If you've used a phone much, you probably know what cell service is. Quick recap: Cellular service is a wireless communication system that allows mobile devices, like phones, to connect to a network using radio frequencies. You might have known that already, but did you know that 3G cell service networks have a large security flaw that's easy to exploit?
To explain this better, let's go back in time! 🕒
Early Days of the Telephone
Before 1920, most phones didn't have a 'dialing' function. When you lifted the phone, a circuit connected inside it, which drew power and caused a light to illuminate at the telephone exchange. An operator would then notice the light and ask who you wanted to call.
If you asked for your friend John, then the telephone operator would find your friend's wire and connect it to yours — then, you could speak to each other.
Of course, as phones became more common, it was a LOT of work to connect everybody's wires. People were becoming concerned — soon, there wouldn't be enough workers to handle calls fast enough. So we needed to automate the call connection process.
Rotary Dial Telephones
Rotary dial telephones seemed to be a great solution! The basic concept of how a rotary dial phone works is fairly simple. You place your finger in a number hole, rotate the dial to the end, and it spins back. Inside the telephone, the dial rotating back would output electrical pulses, equivalent to the number you started on.
💡 Fun Fact: The 0 is at the end of the dial, sending 10 pulses, because you can't just output 0 pulses - this would be detected as merely doing nothing.
The problem is that when the line gets longer, the pulses have to go farther. The voltage drops, the pulses get distorted, and it's tough to tell them apart. So local calls (short) were easy, but long distance calls were quite problematic.
Now you might have noticed something. Rotary phones send pulses — a frequency — of electricity to the telephone exchange. What's something that travels as a frequency 🤔? Sound! What is a telephone for? Sending sound from one location to another! τῆλε (têle, “afar”) + φωνή (phōnḗ, “voice, sound”)
Since telephone wires are very optimized for carrying sound without losing quality, why not send sound tones instead of electrical pulses? And so was born…
… The Push-button Telephone
(aka the 'touch-tone telephone')
The idea is simple: when you push a button, a specific sound frequency is played. This sound gets sent through the telephone wires, and the telephone system translates it to figure out where to connect your call.
Now, here’s where the problem comes in — making long-distance calls means your phone needs to pass through multiple “nodes” that help connect you to the other person far away. To check if a line was available, the phone system would listen for a 2600 Hz tone (basically a specific sound frequency) between the two connected phones.
Hackers discovered they could trick the system. By dialing a toll-free number (like a 1-800 number) and playing a 2600 Hz tone into the phone, they made the local node think the call had been disconnected. The system would then open the line. Once they stopped playing the tone, the system thought there was a new incoming call. The hacker could now dial any long-distance number they wanted for free by playing the right tones.
Signaling System 7
To solve this problem, telephone companies developed a new signaling protocol, called SS7. This is still widely in use today.
Here's how it works: Instead of sending frequencies over the main phone line, commands were sent over a separate digital line. So, hackers couldn't just send tones down the voice line to get free calls.
But there is a problem!
While SS7 fixed the issue of tone-based hacks, it created new vulnerabilities. SS7 was designed during a time when trust between telecom companies was assumed — so security wasn't the priority. Once connected to the SS7 network, telecom providers could exchange information freely to route calls, send text messages, and even locate phones. The issue is, this system was never built to verify whether every user or request should be trusted.
Hackers, or even rogue telecom operators, can exploit this by gaining unauthorized access to the SS7 network. Many rogue telecom providers lease their services for sums of money to hackers. From there, hackers can:
Intercept Calls and Messages. Hackers can use SS7 to reroute a victim's calls or messages to their own devices, allowing them to eavesdrop on conversations or read SMS texts, including two-factor authentication codes.
Track Location. With access to SS7, attackers can ping cell towers to track the location of any phone, as long as it’s connected to a network.
Redirect Services. They can redirect calls and data without the victim knowing, potentially leading to identity theft, bank fraud, and more.
So, while SS7 fixed the old tone-based hacks, it opened up new ways for attackers to exploit the telecom network in a more sophisticated manner, especially by taking advantage of the lack of proper security and authentication within SS7 itself. This has made SS7 a target for modern attacks, even in today’s digital world.
If you have ever used cell service, there is a chance that your phone calls have been intercepted. If you don't happen to be a world leader, person with a lot of money, or popular political figure, then lucky you! The chances that your data has been stolen (via this method, at least) are very low.
Of course, that's not the point. Just because there is a low chance of a system being exploited to get an everyday individual's data doesn't mean it never will be, and it doesn't mean we shouldn't fix it.
The Solution
When I hear people say, “I have nothing to hide”, I think, “Oh really? Try posting your passwords all over the internet!”
Let's make something clear:
If you own something that can be stolen, you have something to hide.
That's just one of my pet peeves. If you really do have nothing to hide, good for you!
So, what can we do?
Well, the best thing you can do right now is stop using cell service (particularly 3G networks) whenever possible. For texting and phone calls, use an encrypted internet based service, like Signal or WhatsApp.
Use authenticator apps or passkeys for two-factor authentication instead of your phone number.
In the long term, SS7 is slowly being replaced in newer cellular networks. But that's a topic for another post. 😊
Thanks for reading!
Article written by BestCodes.