
Exposing The Flaw In Our Phone System
This is Linus from Linus Tech Tips and we hacked the phone network in order to spy on him.
15 chapitres
- The Opening Hack and Phone Network VulnerabilityThe DemonstrationDerek and team hacked the phone network to intercept Linus's calls and steal his two-factor passcodes without touching his phone or sending any messages.How It WorksThey used a remote application to redirect incoming calls to their system, allowing them to answer calls intended for Linus's number on demand.Key VulnerabilityThe hack exploits fundamental flaws in the global phone system that allow attackers to control call routing without any physical access to the target device.Real-World ImpactThis same technique could happen to anyone with a regular SIM card, making it a widespread security threat affecting millions of users.
- The Blue Box Era and Early PhreakingHistorical OriginsIn the 1970s, Steve Jobs and Steve Wozniak created the Blue Box, a device that hacked the telephone network to make free long-distance calls that normally cost $25 per minute.Technical Breakthrough• They discovered they could control billions of dollars worth of phone infrastructure with homemade Radio Shack parts • The Blue Box was instrumental in the founding of Apple ComputerFamous ExploitsWozniak pretended to be Henry Kissinger and called the Pope, causing Vatican staff to wake cardinals before they realized it was a prank.Why It MatteredThe Blue Box demonstrated that phone networks could be exploited by individuals, leading to major changes in how telecommunications systems were secured.
- From Analog to Digital: How Phone Systems EvolvedManual Era• Until the mid-1920s, phone calls were connected manually by operators • By 1950, over a million operators in the US alone were needed • Operators handled hundreds of connections per hourRotary Dial TechnologyThe rotary dial automated connections by sending electrical pulses down the phone line, with each digit represented by a specific number of pulses.Long Distance ProblemLong distance lines had high capacitance and resistance, distorting control signals and making automation nearly impossible over distance.Touch Tone SolutionPush-button phones solved the problem by using audio frequencies within the human hearing range to carry control signals that all networks could process.
- The Vulnerability of Touch Tone and SS7 IntroductionTone-Based ControlEach push-button was assigned unique frequency combinations that could travel through the voice channel, allowing all networks to process control signals regardless of distance.The 2600 Hertz Exploit• Long distance calls checked for a 2600 Hz tone to verify connection status • Jobs and Woz exploited this by sending the 2600 Hz tone after dialing a toll-free number • Some people used a Cap'n Crunch whistle that naturally produced the exact frequencyThe New ProtocolPhone companies responded by creating Signaling System No. 7, which separated control signals onto a dedicated digital line instead of the voice channel.SS7 TodaySS7 was introduced in 1980 and is still broadly in use today, but may not be as secure as originally thought.
- Real-World Consequences: The Princess Latifa CaseThe SituationPrincess Latifa of Dubai claimed her father held her in solitary confinement and sedated for years. In 2018, her martial arts instructor Tiina helped her escape.The Escape AttemptThey fled to a yacht captained by former French intelligence officer Hervé Jaubert and sailed toward India for eight days.The CaptureA dark boat sent by her father intercepted the yacht on March 4th, with agents boarding and abducting Latifa to take her back to Dubai.SS7 Attack RoleThe captain was the victim of a coordinated SS7 attack designed to pinpoint his location and reveal the princess's whereabouts.
- How SS7 Attacks Work: The Three StepsStep One: InfiltrateAttackers must gain access to the SS7 network by leasing connections from telecom providers, which can cost a few thousand dollars per month or be obtained through bribery or hacking.Step Two: Gain Trust• Attackers need to obtain the IMSI, a unique 15-digit identifier from the target's SIM card • They use SS7 messages like 'send routing info' to collect the IMSI from a subscriber • Networks have firewalls to block suspicious requests, making this step criticalStep Three: AttackWith SS7 access and the IMSI, attackers can intercept calls, redirect traffic, and steal authentication codes.Why It's PossibleSS7 was designed in 1980 when mobile phones barely existed and the telecom landscape was controlled by a few large trusted operators.
- The Global Roaming Problem and Network TrustRoaming NeedWhen you travel internationally, your phone must connect to a foreign network that queries your home network to verify you're a valid customer and will pay charges.The Walled Garden• Telcos establish agreements with providers in countries they serve (one primary, one backup) • Networks accept messages only from Global Titles they have agreements with • The system is designed as a closed 'walled garden' with few barriers once insideHistorical SecuritySS7 was secure when developed because the telecom landscape was dominated by a few large, reputable operators with mutual interest in network integrity.Modern VulnerabilityToday there are over 1200 operators and 4,500 networks. Many provide SS7 access to virtual network operators, mass-text services, and other companies that can be bribed, hacked, or compromised.
- Call Interception Demonstration with LinusThe SetupJames from Hacksmith was scheduled to call Linus. Karsten and Alexandre executed an SS7 attack to intercept the call before it reached him.The Result• Linus's phone did not ring at all • Derek answered the call instead, pretending to be Linus • James had no idea he was talking to someone other than his intended recipientThe MechanismBy tricking the network into thinking Linus's phone was roaming, they could rewrite the destination number to one they controlled.Minimal RequirementsAll that was needed was Linus's phone number. The attacker could act as a middleman, recording calls while forwarding them, completely undetected.
