Otto

Advanced
Joined
22.09.20
Messages
104
Reaction score
423
Points
63

1. SORM - official wiretapping​

The most obvious way is official wiretapping by the state.

In many parts of the world, telephone companies are required to provide access to wiretapping lines for the competent authorities. For example, in Russia, in practice, this is done technically through SORM - a system of technical means for ensuring the functions of operational-search measures.

Each operator must install an integrated SORM module on his PBX.


image02_1485208413.jpg


If a telecom operator has not installed equipment on its PBX for wiretapping the phones of all users, its license in Russia will be canceled. Similar programs of total wiretapping operate in Kazakhstan, Ukraine, the USA, Great Britain (Interception Modernization Program, Tempora) and other countries.

The venality of government officials and intelligence officers is well known to all. If they have access to the system in "god mode", then for a fee you can get it too. As in all state systems, in the Russian SORM there is a big mess and typical Russian carelessness. Most of the technicians are in fact very low-skilled, which allows unauthorized access to the system without being noticed by the intelligence services themselves.

Telecom operators do not control when and which subscribers are listening on SORM lines. The operator does not check in any way if there is a court sanction for wiretapping a particular user.

“You take a certain criminal case about the investigation of an organized criminal group, which lists 10 numbers. You need to listen to a person who has nothing to do with this investigation. You just finish off this number and say that you have operative information that this is the number of one of the leaders of the criminal group, ”say knowledgeable people from the site “Agentura.ru”.

Thus, through SORM, you can listen to anyone on a "legal" basis. Here's a secure connection.


2. Wiretapping through the operator​

Operators of cellular communications in general, without any problems, look at the list of calls and the history of movements of a mobile phone, which is registered in various base stations by its physical location. To receive call records, as with special services, the operator needs to connect to the SORM system.

Under the new Russian laws, operators will be required to store audio recordings of all users' conversations from six months to three years (the exact date is now being negotiated). The law comes into force in 2018.


3. Connection to the SS7 signal network​

Knowing the victim's number, it is possible to wiretap the phone by connecting to the network operator of the cellular network through vulnerabilities in the SS7 signaling protocol (Signaling System No. 7).


image01_1485208412.png


Security experts describe this technique this way.

The attacker infiltrates the SS7 signaling network, in the channels of which he sends a Send Routing Info For SM (SRI4SM) service message, indicating the telephone number of the attacked subscriber A as a parameter. In response, the home network of subscriber A sends the attacker some technical information: IMSI (international subscriber identifier) and the address of the MSC, which is currently serving the subscriber.

Then the attacker, using the Insert Subscriber Data (ISD) message, injects the updated subscriber profile into the VLR database, changing the address of the billing system in it to the address of his pseudo-billing system. Then, when the attacked subscriber makes an outgoing call, his switch turns to the attacker's system instead of the real billing system, which gives the switch a directive to redirect the call to a third party, again controlled by the attacker. On this third party, a conference call is assembled from three subscribers, two of which are real (caller A and callee B), and the third one is unauthorized by an attacker and can listen and record the conversation.

The scheme is quite working. Experts say that when the SS7 signaling network was developed, it did not include mechanisms to protect against such attacks. The implication was that this system was already closed and protected from outside connections, but in practice, an attacker could find a way to join this signaling network.

You can connect to the SS7 network in any country in the world, for example, in a poor African country, and you will have access to switches of all operators in Russia, the USA, Europe and other countries. This method allows you to listen to any subscriber in the world, even on the other side of the world. Interception of incoming SMS from any subscriber is also carried out elementary, as well as transfer of balance via USSD request (for more details, see the speech of Sergei Puzankov and Dmitry Kurbatov at the PHDays IV hacker conference).


4. Connect to cable​

From the documents of Edward Snowden it became known that the special services not only "officially" wiretap phones through communication switches, but also connect directly to fiber, recording all traffic in its entirety. This allows wiretapping of foreign operators who do not allow the official installation of wiretapping equipment on their PBXs.

This is probably a fairly rare practice for international espionage. Since ATEs in Russia already have listening equipment everywhere, there is no particular need to connect to fiber. Perhaps this method makes sense to use only for intercepting and recording traffic in local networks at local PBXs. For example, to record internal conversations in a company, if they are carried out within a local PBX or via VoIP.


5. Installing a spyware trojan​

At the everyday level, the easiest way to listen to a user's conversations on a mobile phone, in Skype and other programs is to simply install a Trojan on his smartphone. This method is available to everyone; it does not require the powers of state special services or a court decision.

Abroad, law enforcement agencies often purchase special Trojans that use unknown 0day vulnerabilities in Android and iOS to install programs. Such Trojans are being developed by companies like the Gamma Group (FinFisher Trojan) commissioned by law enforcement agencies.

It makes little sense for Russian law enforcement agencies to install Trojans, unless they need the ability to activate the smartphone's microphone and record, even if the user is not talking on a mobile phone. In other cases, SORM copes with wiretapping. Therefore, the Russian special services are not very active in introducing Trojans. But for unofficial use, it is a favorite hacking tool.

Wives spy on their husbands, businessmen study the activities of competitors. In Russia, Trojan software is widely used for wiretapping by private clients.

The Trojan is installed on a smartphone in various ways: through a fake software update, through an email with a fake application, through a vulnerability in Android or in popular software such as iTunes.

New vulnerabilities in programs are found literally every day, and then very slowly they are closed. For example, the FinFisher Trojan was installed through a vulnerability in iTunes that Apple did not close from 2008 to 2011. Through this hole, any software on behalf of Apple could be installed on the victim's computer.

Perhaps such a Trojan is already installed on your smartphone. Don't you think your smartphone battery has been discharging a little faster than expected lately?


6. Application update​

Instead of installing a special spyware Trojan, an attacker can do even smarter: choose an application that you yourself voluntarily install on your smartphone, and then give him all the authority to access phone calls, record conversations, and transfer data to a remote server.

For example, it could be a popular game that is distributed through the "left" catalogs of mobile applications. At first glance, this is an ordinary game, but with the function of wiretapping and recording conversations. Very comfortably. The user with his own hands allows the program to go online, where it sends files with recorded conversations.

Alternatively, malicious application functionality can be added as an update.


7. Fake base station​

The fake base station has a stronger signal than the real BS. Due to this, it intercepts the traffic of subscribers and allows you to manipulate data on the phone. It is known that fake base stations are widely used by law enforcement agencies abroad.

A fake BS model called StingRay is popular in the USA.


image00_1485208616-e1485208632671-630x450.jpg



image00_1485208411-e1485208603574-630x450.jpg


And not only law enforcement agencies use such devices. For example, merchants in China often use fake BSs to send mass spam to mobile phones within a radius of hundreds of meters. In general, in China, the production of "fake honeycombs" is put on stream, so in local stores it is not a problem to find a similar device, assembled literally on the knee.
 
Top Bottom