00:00:00
- This is Linus from Linus Tech Tips
00:00:02
and we hacked the phone
network in order to spy on him.
00:00:05
- That's pretty messed up Derek.
00:00:07
I slept easier not knowing that.
00:00:09
- We intercepted his phone calls
00:00:11
and stole his two-factor passcodes.
00:00:14
Is that your number Linus?
00:00:15
- Yeah, but I didn't get,
mine didn't even ring.
00:00:19
- We didn't touch his phone.
00:00:21
We didn't send him an
email or a text, nothing.
00:00:24
We did it all remotely
and the worst part is
00:00:27
it could happen to you.
00:00:28
- I think I'm really
surprised that, no offense,
00:00:32
but like you guys did it.
00:00:33
(Derek laughing)
00:00:35
Well, you're not a career
criminal hacker mastermind,
00:00:38
necessarily.
- No, indeed.
00:00:40
- But here it is, a normal looking
00:00:42
and feeling device with no,
you know, obvious problem
00:00:46
with it and you just receive my call
00:00:50
instead of me receiving it.
00:00:52
Just what, like on command?
00:00:53
You just, it's an app on
your computer or what?
00:00:55
I don't even know.
00:00:56
- But before we explain
how we did all that,
00:00:59
(upbeat music)
(crowd clapping)
00:01:03
the first startup that Steve Jobs
00:01:05
and Steve Wozniak made wasn't Apple?
00:01:07
No, they were tackling
a different problem.
00:01:10
One where their product
was actually illegal.
00:01:13
So back in the 1970s,
00:01:15
long distance phone calls
were really expensive.
00:01:17
Adjusted for inflation,
00:01:19
a call from New York to London
could run you $25 a minute.
00:01:23
So these two entrepreneurs
created a little blue box
00:01:26
and what it did was it
hacked the telephone network.
00:01:30
They could trick the telephone
company into connecting
00:01:32
the calls for free among other things.
00:01:35
- We were young and what we learned
00:01:38
was that we could build
something ourselves
00:01:44
that could control
billions of dollars worth
00:01:49
of infrastructure in the world.
00:01:51
I don't think there would've
ever been an Apple computer
00:01:54
had there not been Blue Box.
00:01:56
- [Interviewer] Woz said
you called the Pope.
00:01:57
- Yeah, we did call the Pope.
00:01:58
Woz pretended to be Henry Kissinger
00:02:01
and we got the number of the Vatican
00:02:02
and we called the Pope and
they started waking people up
00:02:04
in the hierarchy, you know,
I don't know, cardinals
00:02:07
and they actually sent someone
00:02:09
to wake up the Pope when finally
we just burst out laughing
00:02:13
and they realized that we
weren't Henry Kissinger.
00:02:16
- But how were they able to do all of this
00:02:18
with one electronic box
made from Radio Shack parts?
00:02:23
(telephone ringing)
00:02:24
Until the mid-1920s, most
phones had no way of dialing.
00:02:29
When your phone was on the hook,
00:02:30
about 48 volts was connected
00:02:32
from the exchange to your phone.
00:02:34
Then when you lifted the receiver,
00:02:36
an internal circuit connected the speaker
00:02:38
and microphone drawing power
00:02:40
and that caused the voltage
to drop to around 10 volts.
00:02:43
And at the telephone
exchange this drop turned on
00:02:46
a light bulb alerting the
operator who would then pick up
00:02:49
and ask who you're calling.
00:02:51
- [Sarah] Boston.
00:02:52
- Sarah, get me the Bluebird Diner.
00:02:54
- And after consulting a directory,
00:02:56
they would connect a
wire between your line
00:02:58
and your friends.
00:02:59
Manually connecting calls
was labor intensive.
00:03:03
Operators had to handle hundreds
of connections per hour.
00:03:06
In 1910, one pundit said,
00:03:08
"Soon the telephone system will need
00:03:09
to employ every working age woman
00:03:11
in the country as an operator."
00:03:14
By 1950, there were more than a million
00:03:16
of them in the US alone.
00:03:19
To reduce costs, companies sought
00:03:21
to automate the call connection process
00:03:23
and one solution was the
rotary dial telephone.
00:03:26
To use it, you place your
finger in a number hole,
00:03:29
rotate it to the end and
the dial rotates back
00:03:33
and on the inside a metal
disc with ridges turns,
00:03:37
each ridge pushes two
metal plates into contact
00:03:40
completing the circuit to the exchange.
00:03:43
The dial sends pulses
to match each number.
00:03:46
For the number two, it sends two pulses.
