • 00:06:26
    To mimic the 2600 hertz tone,
  • 00:06:28
    some people would even use a toy whistle
  • 00:06:31
    from a Cap'n Crunch cereal box.
  • 00:06:33
    It just happened to make that frequency.
  • 00:06:36
    (whistle blowing)
  • 00:06:38
    The telephone companies clearly needed
  • 00:06:40
    to develop a new signaling protocol
  • 00:06:43
    and their solution was to use a separate digital line
  • 00:06:46
    for carrying control signals.
  • 00:06:48
    That way no one could control the network
  • 00:06:50
    by sending tones down the voice line
  • 00:06:53
    because it no longer controlled how the call was connected.
  • 00:06:57
    This new protocol was called Signaling System no. 7
  • 00:07:00
    or SS7 for short.
  • 00:07:02
    And it's still broadly in use today,
  • 00:07:05
    but it may not be as secure as people thought.
  • 00:07:10
    - Hello, my name is Latifa Al Maktoum.
  • 00:07:12
    I was born- - Princess Latifa
  • 00:07:13
    of Dubai claimed that her father Sheikh Mohammed,
  • 00:07:16
    the ruling emir had held her in solitary confinement
  • 00:07:18
    in the dark, beaten and sedated for several years.
  • 00:07:22
    In late February, 2018,
  • 00:07:24
    her Finnish martial arts instructor Tiina helped her escape.
  • 00:07:29
    They fled on a yacht captained
  • 00:07:30
    by former French intelligence officer, Hervé Jaubert.
  • 00:07:34
    And for eight days they sailed toward India.
  • 00:07:37
    Latifa was hopeful but it wasn't to last.
  • 00:07:41
    Late on the night of March 4th a dark boat pulled up
  • 00:07:44
    alongside it was sent by her father.
  • 00:07:48
    Laser sights pierced the smoke as agents boarded the yacht,
  • 00:07:51
    abducting Latifa and taking her back to Dubai.
  • 00:07:58
    But how did they find her?
  • 00:08:00
    Well the captain had been the victim
  • 00:08:02
    of a coordinated SS7 attack,
  • 00:08:05
    one aiming to pinpoint his location
  • 00:08:07
    and by extension the whereabouts of the princess.
  • 00:08:11
    And I'm going to show you how using the exact same steps
  • 00:08:15
    to spy on my friends with their permission of course.
  • 00:08:19
    This is Karsten Nohl and Alexandre De Oliveira.
  • 00:08:23
    They are cybersecurity specialists
  • 00:08:25
    who are helping me spy on Linus.
  • 00:08:27
    We took three steps to spy on him.
  • 00:08:30
    First you have to infiltrate SS7,
  • 00:08:32
    second gain trust and third attack.
  • 00:08:37
    Of course, the main reason any of this is possible
  • 00:08:39
    is step one.
  • 00:08:42
    When SS7 was introduced in 1980,
  • 00:08:44
    mobile phones barely existed.
  • 00:08:46
    They were so big that they were mainly just used
  • 00:08:49
    as car phones but things changed quickly
  • 00:08:52
    and the number of mobile phones in the world exploded.
  • 00:08:59
    - Roaming is one of the main use cases of SS7.
  • 00:09:02
    Say Derek, you visit me over here.
  • 00:09:05
    Your phone would try to connect to a network that's foreign
  • 00:09:09
    and that network would then have to reach out
  • 00:09:12
    to your home network in Australia asking,
  • 00:09:15
    is this a valid customer?
  • 00:09:17
    Are you willing to pay for the charges
  • 00:09:19
    that they'll incur on my network?
  • 00:09:21
    And all of that information is exchanged over SS7.
  • 00:09:26
    - For this to work,
  • 00:09:27
    telcos need to communicate with each other.
  • 00:09:30
    So the way they do that is by making sure they're part
  • 00:09:32
    of the same club.
  • 00:09:34
    The way they share membership to this club
  • 00:09:36
    is by using unique addresses to identify
  • 00:09:39
    where requests are coming from.
  • 00:09:41
    - SS7 is a global network, just like the internet
  • 00:09:44
    and like on the internet you need some addressing scheme.
  • 00:09:47
    So you need some way of saying this is me and this is you.
  • 00:09:50
    And on the internet we use IP addresses.
