On call forwarding and SMS through SS7

Call forwarding and SMS through SS7

CM is aware of the publications of The Washington Post on vulnerabilities in SS7. These are our finding on this topic.

 

  • The majority of the information in the Washington Post article has been known for years.
  • The newest development in the publications is on call forwarding and not on SMS
  • CM offers two solutions to cope with this issue: 1) direct operator connections. 2) end-two-end encryption for messaging on smartphones.

Licenses

GSM is based on licenses. GSMA issues these licenses en their domestics. Operators used to trust each other. The growth in (virtual) operators worldwide decreased the mutual thrust. Precautions are taken to prevent misuse of networks. This has been going on for years. Next to numerous other companies, CM has been supporting and helping operators with this. From a technical point of view, the vulnerabilities can be compared to the vulnerabilities email and internet (DNS, BGP, MX) suffer from too. However, Within the telecom industry this is less common because the number of players is limited and well known.

Within GSM there are options built to listen into. This has been done regulatory and is used as well. Specialised organisations – like CM - do have options to retrieve location information on a country level. A more specific localisation is only accessible from within the telecom network.

Call forwarding

The mentioned call forwarding technology works only with voice calls, and not with SMS messages. People putting antennas near receiver to intercept and decrypt messages has been know a long time. This is a very labour-intensive and costly technique and not scalable. That’s why governments in case of serious terror threats only done that. There are minor risks for transaction authentication number (TAN), One Time Passwords (OTP) and two-factor authentication (2FA), because their validity is only short and decrypting takes longer.

Direct connections

CM offers some companies in some countries possibilities to send traffic over closed lines that don’t use SS7. The customers’ messages travel directly to CM (through VPN or private lines) and from CM to the designated operators (through VPN or private lines), which terminate them in their own network. This method costs half a cent more for more operators and can be realised with a click on a button for pre-existing customers. CM furthermore offers possibilities to add encryption through apps with SDK’s. This ensures more security but is only available to smartphone owners and takes some time to implement.

Precautions

We put everything in effort to secure our transactions and take necessary precautions and inform our customers. The above is based upon our knowledge, experience and our opinion.

 



Enjoyed this article? Please share the news!

About the author

Erik Eggens is an allround journalist, editor, content creator and copywriter and takes a keen interest in mobile, finance and politics.

Connect with Erik on

LinkedIn, Twitter.