00:03:49
For the number three
it sends three pulses.
00:03:53
This goes on up to 10
pulses for the number zero,
00:03:56
which is why zero is at
the far end of the dial
00:03:58
instead of beside the one.
00:04:01
Those pulses that travel down
the phone line, they determine
00:04:04
how your line is connected.
00:04:06
So they're known as control signals,
00:04:08
but as the length of the
transmission line was increased,
00:04:11
so did its capacitance and resistance
00:04:13
and this caused the clear input
signals to become distorted,
00:04:16
smoothing out voltage changes.
00:04:18
So now the pulses couldn't trigger
00:04:21
the switching at the exchange.
00:04:22
While this wasn't a
problem for local calls,
00:04:24
it made automating long
distance almost impossible.
00:04:28
Now all phone lines including
long distance ones were built
00:04:31
to carry sounds in the human voice
00:04:33
and hearing range, mainly
from 300 to 3,400 Hertz.
00:04:38
So why not use this built-in capability
00:04:40
to carry control signals?
00:04:42
To do this, phone companies
introduced the touch tone
00:04:46
or push button telephone.
00:04:48
On a keypad,
00:04:49
specific frequencies were
assigned to the horizontal axis
00:04:53
and the vertical axis
00:04:55
so that each button was
uniquely identifiable
00:04:58
by the combination of two tones.
00:05:00
(buttons beeping)
00:05:06
By sending control signals
within the voice band,
00:05:09
all telephone networks could receive it
00:05:11
using their existing systems
independent of distance.
00:05:15
But with this innovation
came an opportunity for Jobs
00:05:18
and Wozniak to exploit.
00:05:21
When you made a long distance
call, it was first routed
00:05:24
to a central node.
00:05:25
This node communicated with a remote node
00:05:28
and they determined if a line was free,
00:05:30
by checking whether both sides
00:05:32
were sending a 2600 Hertz tone.
00:05:36
So Jobs and Woz exploited this.
00:05:39
First, they would dial
a toll free 1-800 number
00:05:42
which would get them into a local node
00:05:44
and then they would send a
2600 hertz tone into the phone.
00:05:49
This would trick the remote node
00:05:51
into thinking the call
had been disconnected.
00:05:54
So the remote node would start
playing the 2600 hertz tone
00:05:57
again, but Jobs and Woz
were still on the line.
00:06:01
And when they stopped playing
the tone on their side,
00:06:03
the remote node assumed a
new call was being placed.
00:06:06
By sending a key pulse tone
00:06:09
followed by the desired phone number
00:06:10
and ending with a start
tone, they could connect
00:06:14
to any long distance number for free
00:06:17
as the home node still
believed it was connected
00:06:19
to a toll-free number.
00:06:23
The vulnerabilities in the
signaling system were obvious.
00:06:26
To mimic the 2600 hertz tone,
00:06:28
some people would even use a toy whistle
00:06:31
from a Cap'n Crunch cereal box.
00:06:33
It just happened to make that frequency.
00:06:36
(whistle blowing)
00:06:38
The telephone companies clearly needed
00:06:40
to develop a new signaling protocol
00:06:43
and their solution was to
use a separate digital line
00:06:46
for carrying control signals.
00:06:48
That way no one could control the network
00:06:50
by sending tones down the voice line
00:06:53
because it no longer controlled
how the call was connected.
00:06:57
This new protocol was called
Signaling System no. 7
00:07:00
or SS7 for short.
00:07:02
And it's still broadly in use today,
00:07:05
but it may not be as
secure as people thought.
00:07:10
- Hello, my name is Latifa Al Maktoum.
00:07:12
I was born-
- Princess Latifa
00:07:13
of Dubai claimed that her
father Sheikh Mohammed,
00:07:16
the ruling emir had held
her in solitary confinement
00:07:18
in the dark, beaten and
sedated for several years.
00:07:22
In late February, 2018,
00:07:24
her Finnish martial arts
instructor Tiina helped her escape.
00:07:29
They fled to a yacht captained
00:07:30
by former French intelligence
officer, Hervé Jaubert.
00:07:34
And for eight days they
sailed toward India.
00:07:37
Latifa was hopeful but it wasn't to last.
00:07:41
Late on the night of March
4th a dark boat pulled up
00:07:44
alongside; it was sent by her father.
00:07:48
Laser sights pierced the smoke
as agents boarded the yacht,
00:07:51
abducting Latifa and
taking her back to Dubai.
00:07:58
But how did they find her?