  • 00:09:53
    On SS7 we use what's called Global Titles, GTs.
  • 00:09:57
    - [Derek] So to provide global roaming coverage,
  • 00:09:59
    telcos typically establish agreements
  • 00:10:01
    with two providers in each country they serve.
  • 00:10:04
    One primary and one backup.
  • 00:10:06
    Telcos generally accept messages only from Global Titles
  • 00:10:09
    with which they have agreements.
  • 00:10:11
    And the whole system is designed to be a closed network
  • 00:10:14
    with few barriers once inside,
  • 00:10:17
    this is known as the walled garden approach.
  • 00:10:20
    So this system seems pretty secure and it was.
  • 00:10:26
    When SS7 was developed in the '80s,
  • 00:10:28
    the telecommunications landscape was dominated
  • 00:10:30
    by a few large reputable operators.
  • 00:10:33
    These operators had established relationships
  • 00:10:35
    and mutual interest in maintaining
  • 00:10:37
    the integrity of the network.
  • 00:10:39
    But 45 years on the landscape has shifted dramatically.
  • 00:10:43
    Now there are over 1200 operators
  • 00:10:46
    and 4,500 networks,
  • 00:10:48
    many of which need SS7 access from virtual network operators
  • 00:10:53
    to mass-text services sending Uber Eats notifications.
  • 00:10:57
    There are so many more players in the garden that not all
  • 00:11:00
    of them are trustworthy.
  • 00:11:04
    - Those companies, some of them
  • 00:11:07
    sell services onto third parties,
  • 00:11:10
    some of them can be bribed, some of them can be hacked.
  • 00:11:12
    So there's probably thousands
  • 00:11:14
    of ways into SS7 at reasonable effort or cost.
  • 00:11:18
    - How much are we talking like how much would it cost
  • 00:11:21
    to buy access to SS7?
  • 00:11:24
    - Buying a single SS7 connection isn't that expensive.
  • 00:11:27
    We're talking a few thousand dollars per month.
  • 00:11:30
    - The people who do sell access,
  • 00:11:32
    I mean, why would they do it?
  • 00:11:34
    - People sell SS7 for one reason: money.
  • 00:11:37
    - And thanks to global agreements
  • 00:11:39
    between providers accessing a trusted GT
  • 00:11:42
    is like gaining access to all the GTs
  • 00:11:44
    they have partnerships with.
  • 00:11:46
    We even saw the invoice
  • 00:11:47
    of a valuable US-based GT being leased illegally
  • 00:11:51
    for $13,000 a month.
  • 00:11:54
    Are you buying access to SS7?
  • 00:11:56
    - I'm paying for access to SS7. Yes.
  • 00:11:57
    And we do that because we do SS7 security tests.
  • 00:12:02
    So we need to be in a similar position as real hackers
  • 00:12:06
    to get near real results.
  • 00:12:09
    - So step one, infiltrate SS7 is complete.
  • 00:12:13
    Onto step two, gain trust.
  • 00:12:15
    Hackers today can try many different things
  • 00:12:17
    once they've scaled the wall into the garden.
  • 00:12:20
    But you need more than just SS7 access
  • 00:12:23
    and a phone number to attack.
  • 00:12:25
    Even a trusted GT and the phone number of the target
  • 00:12:28
    isn't enough to uniquely identify them.
  • 00:12:31
    Now you need something from the SIM card.
  • 00:12:34
    The real key in a mobile network
  • 00:12:36
    is a unique 15 digit identifier which belongs exclusively
  • 00:12:40
    to the SIM card on the phone.
  • 00:12:42
    It's called an international mobile subscriber identity
  • 00:12:45
    or IMSI for short.
  • 00:12:47
    And it is very important.
  • 00:12:50
    - Basically to be able to collect the IMSI
  • 00:12:52
    from a subscriber,
  • 00:12:55
    we would launch some of the messages
  • 00:12:57
    such as send routing info
  • 00:12:59
    or send routing info for SM.
  • 00:13:01
    These messages are normally used to collect the IMSI.
  • 00:13:07
    - Networks have firewalls in place
  • 00:13:08
    that will deny some requests if they look suspicious.
  • 00:13:11
    Getting an IMSI is crucial to appear trusted.
  • 00:13:15
    So let's move on to the critical step three, attack.
