Intelligence Oversight

Nick Asks the NSA: Signaling System 7 (SS7)

By Nicholas Weaver
Wednesday, April 20, 2016, 8:47 AM

A challenge to effective Congressional oversight of the NSA is the difficult in even knowing the right questions to ask, even when the answers are classified and can only be provided within the SSCI SCIF. And this problem is substantially compounded in areas where there is a need for highly detailed technical understanding in order to construct the questions in the first place.

Here, in an attempt to improve matters and to provide some accessible insights into critical security problems, I will start what I hope to be an occasional series: Nick Asks the NSA. I’ll try to offer the necessary background on emerging security discussions and formulate the questions I think the SSCI and HPSCI should be asking. Naturally, I’d prefer public answers, but I’d be satisfied to know that at least congressional oversight committees are asking the questions.

First up, Nick Asks the NSA about Signaling System 7 (SS7).

Background: Signaling System 7

SS7 is the protocol phone companies use to talk to each other. It is an "out of band" signaling protocol, a separate communication channel used to coordinate calls and other features. For example, SS7 is the protocol involved in cellular roaming, allowing a cellphone to work effectively anywhere on the planet.

Unfortunately SS7 has a large amount of legacy, the biggest being a design concept dating back to the old Bell telephone days with a single flat trust model. This means that a cellular company in Kazakhstan is considered just as trustworthy as AT&T.

Unfortunately this represents a significant weakness, as analyzed by researchers at Positive Technologies and elsewhere. Once an attacker gains the ability to send SS7 messages—by compromising or acting as part of a phone company anywhere in the world—the attacker can send messages to any other telephone company.

The earliest attack, discovered in 2008 by Tobias Engel, involved requesting a target phone's location. With just a phone number, it is possible to track anyone anywhere in the world on a cell-tower level. Of course, this was soon commercialized for "lawful" purposes. [Note: For attack tools, "lawful" purpose generally means "ascribe to the Wehrner von Braun school of rocketry."] More recent work developed the ability to hijack incoming and outgoing calls and messages, as well asking for the encryption keys used to protect calls from over-the-air eavesdropping. 60 Minutes recently broadcast a good demonstration.

However, these attacks, although fundamentally baked-into the protocol, are detectable. Someone monitoring SS7 traffic should be able to detect these network requests and classify them as anomalous. For example, it is quite common for a foreign carrier to query for its phones when they roam to the US, but it is another matter entirely for the same carrier to query for US phones still in the US; there is no reason why a Congolese cellphone carrier should ask to forward traffic from a US phone.

Questions for Congress to ask the NSA:

#1: Is the NSA monitoring SS7 traffic into and out of the United States under EO12333, FAA 702, or any other authority?

Comment: I would hope so. This clearly qualifies as "metadata" under Smith v. Maryland and FAA 702 would seem to grants explicit authority for this kind of monitoring, even if it included content and not just metadata. This data is valuable for a wide variety of foreign intelligence purposes.

#2: Does the NSA's monitoring of SS7 traffic include a detection suite for SS7 exploitation by others?

Comment: Again, here the answer should be “yes.” SS7 attacks are in the toolkit of any even minimally competent foreign actor. Indeed, low-level activist hackers have used SS7 attacks to track Hacking Team—a "lawful" malcode vendor's—sales staff.

Those preliminary questions—the answers to which should be an enthusiastic, “yes!”—out of the way, we should move on to the more meaty and consequential oversight questions. Notably, I would not necessarily expect the NSA to be able to produce immediate responses, but it would be significant if they needed to conduct entirely de novo analysis, since that would signal they are not engaging in asking themselves these critical questions.

#3: How many different actors have the NSA identified as using SS7 vulnerabilities to track individuals or intercept communications within the United States?

Comment: There are likely many such actors, who should be identifiable by who they are targeting, what carrier they are using to generate their SS7 messages, and any anomalous fingerprints (such as common timing or motifs). The NSA should have classified intelligence of the tactics, techniques, and procedures of all of these actors.

#4: How many victims appear to be intelligence targets, such as US government officials? How many actors involved in intelligence targeting can be attributed to specific countries?

Comment: I would assume that SS7 is widely used to target US government officials and other similar "foreign intelligence" targets by both our "allies" and adversaries.

#5: Are there any plans to notify victims who possess an active Top Secret security clearance? Are there any plans to notify US government employees without an active Top Secret clearance?

Comment: Simply identifying attacks, without a remediation plan would demonstrate substantial weakness in how the NSA handles cyber-defense. The Agency must have protocols and procedures to notify victims.

#6: How many victims of such targeting appear to be criminal suspects? How much of this targeting appears to come from countries which have an MLAT with the United States?

Comment: I suspect that SS7 tracking is not restricted to intelligence services but is also used in criminal investigations by other countries. Some countries may even use this kind of tracking as an expedient work-around the cumbersome MLAT process.

MLAT reform is an urgent topic. Evidence of foreign law enforcement violating US law to obtain data should significantly impact the discussion, both as a reason for improving the process and as a reason to view foreign requests with suspicion.

#7: How many victims of such targeting appear to be activists and others whose activity would be protected by the First Amendment? Are there any plans to notify these victims?

Comment: It is possible, even likely, that foreign actors are targeting people in the US based on legitimate First Amendment activities. After all, we have clear evidence of foreign actors using hacking tools to target activists in the US. Recognizing the prevalence of this kind of activity should inform US policy decisions concerning repressive regimes.

#8: Are you working with carriers to identify bad actors and block some of these attacks?

Comment: I hope so.


In conclusion, I doubt the NSA would ever make the answers to these questions publically available, but they really should consider doing so. These sources and methods are widely known, so a large amount of information highly impactful to US policy debate in a number of areas could be brought to the public without compromising intelligence collection.