Insecure communication: 9 ways to listen to your phone
A Life Technologies / / December 19, 2019
1. SORM - official wiretapping
The most obvious way is official wiretapping by the state.
In many countries, telephone companies are required to give the competent authorities access to lines for intercepting telephone channels. In Russia, for example, this is implemented in practice through SORM, a system of technical means for supporting investigative (operational-search) activities.
Each operator is required to install an integrated SORM module on its exchange (PBX).
If an operator has not installed equipment on its exchange for wiretapping the phones of all users, its license in Russia will be revoked. Similar total-wiretapping programs operate in Kazakhstan, Ukraine, the United States, the United Kingdom (Interception Modernisation Programme, Tempora) and other countries.
The corruption of public officials and employees of the security services is well known. If they have access to the system in "god mode", then for a fee you can get it too. As in all state systems, the Russian SORM is a big mess, with typical Russian carelessness. Most of the technicians actually have very low qualifications, which makes it possible to connect to the system illegally without the security services themselves noticing. Telecom operators have no control over when and which subscribers are listened to over SORM lines. The operator does not check whether there is a court warrant for wiretapping a specific user.
"You take a certain criminal case on the investigation of an organized criminal group, which lists 10 numbers. You need to listen to someone who has no relation to this investigation. You simply add this number and say that you have timely information that it is the number of one of the leaders of the criminal group," say people in the know from the site "Agentura.ru".
Thus, through SORM you can listen to anyone on "legal" grounds. So much for protected communication.
2. Wiretapping by the operator
Cellular operators can, as a rule, view without any difficulty the call list and the movement history of a mobile phone, which registers with different base stations according to its physical location. To obtain call recordings, the operator, like the security services, needs to connect to the SORM system.
Under new Russian laws, operators will be obliged to keep recordings of all subscribers' conversations for between six months and three years (the exact term is currently being agreed). The law takes effect in 2018.
3. Connecting to the SS7 signaling network
Knowing the victim's number, it is possible to listen to the phone by connecting to the mobile operator's network through vulnerabilities in the SS7 signaling protocol (Signaling System No. 7).
Security experts describe this technique as follows.
The attacker gains access to the SS7 signaling network and sends over its channels a Send Routing Info For SM (SRI4SM) service message, specifying the telephone number of the attacked subscriber A as a parameter. In response, subscriber A's home network sends the attacker some technical information: the IMSI (International Mobile Subscriber Identity) and the address of the MSC switch currently serving the subscriber.
Next, using an Insert Subscriber Data (ISD) message, the attacker writes an updated subscriber profile into the VLR database, replacing the address of the billing system in it with the address of the attacker's own pseudo-billing system. Then, when the attacked subscriber makes an outgoing call, the switch contacts the attacker's system instead of the real billing system, and that system instructs the switch to redirect the call to a third party, again controlled by the attacker. At this third party, a conference call is set up with three participants, two of whom are real (caller A and called party B), while the third is the attacker, inserted without authorization, who can listen to and record the conversation.
The scheme works. Experts say that when the SS7 signaling network was developed, no mechanisms to protect against such attacks were built into it. The assumption was that the system was closed anyway and protected from outside connections, but in practice an attacker can find a way to join the signaling network.
You can connect to the SS7 network from anywhere in the world, for example in a poor African country, and you will get access to the switches of all operators in Russia, the United States, Europe and other countries. This method makes it possible to listen to any phone in the world, even on the other side of the globe. Intercepting the incoming SMS of any phone is also elementary, as is transferring a balance via a USSD request (for more details, see the talk by Sergey Puzankov and Dmitry Kurbatov at the PHDays IV hacker conference).
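The sequence described in this section, an SRI4SM lookup followed by an ISD profile change arriving from outside the home network, is also what an operator can screen for at its signaling border. The following is an added example, not code from the original article: a Python filter over constructed MAP records, in which the GT prefixes, HLR address, IMSIs, phone numbers and the 600-second window are all assumptions.

```python
from typing import NamedTuple

# All values below are constructed for illustration.
HOME_IMSI_PREFIX = "00101"                 # test PLMN (MCC 001, MNC 01)
HOME_HLR_GTS = {"990000000001"}            # GTs of the operator's own HLRs
TRUSTED_SMSC_PREFIXES = ("9900", "9955")   # own and contracted partner SMSCs
WINDOW_S = 600                             # correlation window, seconds

class MapMsg(NamedTuple):
    ts: int           # arrival time, seconds
    op: str           # "SRI4SM" or "ISD"
    calling_gt: str   # SCCP calling-party global title
    target: str       # MSISDN for SRI4SM, IMSI for ISD

def screen(msgs, imsi_of):
    """Return (ts, severity, reason) alerts; imsi_of maps MSISDN -> IMSI."""
    alerts, probed = [], {}   # probed: IMSI -> (gt, ts) of last untrusted SRI4SM
    for m in sorted(msgs, key=lambda x: x.ts):
        if m.op == "SRI4SM" and not m.calling_gt.startswith(TRUSTED_SMSC_PREFIXES):
            imsi = imsi_of.get(m.target)
            if imsi:
                probed[imsi] = (m.calling_gt, m.ts)
            alerts.append((m.ts, "medium", "SRI4SM from untrusted GT"))
        # Only home subscribers are checked here; inbound roamers legitimately
        # receive ISD from their own (foreign) HLR.
        elif (m.op == "ISD" and m.target.startswith(HOME_IMSI_PREFIX)
              and m.calling_gt not in HOME_HLR_GTS):
            gt, ts = probed.get(m.target, (None, None))
            if gt == m.calling_gt and m.ts - ts <= WINDOW_S:
                alerts.append((m.ts, "high", "ISD after SRI4SM from same GT"))
            else:
                alerts.append((m.ts, "medium", "ISD from GT that is not a home HLR"))
    return alerts

IMSI_OF = {"5550000001": "001010000000001", "5550000002": "001010000000002"}
SAMPLE = [  # constructed signaling records
    MapMsg(100, "SRI4SM", "995500000010", "5550000001"),     # partner SMSC: normal
    MapMsg(200, "SRI4SM", "888123456789", "5550000001"),     # unknown GT looks up A
    MapMsg(260, "ISD", "888123456789", "001010000000001"),   # same GT rewrites A's profile
    MapMsg(300, "ISD", "990000000001", "001010000000002"),   # home HLR: normal
    MapMsg(5000, "ISD", "888999999999", "001010000000002"),  # foreign ISD, no lookup seen
]

if __name__ == "__main__":
    for alert in screen(SAMPLE, IMSI_OF):
        print(alert)
```
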
4. Connecting to the cable
From Edward Snowden's documents it became known that intelligence agencies not only "officially" listen to telephone communications through switches, but also connect directly to fiber, recording all traffic in its entirety. This makes it possible to listen to foreign operators that do not allow wiretapping equipment to be officially installed on their exchanges.
This is probably a fairly rare practice, used for international espionage. Since exchanges in Russia already have listening equipment installed everywhere, there is no particular need to connect to the fiber. Perhaps it makes sense to use this method only to intercept and record traffic in local networks at local exchanges, for example to record internal conversations in a company if they take place within a local PBX or over VoIP.
5. Installing a spyware Trojan
At the everyday level, the easiest way to listen to a user's conversations on a mobile phone, in Skype and in other programs is simply to install a Trojan on their smartphone. This method is available to anyone; it requires neither the powers of state intelligence agencies nor a court decision.
Abroad, law enforcement agencies often buy special Trojans that use 0-day vulnerabilities in Android and iOS, unknown to anyone, to install themselves. Such Trojans are developed on commission from law enforcement agencies by companies like Gamma Group (the FinFisher Trojan).
For Russian law enforcement agencies there is not much point in installing Trojans, unless they need the ability to activate the smartphone's microphone and record, even if the user is talking on a mobile phone. In other cases, SORM copes with the wiretapping. Therefore, the Russian security services are not very active in deploying Trojans. But for unofficial use, it is a favorite hacker tool.
Wives spy on their husbands, businessmen study the activities of competitors. In Russia, Trojan software is commonly used for wiretapping on behalf of private clients.
A Trojan is installed on a smartphone in various ways: through a bogus software update, through an email with a fake application, or through a vulnerability in Android or in popular software such as iTunes.
New vulnerabilities in programs are found literally every day, and then they are closed slowly. For example, the FinFisher Trojan was installed through a vulnerability in iTunes that Apple did not close from 2008 to 2011. Through this hole, any software could be installed on the victim's computer in Apple's name.
Perhaps a Trojan is already installed on your smartphone. Doesn't it seem to you that the smartphone's battery has lately been draining a little faster than normal?
6. Updating an application
Instead of installing a special spyware Trojan, an attacker can do something cleverer: choose an application that you will voluntarily install on your smartphone yourself, after which you will grant it full permissions for access to phone calls, recording conversations and transmitting data to a remote server.
For example, it may be a popular game distributed through unofficial ("left") mobile application catalogs. At first glance it is an ordinary game, but with a function for intercepting and recording conversations. Very convenient. The user, with their own hands, allows the program to go online, where it sends the files with the recorded conversations.
Alternatively, the malicious functionality can be added to the application as an update.
7. Counterfeit base station
A counterfeit base station has a stronger signal than the real BS. Because of this, it intercepts subscriber traffic and allows the data on the phone to be manipulated. It is known that fake base stations are widely used by law enforcement agencies abroad.
In the US, a popular model of fake BS is called StingRay.
And it is not only law enforcement agencies that use such devices. For example, businessmen in China often use fake BSs to send mass spam to mobile phones located within a radius of hundreds of meters. In general, production of "fake cells" in China is in full swing, so it is not a problem to find such a device in local stores, assembled literally on someone's knee.
8. Hacking femtocells
Recently, some companies have been using femtocells: miniature low-power cellular stations that intercept traffic from mobile phones within range. Such a femtocell makes it possible to record the phone calls of all the company's employees before redirecting the calls to the mobile operators' base station.
Accordingly, to wiretap a phone you need to install your own femtocell or hack the operator's original femtocell.
9. Mobile complex for remote wiretapping
In this case, a radio antenna is installed near the subscriber (working distance up to 500 meters). A directional antenna connected to a computer intercepts telephone signals, and after use it is simply taken away.
Unlike with a fake femtocell or a Trojan, here the attacker does not need to worry about getting into the location and installing the femtocell, and then removing it (or removing the Trojan without leaving traces of the hack).
The capabilities of modern PCs are sufficient to record a GSM signal on a large number of frequencies and then crack the encryption using rainbow tables (here is a description of the technique from a well-known specialist in this field, Karsten Nohl).
If you voluntarily carry a universal bug with you, you automatically collect an extensive dossier on yourself. The only question is who will need this dossier. But if someone needs it, they can get it easily.