  • 00:13:19
    Do you wanna just like try the phone?
  • 00:13:20
    Is there anything you can try to see if it works?
  • 00:13:22
    Like call someone. - Sure.
  • 00:13:23
    - [Derek] Or text someone? - Sure. I'll call my wife.
  • 00:13:27
    - She normally picks up?
  • 00:13:28
    - Yeah, she'll probably pick up.
  • 00:13:31
    - [Yvonne] Hello?
  • 00:13:32
    - Hello Yvonne, this is the voice of your husband.
  • 00:13:37
    I would like to talk to you about the payment.
  • 00:13:42
    - Okay, thanks.
  • 00:13:44
    - No, no, it's me. It's me.(laughs)
  • 00:13:47
    - Did she hang up on you? - Yeah, yeah, she did.
  • 00:13:49
    So we've established the phone works
  • 00:13:51
    as a completely normal phone.
  • 00:13:52
    - Do you have any important calls coming up?
  • 00:13:54
    - I don't know if I'd say it's important,
  • 00:13:56
    but I'm on my way to Creator Summit tonight
  • 00:13:58
    and James from Hacksmith was gonna call me
  • 00:14:00
    when we're gonna kind of make some plans.
  • 00:14:02
    (phone rings)
  • 00:14:03
    - I'm getting a call right now. Are you getting a call?
  • 00:14:06
    - No.
  • 00:14:08
    - Hello, this is Linus.
  • 00:14:10
    - [James] Hey Linus, it's James. How's it going?
  • 00:14:13
    - It's going really well. How are you?
  • 00:14:15
    - [James] Pretty good. Am I gonna see the YouTube summit?
  • 00:14:19
    - Yes, I'm really looking forward to that.
  • 00:14:21
    And man, do I hate Macs.
  • 00:14:24
    So I feel like that's your persona man.
  • 00:14:26
    You can't game on a Mac. Linus, you wanna talk?
  • 00:14:30
    - I would like to talk but I never got the call, so...
  • 00:14:36
    - What number did you dial?
  • 00:14:39
    - [James] 4473.(beep) - Is that your number, Linus?
  • 00:14:43
    - Yeah, but I didn't get, mine didn't even ring.
  • 00:14:47
    I heard it ring but I heard it
  • 00:14:49
    through my speakers on my computer.
  • 00:14:50
    'Cause I assume it went to your phone then.
  • 00:14:53
    - That's right. - [Linus] Or did it go
  • 00:14:54
    to your computer?
  • 00:14:55
    - No. Yeah, it went to everything of mine.
  • 00:14:57
    So yeah, James, I don't know.
  • 00:15:00
    You called Linus and it went to me.
  • 00:15:02
    Thank you for taking part in this weird demonstration.
  • 00:15:06
    - There is absolutely nothing here to indicate
  • 00:15:10
    that I was supposed to receive a call.
  • 00:15:12
    - Yeah, and I mean the crazy thing
  • 00:15:14
    is that's like a regular Canadian SIM card in there.
  • 00:15:17
    So any Canadian SIM card in theory could be vulnerable
  • 00:15:21
    to such an attack where you know, someone dials your number
  • 00:15:24
    and it just doesn't go to you.
  • 00:15:26
    - This is like phreaking but on a completely different level.
  • 00:15:30
    - That's exactly it.
  • 00:15:32
    - Now I'm familiar already with the concept of SIM swapping
  • 00:15:36
    where you social engineer a way to get a SIM
  • 00:15:40
    that is registered to someone else's account.
  • 00:15:42
    We've actually had accounts stolen that way in the past,
  • 00:15:44
    but in this case my phone still works.
  • 00:15:49
    - [Yvonne] Hello?
  • 00:15:49
    - Hey, so the demo we're doing is pretty trippy hun.
  • 00:15:54
    Basically they had Hacksmith call me,
  • 00:15:57
    my phone didn't ring at all
  • 00:15:58
    and instead Derek from Veritasium picked up the phone call
  • 00:16:02
    and was able to talk to him and Hacksmith had no idea
  • 00:16:07
    that he called me and then- - [Yvonne] Sorry,
  • 00:16:08
    I'm with Cindy.
  • 00:16:09
    - Oh. Oh, hi Cindy.
  • 00:16:12
    - [Yvonne] Oh, you're not on speaker.