00:08:00
Well the captain had been the victim
00:08:02
of a coordinated SS7 attack,
00:08:05
one aiming to pinpoint his location
00:08:07
and by extension the
whereabouts of the princess.
00:08:11
And I'm going to show you how
using the exact same steps
00:08:15
to spy on my friends with
their permission of course.
00:08:19
This is Karsten Nohl and
Alexandre De Oliveira.
00:08:23
They are cybersecurity specialists
00:08:25
who are helping me spy on Linus.
00:08:27
We took three steps to spy on him.
00:08:30
First you have to infiltrate SS7,
00:08:32
second gain trust and third attack.
00:08:37
Of course, the main reason
any of this is possible
00:08:39
is step one.
00:08:42
When SS7 was introduced in 1980,
00:08:44
mobile phones barely existed.
00:08:46
They were so big that
they were mainly just used
00:08:49
as car phones but things changed quickly
00:08:52
and the number of mobile
phones in the world exploded.
00:08:59
- Roaming is one of the
main use cases of SS7.
00:09:02
Say Derek, you visit me over here.
00:09:05
Your phone would try to connect
to a network that's foreign
00:09:09
and that network would
then have to reach out
00:09:12
to your home network in Australia asking,
00:09:15
is this a valid customer?
00:09:17
Are you willing to pay for the charges
00:09:19
that they'll incur on my network?
00:09:21
And all of that information
is exchanged over SS7.
00:09:26
- For this to work,
00:09:27
telcos need to communicate
with each other.
00:09:30
So the way they do that is
by making sure they're part
00:09:32
of the same club.
00:09:34
The way they share membership to this club
00:09:36
is by using unique addresses to identify
00:09:39
where requests are coming from.
00:09:41
- SS7 is a global network,
just like the internet
00:09:44
and like on the internet you
need some addressing scheme.
00:09:47
So you need some way of saying
this is me and this is you.
00:09:50
And on the internet we use IP addresses.
00:09:53
On SS7 we use what's
called Global Titles, GTs.
00:09:57
- [Derek] So to provide
global roaming coverage,
00:09:59
telcos typically establish agreements
00:10:01
with two providers in
each country they serve.
00:10:04
One primary and one backup.
00:10:06
Telcos generally accept
messages only from Global Titles
00:10:09
with which they have agreements.
00:10:11
And the whole system is
designed to be a closed network
00:10:14
with few barriers once inside.
00:10:17
This is known as the
walled garden approach.
00:10:20
So this system seems
pretty secure and it was.
00:10:26
When SS7 was developed in the '80s,
00:10:28
the telecommunications
landscape was dominated
00:10:30
by a few large reputable operators.
00:10:33
These operators had
established relationships
00:10:35
and mutual interest in maintaining
00:10:37
the integrity of the network.
00:10:39
But 45 years on the landscape
has shifted dramatically.
00:10:43
Now there are over 1200 operators
00:10:46
and 4,500 networks,
00:10:48
many of which need SS7 access
from virtual network operators
00:10:53
to mass-text services sending
Uber Eats notifications.
00:10:57
There are so many more players
in the garden that not all
00:11:00
of them are trustworthy.
00:11:04
- Those companies, some of them
00:11:07
sell services onto third parties,
00:11:10
some of them can be bribed,
some of them can be hacked.
00:11:12
So there's probably thousands
00:11:14
of ways into SS7 at
reasonable effort or cost.
00:11:18
- How much are we talking
like how much would it cost
00:11:21
to buy access to SS7?
00:11:24
- Buying a single SS7
connection isn't that expensive.
00:11:27
We're talking a few
thousand dollars per month.
00:11:30
- The people who do sell access,
00:11:32
I mean, why would they do it?
00:11:34
- People sell SS7 for one reason: money.
00:11:37
- And thanks to global agreements
00:11:39
between providers accessing a trusted GT
00:11:42
is like gaining access to all the GTs
00:11:44
they have partnerships with.
00:11:46
We even saw the invoice
00:11:47
of a valuable US-based
GT being leased illegally
00:11:51
for $13,000 a month.
00:11:54
Are you buying access to SS7?
00:11:56
- I'm paying for access to SS7. Yes.
00:11:57
And we do that because
we do SS7 security tests.
00:12:02
So we need to be in a similar
position as real hackers
00:12:06
to get near real results.
00:12:09
- So step one, infiltrate SS7 is complete.
00:12:13
Onto step two, gain trust.
00:12:15
Hackers today can try
many different things
00:12:17
once they've scaled the
wall into the garden.
00:12:20
But you need more than just SS7 access
00:12:23
and a phone number to attack.
