Expériences/Exposing The Flaw In Our Phone System
Exposing The Flaw In Our Phone System

Exposing The Flaw In Our Phone System

Veritasium31 min21 sept. 2024
This is Linus from Linus Tech Tips and we hacked the phone network in order to spy on him.
15 chapitres
  • The Opening Hack and Phone Network Vulnerability(0'001'03)
    Derek and team hacked the phone network to intercept Linus's calls and steal his two-factor passcodes without touching his phone or sending any messages.
    They used a remote application to redirect incoming calls to their system, allowing them to answer calls intended for Linus's number on demand.
    The hack exploits fundamental flaws in the global phone system that allow attackers to control call routing without any physical access to the target device.
    This same technique could happen to anyone with a regular SIM card, making it a widespread security threat affecting millions of users.
  • The Blue Box Era and Early Phreaking(1'032'23)
    In the 1970s, Steve Jobs and Steve Wozniak created the Blue Box, a device that hacked the telephone network to make free long-distance calls that normally cost $25 per minute.
    • They discovered they could control billions of dollars worth of phone infrastructure with homemade Radio Shack parts • The Blue Box was instrumental in the founding of Apple Computer
    Wozniak pretended to be Henry Kissinger and called the Pope, causing Vatican staff to wake cardinals before they realized it was a prank.
    The Blue Box demonstrated that phone networks could be exploited by individuals, leading to major changes in how telecommunications systems were secured.
  • From Analog to Digital: How Phone Systems Evolved(2'235'00)
    • Until the mid-1920s, phone calls were connected manually by operators • By 1950, over a million operators in the US alone were needed • Operators handled hundreds of connections per hour
    The rotary dial automated connections by sending electrical pulses down the phone line, with each digit represented by a specific number of pulses.
    Long distance lines had high capacitance and resistance, distorting control signals and making automation nearly impossible over distance.
    Push-button phones solved the problem by using audio frequencies within the human hearing range to carry control signals that all networks could process.
  • The Vulnerability of Touch Tone and SS7 Introduction(5'007'10)
    Each push-button was assigned unique frequency combinations that could travel through the voice channel, allowing all networks to process control signals regardless of distance.
    • Long distance calls checked for a 2600 Hz tone to verify connection status • Jobs and Woz exploited this by sending the 2600 Hz tone after dialing a toll-free number • Some people used a Cap'n Crunch whistle that naturally produced the exact frequency
    Phone companies responded by creating Signaling System No. 7, which separated control signals onto a dedicated digital line instead of the voice channel.
    SS7 was introduced in 1980 and is still broadly in use today, but may not be as secure as originally thought.
  • Real-World Consequences: The Princess Latifa Case(7'108'00)
    Princess Latifa of Dubai claimed her father held her in solitary confinement and sedated for years. In 2018, her martial arts instructor Tiina helped her escape.
    They fled to a yacht captained by former French intelligence officer Hervé Jaubert and sailed toward India for eight days.
    A dark boat sent by her father intercepted the yacht on March 4th, with agents boarding and abducting Latifa to take her back to Dubai.
    The captain was the victim of a coordinated SS7 attack designed to pinpoint his location and reveal the princess's whereabouts.
  • How SS7 Attacks Work: The Three Steps(8'009'00)
    Attackers must gain access to the SS7 network by leasing connections from telecom providers, which can cost a few thousand dollars per month or be obtained through bribery or hacking.
    • Attackers need to obtain the IMSI, a unique 15-digit identifier from the target's SIM card • They use SS7 messages like 'send routing info' to collect the IMSI from a subscriber • Networks have firewalls to block suspicious requests, making this step critical
    With SS7 access and the IMSI, attackers can intercept calls, redirect traffic, and steal authentication codes.
    SS7 was designed in 1980 when mobile phones barely existed and the telecom landscape was controlled by a few large trusted operators.
  • The Global Roaming Problem and Network Trust(9'0013'19)
    When you travel internationally, your phone must connect to a foreign network that queries your home network to verify you're a valid customer and will pay charges.
    • Telcos establish agreements with providers in countries they serve (one primary, one backup) • Networks accept messages only from Global Titles they have agreements with • The system is designed as a closed 'walled garden' with few barriers once inside
    SS7 was secure when developed because the telecom landscape was dominated by a few large, reputable operators with mutual interest in network integrity.
    Today there are over 1200 operators and 4,500 networks. Many provide SS7 access to virtual network operators, mass-text services, and other companies that can be bribed, hacked, or compromised.
  • Call Interception Demonstration with Linus(13'1918'10)
    James from Hacksmith was scheduled to call Linus. Karsten and Alexandre executed an SS7 attack to intercept the call before it reached him.