  • 00:16:13
    - Okay, that's fine. Just tell Cindy hi for me.
  • 00:16:15
    - [Yvonne] Okay.
  • 00:16:16
    Okay, goodbye.
  • 00:16:18
    - [Derek] So how are we able to seize control
  • 00:16:20
    of Linus number like that?
  • 00:16:22
    - When you put a phone number in your address book,
  • 00:16:25
    you often don't put the country code,
  • 00:16:27
    but then if you're in a roaming scenario,
  • 00:16:29
    that phone number would connect
  • 00:16:30
    to a completely different person
  • 00:16:32
    in the country you're currently in.
  • 00:16:33
    So it does make sense to basically overrule people's choices
  • 00:16:38
    as to whom they're trying to dial
  • 00:16:40
    because they're not gonna triple check each time
  • 00:16:42
    whether the address book entries
  • 00:16:44
    have country codes in them.
  • 00:16:46
    - This is a powerful function
  • 00:16:49
    by tricking the network into thinking his phone is roaming,
  • 00:16:52
    we can rewrite the number he is calling to a number
  • 00:16:55
    that we control.
  • 00:16:57
    - And so what I did at the end was when I received
  • 00:16:59
    this message, I sent back your number that you can see here
  • 00:17:05
    was your US based number.
  • 00:17:09
    So even if you were located in Australia,
  • 00:17:12
    I was still able to forward the call to you
  • 00:17:16
    on your US number in Australia.
  • 00:17:19
    - That's amazing.
  • 00:17:20
    You just try a few times and then it works, right?
  • 00:17:22
    - Yes, it's not always that simple,(laughs)
  • 00:17:27
    but this time it was quite difficult.
  • 00:17:30
    - So the most important question I have now then is
  • 00:17:34
    what did you need to steal from me
  • 00:17:36
    in order to become me?
  • 00:17:39
    Like is this something you can social engineer
  • 00:17:41
    out of my carrier?
  • 00:17:42
    Is this something that I would need
  • 00:17:44
    to accidentally leak a screenshot of my IMEI.
  • 00:17:48
    - At the very simplest, all we would need
  • 00:17:50
    is your phone number.
  • 00:17:51
    That's it.
  • 00:17:52
    You could even do something where I could act
  • 00:17:55
    as a middleman where I would reroute the call to me,
  • 00:17:59
    but also simultaneously I would dial for you the real number
  • 00:18:03
    and I would send you through to them
  • 00:18:04
    and then I can sit on the line and just record that call.
  • 00:18:09
    - Yikes.
  • 00:18:10
    - But this isn't the only attack.
  • 00:18:12
    We can do a lot more with SS7.
  • 00:18:15
    We can also intercept text messages as part of our suite
  • 00:18:18
    of attacks.
  • 00:18:19
    Similar to phone calls,
  • 00:18:20
    we can trick the network into thinking the target
  • 00:18:22
    is roaming, which reroutes their messages to our GT.
  • 00:18:26
    We can then steal one time passwords
  • 00:18:28
    used in two factor authentication.
  • 00:18:31
    This type of attack works until the subscriber interacts
  • 00:18:34
    with their phone network,
  • 00:18:35
    at which point the phone reconnects to the correct GT.
  • 00:18:39
    - But you need a few seconds
  • 00:18:40
    only to hack into somebody's account.
  • 00:18:42
    Of course you need that few second window
  • 00:18:44
    to receive the one time password.
  • 00:18:46
    - So we actually set up a new Linus YouTube channel.
  • 00:18:50
    - Okay, so theoretically he could get this username
  • 00:18:53
    and password via a dump because I'm a butthead
  • 00:18:58
    and I use the same username
  • 00:18:59
    and password across different accounts
  • 00:19:01
    or he could install a key logger on my system.
  • 00:19:04
    He could get it that way when I'm typing it in.
  • 00:19:06
    So then I verify my number.
  • 00:19:09
    But of course he has my number
  • 00:19:10
    because that's realistically not that hard to find.
  • 00:19:13
    And theoretically I'm supposed
  • 00:19:15
    to get a two factor code right now except...
  • 00:19:18
    - I got it, 820299, I'm in.
  • 00:19:25
    - [Linus] He's in. He hacked the mainframe. Wild, hey.