00:12:25
Even a trusted GT and the
phone number of the target
00:12:28
isn't enough to uniquely identify them.
00:12:31
Now you need something from the SIM card.
00:12:34
The real key in a mobile network
00:12:36
is a unique 15 digit identifier
which belongs exclusively
00:12:40
to the SIM card on the phone.
00:12:42
It's called an international
mobile subscriber identity
00:12:45
or IMSI for short.
00:12:47
And it is very important.
00:12:50
- Basically to be able to collect the IMSI
00:12:52
from a subscriber,
00:12:55
we would launch some of the messages
00:12:57
such as send routing info
00:12:59
or send routing info for SM.
00:13:01
These messages are normally
used to collect the IMSI.
00:13:07
- Networks have firewalls in place
00:13:08
that will deny some requests
if they look suspicious.
00:13:11
Getting an IMSI is
crucial to appear trusted.
00:13:15
So let's move on to the
critical step three, attack.
00:13:19
Do you wanna just like try the phone?
00:13:20
Is there anything you can
try to see if it works?
00:13:22
Like call someone.
- Sure.
00:13:23
- [Derek] Or text someone?
- Sure. I'll call my wife.
00:13:27
- Does she normally pick up?
00:13:28
- Yeah, she'll probably pick up.
00:13:31
- [Yvonne] Hello?
00:13:32
- Hello Yvonne, this is
the voice of your husband.
00:13:37
I would like to talk to
you about the payment.
00:13:42
- Okay, thanks.
00:13:44
- No, no, it's me. It's me. (laughs)
00:13:47
- Did she hang up on you?
- Yeah, yeah, she did.
00:13:49
So we've established the phone works
00:13:51
as a completely normal phone.
00:13:52
- Do you have any
important calls coming up?
00:13:54
- I don't know if I'd say it's important,
00:13:56
but I'm on my way to
Creator Summit tonight
00:13:58
and James from Hacksmith was gonna call me
00:14:00
when we're gonna kind of make some plans.
00:14:02
(phone rings)
00:14:03
- I'm getting a call right
now. Are you getting a call?
00:14:06
- No.
00:14:08
- Hello, this is Linus.
00:14:10
- [James] Hey Linus, it's
James. How's it going?
00:14:13
- It's going really well. How are you?
00:14:15
- [James] Pretty good. Am I
gonna see the YouTube summit?
00:14:19
- Yes, I'm really looking forward to that.
00:14:21
And man, do I hate Macs.
00:14:24
So I feel like that's your persona man.
00:14:26
You can't game on a Mac.
Linus, you wanna talk?
00:14:30
- I would like to talk but
I never got the call, so...
00:14:36
- What number did you dial?
00:14:39
- [James] 4473. (beep)
- Is that your number, Linus?
00:14:43
- Yeah, but I didn't get,
mine didn't even ring.
00:14:47
I heard it ring but I heard it
00:14:49
through my speakers on my computer.
00:14:50
'Cause I assume it went
to your phone then.
00:14:53
- That's right.
- [Linus] Or did it go
00:14:54
to your computer?
00:14:55
- No. Yeah, it went to everything of mine.
00:14:57
So yeah, James, I don't know.
00:15:00
You called Linus and it went to me.
00:15:02
Thank you for taking part
in this weird demonstration.
00:15:06
- There is absolutely
nothing here to indicate
00:15:10
that I was supposed to receive a call.
00:15:12
- Yeah, and I mean the crazy thing
00:15:14
is that's like a regular
Canadian SIM card in there.
00:15:17
So any Canadian SIM card in
theory could be vulnerable
00:15:21
to such an attack where you
know, someone dials your number
00:15:24
and it just doesn't go to you.
00:15:26
- This is like phreaking but on
a completely different level.
00:15:30
- That's exactly it.
00:15:32
- Now I'm familiar already with
the concept of SIM swapping
00:15:36
where you social engineer
a way to get a SIM
00:15:40
that is registered to
someone else's account.
00:15:42
We've actually had accounts
stolen that way in the past,
00:15:44
but in this case my phone still works.
00:15:49
- [Yvonne] Hello?
00:15:49
- Hey, so the demo we're
doing is pretty trippy hun.
00:15:54
Basically they had Hacksmith call me,
00:15:57
my phone didn't ring at all
00:15:58
and instead Derek from Veritasium
picked up the phone call
00:16:02
and was able to talk to him
and Hacksmith had no idea
00:16:07
that he called me and then-
- [Yvonne] Sorry,
00:16:08
I'm with Cindy.
