For years, experts have warned of vulnerabilities in the network that routes phone calls and cellular service — but those attacks may be more widespread than anyone realized. For more than a year, a Tor Hidden Service has been offering ongoing access to telecom’s private SS7 network for as little as $500 a month. Combined with known vulnerabilities, that access could be used to intercept texts, track the location of an individual phone, or cut off cellular service entirely.
Accessible on Tor at zkkc7e5rwvs4bpxm.onion, the “Interconnector” service offers a variety of services charged as monthly fees, including $250 to intercept calls or texts, $500 for full access, or $150 for cellphone reports (including location data and IMSI numbers). Well-heeled users can even pay $5,500 for direct access to the SS7 port, billed as “everything you need to start your own service.”
One customer wrote to The Verge with complaints about the service, claiming to have paid the site’s fee only to be ignored by the site’s manager, never receiving access to the SS7 dashboard. Others have gone as far as labeling it a scam. The site responded to the concerns earlier today, promising a free page to test the service next week, although access to the site will be heavily limited.
Still, the offering is consistent with what we know about SS7 hacking. Unlike the internet, the SS7 network is a closed network, only meant to be accessed by a handful of telecom companies. As a result, there are few authentication systems in place once a user is on the network. In the past, researchers have raised concerns about SS7 attacks that hacked into telecom company systems remotely, or directly reprogrammed leased equipment like a femtocell.
The site’s manager, who goes by the name Interconnect0r, declined to say how she was able to maintain access, but said it did not present significant technical difficulties, despite regular intervention from phone companies. She also said many others were maintaining access to the SS7 network using similar methods.
“It’s easier than you would think,” she told The Verge. “It’s difficult to wrap your mind around how [easy], unless you've got the right guidance, or stumble upon the right information.”
Most of the vulnerabilities in the SS7 have been known for years, although little has been done to fix them. In 2014, Karsten Nohl first demonstrated how the SS7 system could be used to track a user’s physical location, and subsequent work showed how bad actors on the network could intercept texts and redirect calls. Those attacks could break two-factor authentication, intercepting an SMS or audio call sent through the compromised network.
In 2016, Nohl used the vulnerabilities to track the location of an iPhone belonging to Congressman Ted Lieu as part of a demonstration for CBS’s 60 Minutes. The following March, Rep. Lieu and Senator Ron Wyden sent a letter to Homeland Security Secretary John Kelly raising concerns about the issue, hoping to spur more aggressive fixes from telecom carriers.
“We are deeply concerned that the security of America’s telecommunications infrastructure is not getting the attention it deserves,” the letter reads. “Most americans simply have no idea how easy it is for a relatively sophisticated adversary to track their movements, tap their calls, and hack their smartphones.”
Update 4:12PM ET: Updated with the complaints about the service.