  • 00:19:28
    - Yep, we could hack your YouTube account.
  • 00:19:31
    I'm gonna put, I'm gonna start posting science videos
  • 00:19:33
    on Linus Tech Tips.
  • 00:19:35
    - Oh, that's okay.
  • 00:19:36
    I'm sure they'll get like 30 million views or whatever.
  • 00:19:38
    So I'll be fine with it. Thanks for the AdSense
  • 00:19:40
    (Derek laughing)
  • 00:19:41
    - [Derek] Deal.
  • 00:19:43
    And you could see the code right there.
  • 00:19:45
    - [Alexandre] Exactly.
  • 00:19:46
    So you could see that at the at the bottom. 820299.
  • 00:19:51
    So basically once the interception is running,
  • 00:19:54
    then I would receive any SMS sent.
  • 00:19:58
    - He would never have known that he missed those messages
  • 00:20:01
    or that they were intercepts. - Exact, exact.
  • 00:20:04
    - Wow. Yeah, this seems pretty serious.
  • 00:20:08
    I mean, SMS two-factor authentication
  • 00:20:10
    is almost the default, right?
  • 00:20:11
    - Unfortunately, yes, it's not only the default
  • 00:20:15
    but in some cases it is the only available option
  • 00:20:18
    and sometimes that can even be for accounts
  • 00:20:20
    that should be treated with the utmost
  • 00:20:23
    of care like a bank account.
  • 00:20:25
    - [Derek] There's a third method of attack
  • 00:20:27
    that we weren't able to show Linus.
  • 00:20:29
    Lucky for him,
  • 00:20:29
    his network blocked the requests.
  • 00:20:32
    On many networks,
  • 00:20:33
    you can use the IMSI number in the switching center info
  • 00:20:35
    we harvested in step two
  • 00:20:37
    to send a command deeper into the network.
  • 00:20:39
    By targeting the switching center where the device
  • 00:20:41
    with the IMSI is connected,
  • 00:20:42
    we can issue a command routinely used
  • 00:20:45
    for legitimate purposes such as routing and forwarding calls
  • 00:20:48
    or providing emergency services based
  • 00:20:50
    on the device's location.
  • 00:20:52
    Using this request we can track a target's location.
  • 00:20:55
    It's not as hard as you'd think.
  • 00:20:57
    SS7 doesn't even rely on GPS to locate someone.
  • 00:21:00
    In fact, it was invented before GPS was even in public use.
  • 00:21:06
    One way to do this is if a target is in range
  • 00:21:09
    of multiple cell towers, their location can be narrowed down
  • 00:21:12
    to where the signals overlap.
  • 00:21:13
    The more towers in range, the more precise the location.
  • 00:21:17
    A more accurate method measures the time it takes
  • 00:21:20
    for signals to reach a phone from three towers.
  • 00:21:23
    By calculating the distance based on transmission speed,
  • 00:21:26
    we can pinpoint an exact location on a 2D plane,
  • 00:21:29
    but SS7 attacks don't use either of these methods.
  • 00:21:33
    They try to be subtle.
  • 00:21:34
    An SS7 location request simply identifies the cell tower
  • 00:21:38
    the target is connected to.
  • 00:21:40
    In an urban area with many towers,
  • 00:21:42
    this can place them to within a hundred meters.
  • 00:21:45
    - You'll definitely know which city block somebody is in
  • 00:21:47
    and if you wanted to, for instance find out was it at home
  • 00:21:51
    and or at work, this is a great way to do it.
  • 00:21:54
    - Yeah, it's a little bit scary.
  • 00:21:58
    In 2016, Karsten and his team used this method
  • 00:22:01
    to track US Congressman Ted Lieu.
  • 00:22:03
    - The congressman has been in California,
  • 00:22:07
    more specifically the LA area.
  • 00:22:09
    Let's zoom in here a little bit.
  • 00:22:11
    - So that is how we did it. We executed three steps.
  • 00:22:15
    We infiltrated SS7, gained trust and attacked.
  • 00:22:19
    We intercepted Linus' phone calls and text messages.
  • 00:22:22
    I'm not sure he was as excited about it as I was.
  • 00:22:25
    - This is why we can't have nice things.
  • 00:22:28
    - Up until now, this has just been a bit of fun.