00:16:09
- Oh. Oh, hi Cindy.
00:16:12
- [Yvonne] Oh, you're not on speaker.
00:16:13
- Okay, that's fine. Just
tell Cindy hi for me.
00:16:15
- [Yvonne] Okay.
00:16:16
Okay, goodbye.
00:16:18
- [Derek] So how are we
able to seize control
00:16:20
of Linus's number like that?
00:16:22
- When you put a phone
number in your address book,
00:16:25
you often don't put the country code,
00:16:27
but then if you're in a roaming scenario,
00:16:29
that phone number would connect
00:16:30
to a completely different person
00:16:32
in the country you're currently in.
00:16:33
So it does make sense to basically
overrule people's choices
00:16:38
as to whom they're trying to dial
00:16:40
because they're not gonna
triple check each time
00:16:42
whether the address book entries
00:16:44
have country codes in them.
00:16:46
- This is a powerful function
00:16:49
by tricking the network into
thinking his phone is roaming,
00:16:52
we can rewrite the number
he is calling to a number
00:16:55
that we control.
00:16:57
- And so what I did at the
end was when I received
00:16:59
this message, I sent back your
number that you can see here
00:17:05
was your US based number.
00:17:09
So even if you were located in Australia,
00:17:12
I was still able to
forward the call to you
00:17:16
on your US number in Australia.
00:17:19
- That's amazing.
00:17:20
You just try a few times
and then it works, right?
00:17:22
- Yes, it's not always
that simple, (laughs)
00:17:27
but this time it was quite difficult.
00:17:30
- So the most important
question I have now then is
00:17:34
what did you need to steal from me
00:17:36
in order to become me?
00:17:39
Like is this something
you can social engineer
00:17:41
out of my carrier?
00:17:42
Is this something that I would need
00:17:44
to accidentally leak a
screenshot of my IMEI?
00:17:48
- At the very simplest, all we would need
00:17:50
is your phone number.
00:17:51
That's it.
00:17:52
You could even do
something where I could act
00:17:55
as a middleman where I would
reroute the call to me,
00:17:59
but also simultaneously I would
dial for you the real number
00:18:03
and I would send you through to them
00:18:04
and then I can sit on the line
and just record that call.
00:18:09
- Yikes.
00:18:10
- But this isn't the only attack.
00:18:12
We can do a lot more with SS7.
00:18:15
We can also intercept text
messages as part of our suite
00:18:18
of attacks.
00:18:19
Similar to phone calls,
00:18:20
we can trick the network
into thinking the target
00:18:22
is roaming, which reroutes
their messages to our GT.
00:18:26
We can then steal one time passwords
00:18:28
used in two factor authentication.
00:18:31
This type of attack works
until the subscriber interacts
00:18:34
with their phone network,
00:18:35
at which point the phone
reconnects to the correct GT.
00:18:39
- But you need a few seconds
00:18:40
only to hack into somebody's account.
00:18:42
Of course you need that few second window
00:18:44
to receive the one time password.
00:18:46
- So we actually set up a
new Linus YouTube channel.
00:18:50
- Okay, so theoretically
he could get this username
00:18:53
and password via a dump
because I'm a butthead
00:18:58
and I use the same username
00:18:59
and password across different accounts
00:19:01
or he could install a
key logger on my system.
00:19:04
He could get it that way
when I'm typing it in.
00:19:06
So then I verify my number.
00:19:09
But of course he has my number
00:19:10
because that's realistically
not that hard to find.
00:19:13
And theoretically I'm supposed
00:19:15
to get a two factor
code right now except...
00:19:18
- I got it, 820299, I'm in.
00:19:25
- [Linus] He's in. He hacked
the mainframe. Wild, hey.
00:19:28
- Yep, we could hack your YouTube account.
00:19:31
I'm gonna put, I'm gonna
start posting science videos
00:19:33
on Linus Tech Tips.
00:19:35
- Oh, that's okay.
00:19:36
I'm sure they'll get like 30
million views or whatever.
00:19:38
So I'll be fine with it.
Thanks for the AdSense
00:19:40
(Derek laughing)
00:19:41
- [Derek] Deal.
00:19:43
And you could see the code right there.
00:19:45
- [Alexandre] Exactly.
00:19:46
So you could see that at
the bottom. 820299.
00:19:51
So basically once the
interception is running,
00:19:54
then I would receive any SMS sent.
00:19:58
- He would never have known
that he missed those messages
00:20:01
or that they were intercepts.
- Exact, exact.
00:20:04
- Wow. Yeah, this seems pretty serious.