- SMS Interception and Two-Factor Authentication CompromiseSMS Interception MethodSimilar to phone calls, attackers trick the network into thinking the target is roaming, which reroutes their SMS messages to the attacker's Global Title.Two-Factor Vulnerability• Attackers can steal one-time passwords used in SMS-based two-factor authentication • This attack only works for a few seconds until the subscriber interacts with their phone network • SMS is the default 2FA method for many services, including bank accountsAccount Takeover DemoThey successfully set up a new Linus YouTube channel by intercepting the 2FA code (820299), demonstrating how quickly a hacker can gain account access.Real-World ExploitationThe target would never know messages were intercepted or missed, making this attack particularly dangerous for sensitive accounts.
- Location Tracking via SS7Technical MethodUsing the IMSI and switching center information, attackers can issue commands to identify which cell tower a target is connected to.Location Precision• In urban areas with many towers, this can place someone within 100 meters • Attackers can determine if someone is at home or work • The more towers in range, the more precise the locationHistorical ExampleIn 2016, Karsten and his team used this method to track US Congressman Ted Lieu's location to specific areas in California.Attack SubtletySS7 location requests don't rely on GPS or complex triangulation methods. They simply identify the connected cell tower, making detection difficult.
- Broader Security Threats and Government SurveillanceCriminal Exploitation• Criminals have used SS7 to intercept SMS 2FA codes and empty millions from bank accounts • Millions of malicious SS7 requests are sent each year • More than 2.5 million tracking attempts per year have been documentedNSO and Pegasus• The NSO Group acquired an SS7 tracking company in 2014 • NSO creates Pegasus spyware that gains complete access to phones without user interaction • Zero-click exploits can cost over $4 million per targetSurveillance ScaleOne expert found 20-30 VIPs including a country's chief of cybersecurity under constant surveillance on a foreign network.Who Gets TargetedPeople of interest to state agencies are primarily targeted, but interception attempts are far less common than tracking attempts.
- The Security Evolution and Industry Response2014 Revelation• Karsten Nohl and Tobias Engel exposed SS7 vulnerabilities publicly in 2014 • This was a wake-up call to the industry with hard evidence of how easy exploitation was • Showed that amateur hackers with basic means could execute sophisticated SS7 attacksEarly Improvements• German telcos immediately started refusing 'anytime interrogation' requests after the 2014 conference • This command was never used constructively and was frequently abused • However, over 150 other SS7 messages still need to be stopped for complete securityWhy SS7 PersistsSS7 is the backbone of 2G and 3G communications, making complete replacement extremely difficult despite better alternatives existing.Legacy Complications• Since 2018, EU cars have mandatory emergency call buttons using 2G and 3G SIM cards with SS7 • When 4G connectivity drops, 3G fallback is critical for functionality • This legacy support creates a barrier to phasing out SS7
- Network Effects and the Path ForwardNewer Solutions Available• 5G signaling protocol can stop these attacks completely • Many networks already use 5G technology • However, when routing calls between networks, SS7 remains the de facto standardFirst Mover ProblemThere's no advantage to being the first network to adopt a new system. You gain full benefits only when everyone else is already connected, creating enormous inertia.Timeline for ChangeUnless major events put this back on the public radar, it could take another 10, 15, or even 20 years until SS7 networks are finally switched off.Why This MattersThe same vulnerabilities that Derek and expert researchers exploited could be used by governments with greater resources and capabilities.
- Personal Protection and Closing ThoughtsLocation Protection LimitsThere is unfortunately very little users can do to protect against location tracking as long as they have a SIM card.2FA Alternatives• Avoid SMS-based two-factor authentication when possible • Use authenticator apps or hardware tokens instead • This prevents interception of one-time passwordsCommunication SecurityUse encrypted internet-based calling services like Signal or WhatsApp instead of regular phone calls to avoid tapping.Privacy Philosophy• SS7 attacks represent a massive privacy intrusion with millions of abuse cases monthly • Privacy and unobserved thought are prerequisites for democracy • This affects not just individuals but the foundation of free society
- Brilliant Sponsorship and Final MessageThe Challenge AheadOur technological world will never be perfect. New vulnerabilities will be found in replacement systems even as SS7 is being secured or replaced.Building KnowledgeThe best approach is to continuously build knowledge and problem-solving skills to stay ready for whatever security challenges the future holds.Learning Platform• Brilliant offers thousands of interactive lessons in math, data analysis, technology, and programming • Their data clustering course teaches the same tools security researchers use to spot trends in billions of SS7 messages • Bite-sized lessons help build daily learning habitsCall to ActionVisit brilliant.org/veritasium for 30 days free and 20% off annual premium subscription to start building better problem-solving skills today.