  • 00:22:30
    I've demonstrated these attacks on a friend of mine,
  • 00:22:33
    but the threats are real
  • 00:22:35
    and they can have devastating consequences.
  • 00:22:38
    "They will kill her."
  • 00:22:39
    The captain texted shortly before Latifa was abducted.
  • 00:22:42
    His phone was the target of an SS7 attack
  • 00:22:45
    that involved all three of the steps we explored.
  • 00:22:48
    To start, the attackers had leased multiple GTs
  • 00:22:50
    in different countries
  • 00:22:52
    then the following all happened in a five minute window.
  • 00:22:55
    First they sent at least seven separate requests aiming
  • 00:22:58
    to get the captain's IMSI from his US based operator.
  • 00:23:02
    When that didn't seem to work, they followed up
  • 00:23:04
    with at least four location requests.
  • 00:23:07
    So did it work?
  • 00:23:10
    Well, all of these requests were blocked by firewalls.
  • 00:23:12
    That's why we have all the details.
  • 00:23:15
    But there was a sixth GT we haven't shown.
  • 00:23:18
    This one nearby in the US,
  • 00:23:20
    we have no information about the requests on this GT
  • 00:23:23
    because they likely weren't stopped.
  • 00:23:27
    We spoke with Crofton Black, the investigative journalist
  • 00:23:30
    who revealed the SS7 exploits in this story
  • 00:23:33
    and this is what he told us.
  • 00:23:35
    "It's a brilliant example of SS7 involvement
  • 00:23:38
    because it illustrates a classic sophisticated pattern
  • 00:23:41
    of attack, multiple GTs and multiple countries.
  • 00:23:44
    It's a textbook example of telco penetration risks."
  • 00:23:48
    Though, because the Emiratis were also using other software
  • 00:23:51
    like Pegasus and other hardware like spotter planes,
  • 00:23:54
    we can't say that any single one of these was the thing
  • 00:23:58
    that led to her being found.
  • 00:24:00
    But the evidence is damning
  • 00:24:03
    and SS7 is used pretty widely.
  • 00:24:06
    Criminals have used SS7
  • 00:24:07
    to intercept SMS two-factor authentication codes
  • 00:24:10
    and empty millions of dollars from bank accounts.
  • 00:24:13
    For some SS7 is just the first step.
  • 00:24:16
    The NSO Group,
  • 00:24:17
    a notorious Israeli cyber surveillance firm acquired
  • 00:24:20
    an SS7 tracking company in 2014.
  • 00:24:24
    NSO is the company behind Pegasus, a spyware tool
  • 00:24:27
    that gains complete access
  • 00:24:28
    to targeted phones without a user clicking anything
  • 00:24:31
    embedding itself and erasing traces of entry.
  • 00:24:34
    Such zero click hacks are costly.
  • 00:24:37
    They can cost more than $4 million per exploit.
  • 00:24:40
    Before NSO commits resources targeting specific software
  • 00:24:43
    or vulnerabilities on a phone,
  • 00:24:45
    first they gather basic data like device type
  • 00:24:48
    and software version to make their lives easier.
  • 00:24:51
    And as you've seen with SS7, this isn't hard.
  • 00:24:55
    One expert we spoke to tested a foreign network
  • 00:24:57
    and found 20
  • 00:24:58
    to 30 VIPs were constantly under surveillance there,
  • 00:25:02
    including the country's chief of cybersecurity.
  • 00:25:06
    Accurate data on tracking is difficult to come by,
  • 00:25:08
    but another expert provided evidence of more than two
  • 00:25:11
    and a half million tracking attempts per year.
  • 00:25:15
    Though they reminded us that the people being targeted
  • 00:25:17
    are generally those of interest to state agencies.
  • 00:25:21
    Now we couldn't find data on interception attempts,
  • 00:25:23
    but luckily experts told us this is far less common.
  • 00:25:28
    So millions of malicious SS7 requests are sent each year,
  • 00:25:32
    but it used to be even worse.
  • 00:25:35
    To request location over SS7,
  • 00:25:37
    you used to be able to send a command without even knowing
  • 00:25:40
    the IMSI and the network would just provide it to you.
  • 00:25:43
    No questions asked.
  • 00:25:44
    - The classical example is the anytime interrogation
  • 00:25:47
    request, which as the name already suggests
  • 00:25:50
    is a creepy command.