00:20:08
I mean, SMS two-factor authentication
00:20:10
is almost the default, right?
00:20:11
- Unfortunately, yes,
it's not only the default
00:20:15
but in some cases it is
the only available option
00:20:18
and sometimes that can
even be for accounts
00:20:20
that should be treated with the utmost
00:20:23
of care like a bank account.
00:20:25
- [Derek] There's a third method of attack
00:20:27
that we weren't able to show Linus.
00:20:29
Lucky for him,
00:20:29
his network blocked the requests.
00:20:32
On many networks,
00:20:33
you can use the IMSI number
and the switching center info
00:20:35
we harvested in step two
00:20:37
to send a command deeper into the network.
00:20:39
By targeting the switching
center where the device
00:20:41
with the IMSI is connected,
00:20:42
we can issue a command routinely used
00:20:45
for legitimate purposes such
as routing and forwarding calls
00:20:48
or providing emergency services based
00:20:50
on the device's location.
00:20:52
Using this request we can
track a target's location.
00:20:55
It's not as hard as you'd think.
00:20:57
SS7 doesn't even rely on
GPS to locate someone.
00:21:00
In fact, it was invented before
GPS was even in public use.
00:21:06
One way to do this is
if a target is in range
00:21:09
of multiple cell towers, their
location can be narrowed down
00:21:12
to where the signals overlap.
00:21:13
The more towers in range, the
more precise the location.
00:21:17
A more accurate method
measures the time it takes
00:21:20
for signals to reach a
phone from three towers.
00:21:23
By calculating the distance
based on transmission speed,
00:21:26
we can pinpoint an exact
location on a 2D plane,
00:21:29
but SS7 attacks don't use
either of these methods.
00:21:33
They try to be subtle.
00:21:34
An SS7 location request simply
identifies the cell tower
00:21:38
the target is connected to.
00:21:40
In an urban area with many towers,
00:21:42
this can place them to
within a hundred meters.
00:21:45
- You'll definitely know which
city block somebody is in
00:21:47
and if you wanted to, for
instance find out was it at home
00:21:51
and or at work, this is
a great way to do it.
00:21:54
- Yeah, it's a little bit scary.
00:21:58
In 2016, Karsten and his
team used this method
00:22:01
to track US Congressman Ted Lieu.
00:22:03
- The congressman has been in California,
00:22:07
more specifically the LA area.
00:22:09
Let's zoom in here a little bit.
00:22:11
- So that is how we did it.
We executed three steps.
00:22:15
We infiltrated SS7,
gained trust and attacked.
00:22:19
We intercepted Linus's phone
calls and text messages.
00:22:22
I'm not sure he was as
excited about it as I was.
00:22:25
- This is why we can't have nice things.
00:22:28
- Up until now, this has
just been a bit of fun.
00:22:30
I've demonstrated these
attacks on a friend of mine,
00:22:33
but the threats are real
00:22:35
and they can have
devastating consequences.
00:22:38
"They will kill her,"
00:22:39
the captain texted shortly
before Latifa was abducted.
00:22:42
His phone was the target of an SS7 attack
00:22:45
that involved all three
of the steps we explored.
00:22:48
To start, the attackers
had leased multiple GTs
00:22:50
in different countries
00:22:52
then the following all happened
in a five minute window.
00:22:55
First they sent at least
seven separate requests aiming
00:22:58
to get the captain's IMSI
from his US based operator.
00:23:02
When that didn't seem to
work, they followed up
00:23:04
with at least four location requests.
00:23:07
So did it work?
00:23:10
Well, all of these requests
were blocked by firewalls.
00:23:12
That's why we have all the details.
00:23:15
But there was a sixth GT we haven't shown.
00:23:18
This one nearby in the US,
00:23:20
we have no information about
the requests on this GT
00:23:23
because they likely weren't stopped.
00:23:27
We spoke with Crofton Black,
the investigative journalist
00:23:30
who revealed the SS7
exploits in this story
00:23:33
and this is what he told us.
00:23:35
"It's a brilliant example
of SS7 involvement
00:23:38
because it illustrates a
classic sophisticated pattern
00:23:41
of attack, multiple GTs
and multiple countries.
00:23:44
It's a textbook example of
telco penetration risks."
00:23:48
Though, because the Emiratis
were also using other software
00:23:51
like Pegasus and other
hardware like spotter planes,
00:23:54
we can't say that any single
one of these was the thing
00:23:58
that led to her being found.
00:24:00
But the evidence is damning
00:24:03
and SS7 is used pretty widely.
