Cathal Mc Daid
@mcdaidc
The 'wild west' of #SS7 security Surveillance companies are increasingly using clever encoding to try to bypass signaling firewalls — here's new research showing how the latest attack works: https://t.co/Gg0tZ0euL9
@EneaAB @josephfcox @rj_gallagher @campuscodi @lorenzofb
enea.com
Introducing a novel SS7 bypass attack technique uncovered by Enea's team of threat intelligence experts. Read all about it in this blog.
I'll be explaining how we got here, how attackers and defenders have evolved and the future of securing mobile networks. https://t.co/JoPGyMWflH
Happy to have contributed to this mobile phone security episode with @veritasium. It's a great introduction to #ss7 and its security risks. Plus kudos to @yodresh for his work.
New video! I hacked @LinusTech to expose the vulnerability in our phone system
New #4G/#5G #cybersecurity research released today. @nerfux breaks down #SCTP 'quantum' insertion attacks on telecom networks: https://t.co/mzWOJ58bOL In the past, mobile network security has focused a lot on edge protection, in the future we will need to look inward as well.
Thanks to @tomwithington and @arm_magazine for featuring our new "Location Tracking on the Battlefield" report. Check out the article in this month's edition!⬇️ https://t.co/is65W9Wf97
12/12 Note this is one *possible* way it could have happened, other methods like a local 3G/4G radio voice interception using Fake Base Stations are possible, but they would require a SS7 link. 2G radio interception may also be possible although more likely to be noticed
11/12 Lastly, while SS7 security has improved greatly since then, some elements of this would have made it more likely to succeed. The targeting of an outbound roamer for example is more likely to succeed than a subscriber at home.
10/12 2nd, Russia has reportedly done this before. This matches the method that Ukraine accused Russia of using in 2014, as a result by publishing this new recording they would not have been 'burning' any secret hacks. https://t.co/SmFH4cQnMt
https://t.co/lI462NMv1u
enea.com
We look into a little-reported incident that occurred in Ukrainian Mobile networks in 2014, that illustrates SS7 network attacks.
9/12 This matches what occurred as the German roamer to Singapore is the first person that we hear. They get intro-ed/added to the conference by another. The recording can only happen with his call.
8/12 The call is then directed to the Russian PBX/listener. At this point, a new call is initiated to the webex conference number, with the original German mobile being spoofed, and is sent to the webex number. The Russian device then acts as a MITM and the call is recorded
7/12 The Russian ‘billing platform’ says the call should go ahead, but also should be redirected to a different number. This number is a Russian listening device, most likely a PBX. This information is relayed back to Singapore network in a CAMEL CONNECT command
6/12 The webex starts, and the German roamer attempts to dial to it (or to an interim number, the interception method is the same). However, the Singapore network now checks the Russian ‘billing platform’, via a CAMEL IDP command. This is to see whether the call should go ahead
5/12 Now the attack. First, Russia would modify the billing platform info (gsmSCF address) stored for the German roamer, in the Singapore network. This is done via a SS7 ISD command (with target's IMSI or MSISDN), from a GT (address) in the German network to a GT they control
4/12 Next, Russia would need to know the German roamer was a person of interest, and they need his number. OSINT could be used to get the MSISDN or a local IMSI catcher could obtain IMSI. News reports say the event was "riddled" with Russian intelligence. https://t.co/h3hgvE5G46
3/12 But as @RidT also states, this person gets added by another, so it's probably not wifi. And if I'm a German general abroad, would I use my "handy" or a strange hotel phone? I think I would use my mobile. https://t.co/vGvvCZsBUR
2/12 First step is that we assume the call intercepted was generated by a German mobile device, roaming into Singapore. In the press release we are not told for certain it was a mobile. So could have been a mobile or a hotel line (or wifi) https://t.co/h3hgvE5G46
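The signaling sequence described in steps 5/12 to 7/12 of the thread above (an ISD that changes the roamer's gsmSCF address, the CAMEL IDP query, then a CONNECT that redirects the call) can be checked for on the defender's side. The following is an added detection sketch, not part of the original posts or any vendor's code; the record layout, the `HOME_CC` table and every number in it are constructed, and events are assumed to be already decoded and correlated to the subscriber's IMSI.

```python
# Added detection sketch; record layout and all numbers are constructed for illustration.
# Assumption: events are already decoded from MAP/CAP and correlated to the IMSI.
HOME_CC = {"262": "49"}  # IMSI MCC -> E.164 country code of the home network (Germany only)

def analyse(events):
    """Walk time-ordered events and return a list of (alert, imsi, value) tuples."""
    alerts, suspect_scf, dialled = [], {}, {}
    for ev in events:
        imsi = ev["imsi"]
        if ev["op"] == "ISD" and "gsmscf" in ev:
            # Step 5/12: the gsmSCF address stored in the visited network is replaced.
            # Flag it when the new address is not numbered in the subscriber's home country.
            cc = HOME_CC.get(imsi[:3])
            if cc and not ev["gsmscf"].startswith(cc):
                suspect_scf[imsi] = ev["gsmscf"]
                alerts.append(("ISD_FOREIGN_GSMSCF", imsi, ev["gsmscf"]))
        elif ev["op"] == "IDP":
            # Step 6/12: the visited network asks the gsmSCF whether the call may proceed.
            dialled[imsi] = ev["called"]
        elif ev["op"] == "CONNECT":
            # Step 7/12: the answer carries a destination other than the dialled number.
            # Number rewriting alone can be legitimate, so alert only after a flagged ISD.
            if imsi in suspect_scf and ev["dest"] != dialled.get(imsi):
                alerts.append(("CONNECT_REDIRECT", imsi, ev["dest"]))
    return alerts

SAMPLE = [  # constructed events, not real traffic
    # Subscriber ...002: home-country gsmSCF that rewrites the number (no alert expected).
    {"op": "ISD", "imsi": "262010000000002", "gsmscf": "491700000001"},
    {"op": "IDP", "imsi": "262010000000002", "called": "6560000001"},
    {"op": "CONNECT", "imsi": "262010000000002", "dest": "6560000099"},
    # Subscriber ...001: gsmSCF replaced with a foreign address, then the call is redirected.
    {"op": "ISD", "imsi": "262010000000001", "gsmscf": "79000000001"},
    {"op": "IDP", "imsi": "262010000000001", "called": "6560000001"},
    {"op": "CONNECT", "imsi": "262010000000001", "dest": "79000000002"},
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE):
        print(alert)
```
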
11/11 Conclusion: certainly not the biggest or most impactful attack but the fact NSOGroup reportedly offered it shows it had some value. Binary SMS continues to be an area with a steady stream of vulnerabilities. Also our first time finding an attack in legal documents!
10/11 Good news though is that we didn't observe any attackers using this technique in the operators we protect, this may be due to it being old. In addition it should be relatively easy to block these attacks. More suggestions on how to do this in the blog