    • Linus's phone did not ring at all • Derek answered the call instead, pretending to be Linus • James had no idea he was talking to someone other than his intended recipient
    By tricking the network into thinking Linus's phone was roaming, they could rewrite the destination number to one they controlled.
    All that was needed was Linus's phone number. The attacker could act as a middleman, recording calls while forwarding them, completely undetected.
  • SMS Interception and Two-Factor Authentication Compromise(18'1020'27)
    Similar to phone calls, attackers trick the network into thinking the target is roaming, which reroutes their SMS messages to the attacker's Global Title.
    • Attackers can steal one-time passwords used in SMS-based two-factor authentication • This attack only works for a few seconds until the subscriber interacts with their phone network • SMS is the default 2FA method for many services, including bank accounts
    They successfully set up a new Linus YouTube channel by intercepting the 2FA code (820299), demonstrating how quickly a hacker can gain account access.
    The target would never know messages were intercepted or missed, making this attack particularly dangerous for sensitive accounts.
  • Location Tracking via SS7(20'2724'00)
    Using the IMSI and switching center information, attackers can issue commands to identify which cell tower a target is connected to.
    • In urban areas with many towers, this can place someone within 100 meters • Attackers can determine if someone is at home or work • The more towers in range, the more precise the location
    In 2016, Karsten and his team used this method to track US Congressman Ted Lieu's location to specific areas in California.
    SS7 location requests don't rely on GPS or complex triangulation methods. They simply identify the connected cell tower, making detection difficult.
  • Broader Security Threats and Government Surveillance(24'0026'00)
    • Criminals have used SS7 to intercept SMS 2FA codes and empty millions from bank accounts • Millions of malicious SS7 requests are sent each year • More than 2.5 million tracking attempts per year have been documented
    • The NSO Group acquired an SS7 tracking company in 2014 • NSO creates Pegasus spyware that gains complete access to phones without user interaction • Zero-click exploits can cost over $4 million per target
    One expert found 20-30 VIPs including a country's chief of cybersecurity under constant surveillance on a foreign network.
    People of interest to state agencies are primarily targeted, but interception attempts are far less common than tracking attempts.
  • The Security Evolution and Industry Response(26'0027'42)
    • Karsten Nohl and Tobias Engel exposed SS7 vulnerabilities publicly in 2014 • This was a wake-up call to the industry with hard evidence of how easy exploitation was • Showed that amateur hackers with basic means could execute sophisticated SS7 attacks
    • German telcos immediately started refusing 'anytime interrogation' requests after the 2014 conference • This command was never used constructively and was frequently abused • However, over 150 other SS7 messages still need to be stopped for complete security
    SS7 is the backbone of 2G and 3G communications, making complete replacement extremely difficult despite better alternatives existing.
    • Since 2018, EU cars have mandatory emergency call buttons using 2G and 3G SIM cards with SS7 • When 4G connectivity drops, 3G fallback is critical for functionality • This legacy support creates a barrier to phasing out SS7
  • Network Effects and the Path Forward(27'4229'03)
    • 5G signaling protocol can stop these attacks completely • Many networks already use 5G technology • However, when routing calls between networks, SS7 remains the de facto standard
    There's no advantage to being the first network to adopt a new system. You gain full benefits only when everyone else is already connected, creating enormous inertia.
    Unless major events put this back on the public radar, it could take another 10, 15, or even 20 years until SS7 networks are finally switched off.
    The same vulnerabilities that Derek and expert researchers exploited could be used by governments with greater resources and capabilities.
  • Personal Protection and Closing Thoughts(29'0330'11)
    There is unfortunately very little users can do to protect against location tracking as long as they have a SIM card.
    • Avoid SMS-based two-factor authentication when possible • Use authenticator apps or hardware tokens instead • This prevents interception of one-time passwords
    Use encrypted internet-based calling services like Signal or WhatsApp instead of regular phone calls to avoid tapping.
    • SS7 attacks represent a massive privacy intrusion with millions of abuse cases monthly • Privacy and unobserved thought are prerequisites for democracy • This affects not just individuals but the foundation of free society
  • Brilliant Sponsorship and Final Message(30'1131'54)
    Our technological world will never be perfect. New vulnerabilities will be found in replacement systems even as SS7 is being secured or replaced.
    The best approach is to continuously build knowledge and problem-solving skills to stay ready for whatever security challenges the future holds.
    • Brilliant offers thousands of interactive lessons in math, data analysis, technology, and programming • Their data clustering course teaches the same tools security researchers use to spot trends in billions of SS7 messages • Bite-sized lessons help build daily learning habits
    Visit brilliant.org/veritasium for 30 days free and 20% off annual premium subscription to start building better problem-solving skills today.