00:24:06
Criminals have used SS7
00:24:07
to intercept SMS two-factor
authentication codes
00:24:10
and empty millions of
dollars from bank accounts.
00:24:13
For some SS7 is just the first step.
00:24:16
The NSO Group,
00:24:17
a notorious Israeli cyber
surveillance firm acquired
00:24:20
an SS7 tracking company in 2014.
00:24:24
NSO is the company behind
Pegasus, a spyware tool
00:24:27
that gains complete access
00:24:28
to targeted phones without
a user clicking anything
00:24:31
embedding itself and
erasing traces of entry.
00:24:34
Such zero click hacks are costly.
00:24:37
They can cost more than
$4 million per exploit.
00:24:40
Before NSO commits resources
targeting specific software
00:24:43
or vulnerabilities on a phone,
00:24:45
first they gather basic
data like device type
00:24:48
and software version to
make their lives easier.
00:24:51
And as you've seen with
SS7, this isn't hard.
00:24:55
One expert we spoke to
tested a foreign network
00:24:57
and found 20
00:24:58
to 30 VIPs were constantly
under surveillance there,
00:25:02
including the country's
chief of cybersecurity.
00:25:06
Accurate data on tracking
is difficult to come by,
00:25:08
but another expert provided
evidence of more than two
00:25:11
and a half million
tracking attempts per year.
00:25:15
Though they reminded us that
the people being targeted
00:25:17
are generally those of
interest to state agencies.
00:25:21
Now we couldn't find data
on interception attempts,
00:25:23
but luckily experts told
us this is far less common.
00:25:28
So millions of malicious SS7
requests are sent each year,
00:25:32
but it used to be even worse.
00:25:35
To request location over SS7,
00:25:37
you used to be able to send a
command without even knowing
00:25:40
the IMSI and the network
would just provide it to you.
00:25:43
No questions asked.
00:25:44
- The classical example is
the anytime interrogation
00:25:47
request, which, as the name already suggests,
00:25:50
is a creepy command.
00:25:53
I don't believe there's
ever legitimate purpose
00:25:55
for one network to send this command
00:25:58
to another network interrogating
about their customers.
00:26:02
- [Derek] Karsten Nohl
00:26:03
and fellow security
researcher Tobias Engel
00:26:05
exposed these vulnerabilities
publicly in 2014.
00:26:09
- The SS7 research that
was disclosed in 2014
00:26:13
was a wake up call to the industry.
00:26:15
Most people had heard
rumors that SS7 tracking
00:26:18
and spying was possible,
00:26:20
but they hadn't really
seen hard evidence of it
00:26:22
and especially how easy
it is, that a ragtag gang
00:26:26
of hackers from Berlin
00:26:27
with very amateur means can do any type
00:26:31
of SS7 hacking that they want.
00:26:33
- [Derek] After their conference,
00:26:34
all of the German telcos
immediately started
00:26:37
refusing these requests.
00:26:38
- Anytime interrogation is
the first SS7 command,
00:26:41
everyone stopped because
it was abused a lot
00:26:45
and never used constructively.
00:26:47
But there are over 150 other
messages that need to be stopped
00:26:52
as well to make SS7 be completely secure.
00:26:56
- So if there are so
many ways to abuse SS7,
00:26:59
why haven't we gotten rid of it?
00:27:01
Well, because it's the backbone of 2G
00:27:03
and 3G communications.
00:27:05
So what if we phase out 2G and 3G?
00:27:08
Well, that has caused problems.
00:27:10
Since 2018, cars in the EU are equipped
00:27:13
with mandatory emergency call buttons
00:27:15
that trigger in an accident.
00:27:17
They need a SIM card to
work and to cut costs,
00:27:20
guess what auto manufacturers are using.
00:27:22
That's right.
00:27:23
2G and 3G SIM cards using SS7.
00:27:27
- You have to have that legacy support
00:27:29
or when 4G connectivity drops,
00:27:32
you have absolutely nothing left.
00:27:33
Dude, the number of times that
I'm on 3G, not insignificant.
00:27:38
And I'm in a metropolitan area.
00:27:41
- What's surprising, of course,
00:27:42
is that there hasn't been a
global push yet to replace SS7
00:27:46
with one of the two newer
versions of the technology.
00:27:50
The latest of which, introduced
00:27:52
with 5G, seems pretty secure,
00:27:54
but that's now a problem of
first mover disadvantage.
00:27:59
So because of the network
effects you get nothing
00:28:01
out of adopting a
technology as the first guy.
00:28:05
You wanna be the last
one when everyone else
00:28:07
is already connected and
you get the full benefit
00:28:10
from also joining the club.