  • 00:25:53
    I don't believe there's ever a legitimate purpose
  • 00:25:55
    for one network to send this command
  • 00:25:58
    to another network interrogating about their customers.
  • 00:26:02
    - [Derek] Karsten Nohl
  • 00:26:03
    and fellow security researcher Tobias Engel
  • 00:26:05
    exposed these vulnerabilities publicly in 2014.
  • 00:26:09
    - The SS7 research that was disclosed in 2014
  • 00:26:13
    was a wake up call to the industry.
  • 00:26:15
    Most people had heard rumors that SS7 tracking
  • 00:26:18
    and spying was possible,
  • 00:26:20
    but they hadn't really seen hard evidence of it
  • 00:26:22
    and especially how easy it is that a ragtag gang
  • 00:26:26
    of hackers from Berlin
  • 00:26:27
    with very amateur means can do any type
  • 00:26:31
    of SS7 hacking that they want.
  • 00:26:33
    - [Derek] After their conference,
  • 00:26:34
    all of the German telcos immediately started
  • 00:26:37
    refusing these requests.
  • 00:26:38
    - Anytime interrogation is the first SS7 command,
  • 00:26:41
    everyone stopped because it was abused a lot
  • 00:26:45
    and never used constructively.
  • 00:26:47
    But there are over 150 other messages that need to be stopped
  • 00:26:52
    as well to make SS7 be completely secure.
  • 00:26:56
    - So if there are so many ways to abuse SS7,
  • 00:26:59
    why haven't we gotten rid of it?
  • 00:27:01
    Well, because it's the backbone of 2G
  • 00:27:03
    and 3G communications.
  • 00:27:05
    So what if we phase out 2G and 3G?
  • 00:27:08
    Well, that has caused problems.
  • 00:27:10
    Since 2018 cars in the EU are equipped
  • 00:27:13
    with mandatory emergency call buttons
  • 00:27:15
    that trigger in an accident.
  • 00:27:17
    They need a SIM card to work and to cut costs,
  • 00:27:20
    guess what auto manufacturers are using.
  • 00:27:22
    That's right.
  • 00:27:23
    2G and 3G SIM cards using SS7.
  • 00:27:27
    - You have to have that legacy support
  • 00:27:29
    or when 4G connectivity drops,
  • 00:27:32
    you have absolutely nothing left.
  • 00:27:33
    Dude, the number of times that I'm on 3G, not insignificant.
  • 00:27:38
    And I'm in a metropolitan area.
  • 00:27:41
    - What's surprising, of course,
  • 00:27:42
    is that there hasn't been a global push yet to replace SS7
  • 00:27:46
    with one of the two newer versions of the technology.
  • 00:27:50
    The latest of which that was introduced
  • 00:27:52
    with 5G seems pretty secure,
  • 00:27:54
    but that's now a problem of first mover disadvantage.
  • 00:27:59
    So because of the network effects you get nothing
  • 00:28:01
    out of adopting a technology as the first guy.
  • 00:28:05
    You wanna be the last one when everyone else
  • 00:28:07
    is already connected and you get the full benefit
  • 00:28:10
    from also joining the club.
  • 00:28:12
    - [Derek] So even though the 5G signaling protocol
  • 00:28:14
    can stop the attacks completely and many networks
  • 00:28:17
    are using 5G technology on their networks,
  • 00:28:19
    when routing calls between networks,
  • 00:28:22
    SS7 is still the de facto standard.
  • 00:28:25
    - You create a tremendous amount of inertia to use a term
  • 00:28:29
    that's probably more your channel than my channel.
  • 00:28:31
    That makes moving on extremely difficult.
  • 00:28:35
    - So unless there are some new major events
  • 00:28:38
    that put this back on the public radar,
  • 00:28:41
    it could be another 10, 15, maybe even 20 years
  • 00:28:44
    until SS7 networks are finally switched off.
  • 00:28:48
    - What's crazy is that we exploited these vulnerabilities
  • 00:28:51
    and I'm just a YouTuber.
  • 00:28:52
    I did have the help of some excellent security researchers,
  • 00:28:56
    but I'm surprised at how easy it all is.
  • 00:28:58
    Now imagine if I had the backing of a government.
  • 00:29:01
    This is a real problem.