00:28:12
- [Derek] So even though
the 5G signaling protocol
00:28:14
can stop the attacks
completely and many networks
00:28:17
are using 5G technology on their networks,
00:28:19
when routing calls between networks,
00:28:22
SS7 is still the de facto standard.
00:28:25
- You create a tremendous
amount of inertia to use a term
00:28:29
that's probably more your
channel than my channel.
00:28:31
That makes moving on extremely difficult.
00:28:35
- So unless there are
some new major events
00:28:38
that put this back on the public radar,
00:28:41
it could be another 10,
15, maybe even 20 years
00:28:44
until SS7 networks are
finally switched off.
00:28:48
- What's crazy is that we
exploited these vulnerabilities
00:28:51
and I'm just a YouTuber.
00:28:52
I did have the help of some
excellent security researchers,
00:28:56
but I'm surprised at how easy it all is.
00:28:58
Now imagine if I had the
backing of a government.
00:29:01
This is a real problem.
00:29:03
So what can you do to protect
yourself on the personal side
00:29:06
as long as you have a SIM card?
00:29:08
Unfortunately there's not much you can do
00:29:10
about location tracking.
00:29:11
If possible, choose alternatives
00:29:13
to SMS-based two-factor authentication
00:29:15
so messages can't be intercepted.
00:29:18
Use an authenticator
app or hardware tokens.
00:29:21
And if you're worried about phone tapping,
00:29:22
use encrypted internet
based calling services
00:29:25
like Signal or WhatsApp.
00:29:27
We've been told this is mainly
used on people of interest.
00:29:30
So should it really matter to you?
00:29:32
- SS7 is a huge privacy intrusion
00:29:34
and there are millions of
abuse cases every single month.
00:29:38
Whether privacy intrusion is
a problem for you individually
00:29:41
is, of course, almost a
philosophical question, right?
00:29:44
Somebody who grew up more
in the Berlin tradition
00:29:47
of the Chaos Computer Club like myself,
00:29:50
strongly believes that privacy
00:29:52
and the ability to kind
of form your own thoughts
00:29:57
without being observed is a
prerequisite for democracy.
00:30:00
But many other people would argue nothing
00:30:04
to hide, nothing to fear.
00:30:07
(scrappy music)
00:30:11
- Our technological world
will never be perfect.
00:30:14
By the time we secure or replace SS7,
00:30:16
vulnerabilities will
already have been found
00:30:19
in the new system,
00:30:20
but luckily there's an
easy way to be ready
00:30:22
for whatever the future
holds, build your knowledge
00:30:25
and problem solving skills
a little bit every day.
00:30:28
And you can start doing
that right now for free
00:30:31
with this video sponsor, Brilliant.
00:30:33
Brilliant has thousands
of interactive lessons
00:30:35
where you can learn by doing,
making you a better thinker
00:30:39
and problem solver.
00:30:40
You build real skills
in everything from math
00:30:43
and data analysis to
technology and programming.
00:30:46
You name it.
00:30:47
Brilliant is designed
to be uniquely effective.
00:30:50
Their first principles
approach helps you build
00:30:52
understanding from the ground up.
00:30:53
So you'll not only gain
knowledge of key concepts,
00:30:56
you'll learn to apply them
00:30:57
to real world situations all
while building your intuition,
00:31:00
giving you the tools to
solve whatever problems
00:31:02
come your way.
00:31:04
Brilliant's new course on
data clustering, for example,
00:31:06
equips you with the same tools
00:31:08
security researchers like
Karsten used to spot trends
00:31:11
among the billions of SS7 messages.
00:31:13
This is really helpful
when hunting hackers,
00:31:15
but the concepts you'll learn
also help navigating a world
00:31:18
where data influences everything,
00:31:20
from what movies are being
recommended to national politics.
00:31:23
And one of the best
things about Brilliant is
00:31:26
since every lesson is bite
sized, you can build your skills
00:31:28
and sharpen your mind whenever
00:31:30
and wherever you have a few
minutes helping you build
00:31:33
a daily learning habit
that sticks, the opposite
00:31:35
of mindless scrolling.
00:31:36
To try everything Brilliant
has to offer for free
00:31:39
for 30 days, visit
brilliant.org/veritasium
00:31:42
or you can scan the QR code
00:31:43
or click that link in the description.
00:31:45
You'll also get 20% off an
annual premium subscription.
00:31:49
So I wanna thank Brilliant
for sponsoring this video
00:31:51
and I wanna thank you for watching.