  • 00:29:03
    So what can you do to protect yourself on the personal side
  • 00:29:06
    as long as you have a SIM card?
  • 00:29:08
    Unfortunately there's not much you can do
  • 00:29:10
    about location tracking.
  • 00:29:11
    If possible, choose alternatives
  • 00:29:13
    to SMS based two-factor authentication,
  • 00:29:15
    so messages can't be intercepted.
  • 00:29:18
    Use an Authenticator app or hardware tokens.
  • 00:29:21
    And if you're worried about phone tapping,
  • 00:29:22
    use encrypted internet based calling services
  • 00:29:25
    like Signal or WhatsApp.
  • 00:29:27
    We've been told this is mainly used on people of interest.
  • 00:29:30
    So should it really matter to you?
  • 00:29:32
    - SS7 is a huge privacy intrusion
  • 00:29:34
    and there are millions of abuse cases every single month.
  • 00:29:38
    Whether privacy intrusion is a problem for individuals,
  • 00:29:41
    of course, is almost a philosophical question, right?
  • 00:29:44
    Somebody who grew up more in the Berlin tradition
  • 00:29:47
    of the Chaos Computer Club like myself,
  • 00:29:50
    strongly believes that privacy
  • 00:29:52
    and the ability to kind of form your own thoughts
  • 00:29:57
    without being observed is a prerequisite for democracy.
  • 00:30:00
    But many other people would argue nothing
  • 00:30:04
    to hide, nothing to fear.
  • 00:30:07
    (scrappy music)
  • 00:30:11
    - Our technological world will never be perfect.
  • 00:30:14
    By the time we secure or replace SS7,
  • 00:30:16
    vulnerabilities will already have been found
  • 00:30:19
    in the new system,
  • 00:30:20
    but luckily there's an easy way to be ready
  • 00:30:22
    for whatever the future holds, build your knowledge
  • 00:30:25
    and problem solving skills a little bit every day.
  • 00:30:28
    And you can start doing that right now for free
  • 00:30:31
    with this video sponsor, Brilliant.
  • 00:30:33
    Brilliant has thousands of interactive lessons
  • 00:30:35
    where you can learn by doing, making you a better thinker
  • 00:30:39
    and problem solver.
  • 00:30:40
    You build real skills in everything from math
  • 00:30:43
    and data analysis to technology and programming.
  • 00:30:46
    You name it.
  • 00:30:47
    Brilliant is designed to be uniquely effective.
  • 00:30:50
    Their first principles approach helps you build
  • 00:30:52
    understanding from the ground up.
  • 00:30:53
    So you'll not only gain knowledge of key concepts,
  • 00:30:56
    you'll learn to apply them
  • 00:30:57
    to real world situations all while building your intuition,
  • 00:31:00
    giving you the tools to solve whatever problems
  • 00:31:02
    come your way.
  • 00:31:04
    Brilliant's new course on data clustering, for example,
  • 00:31:06
    equips you with the same tools
  • 00:31:08
    security researchers like Karsten used to spot trends
  • 00:31:11
    among the billions of SS7 messages.
  • 00:31:13
    This is really helpful when hunting hackers,
  • 00:31:15
    but the concepts you'll learn also help you navigate a world
  • 00:31:18
    where data influences everything,
  • 00:31:20
    from what movies are being recommended to national politics.
  • 00:31:23
    And one of the best things about Brilliant is
  • 00:31:26
    since every lesson is bite sized, you can build your skills
  • 00:31:28
    and sharpen your mind whenever
  • 00:31:30
    and wherever you have a few minutes helping you build
  • 00:31:33
    a daily learning habit that sticks, the opposite
  • 00:31:35
    of mindless scrolling.
  • 00:31:36
    To try everything Brilliant has to offer for free
  • 00:31:39
    for 30 days, visit brilliant.org/veritasium
  • 00:31:42
    or you can scan the QR code
  • 00:31:43
    or click that link in the description.
  • 00:31:45
    You'll also get 20% off an annual premium subscription.
  • 00:31:49
    So I wanna thank Brilliant for sponsoring this video
  • 00:31:51
    and I wanna thank you for watching.
Tags
  • SS7
  • telecommunications
  • security
  • hacking
  • Linus Tech Tips
  • blue box
  • 2FA
  • Steve Jobs
  • phone hacking
  • privacy