Transcript
wVyu7NB7W6Y • Exposing The Flaw In Our Phone System
Kind: captions. Language: en.

This is Linus from Linus Tech Tips, and we hacked the phone network in order to spy on him. "That's pretty messed up, Derek. I slept easier not knowing that." We intercepted his phone calls and stole his two-factor passcodes. "Is that your number, Linus?" "Yeah, but I didn't get it. Mine didn't even ring." We didn't touch his phone, we didn't send him an email or a text, nothing. We did it all remotely, and the worst part is, it could happen to you. "I think I'm really surprised that, no offense, but you guys did it." "Well, you're not a career criminal hacker mastermind, necessarily." "Indeed. But here it is, a normal looking and feeling device with no obvious problem with it, and you just receive my call instead of me receiving it. Just, what, on command? It's an app on your computer or what? I don't even know." But before we explain how we did all that...

The first startup that Steve Jobs and Steve Wozniak made wasn't Apple. No, they were tackling a different problem, one where their product was actually illegal. So back in the 1970s, long-distance phone calls were really expensive. Adjusted for inflation, a call from New York to London could run you $25 a minute. So these two entrepreneurs created a little blue box, and what it did was it hacked the telephone network. They could trick the telephone company into connecting the calls for free, among other things. "We were young, and what we learned was that we could build something ourselves that could control billions of dollars' worth of infrastructure in the world. I don't think there would have ever been an Apple computer had there not been blue boxing." It was said you called the Pope? "Yeah, we did call the Pope. Woz pretended to be Henry Kissinger, and we got the number of the Vatican and we called the Pope, and they started waking people up in the hierarchy, you know, cardinals and this and that, and they actually sent someone to wake up the Pope, when finally we just burst out laughing and they
realized that we weren't Henry Kissinger." But how were they able to do all of this with one electronic box made from Radio Shack parts?

Until the mid-1920s, most phones had no way of dialing. When your phone was on the hook, about 48 volts was connected from the exchange to your phone. Then, when you lifted the receiver, an internal circuit connected the speaker and microphone, drawing power, and that caused the voltage to drop to around 10 volts. At the telephone exchange, this drop turned on a light bulb, alerting the operator, who would then pick up and ask who you're calling. "Boston, sir? Get me the Bluebird Diner." After consulting a directory, they would connect a wire between your line and your friend's. Manually connecting calls was labor intensive. Operators had to handle hundreds of connections per hour. In 1910, one pundit said soon the telephone system will need to employ every working-age woman in the country as an operator. By 1950 there were more than a million of them in the US alone. To reduce costs, companies sought to automate the call connection process, and one solution was the rotary dial telephone. To use it, you place your finger in a number hole, rotate it to the end, and the dial rotates back. On the inside, a metal disc with ridges turns. Each ridge pushes two metal plates into contact, completing the circuit to the exchange. The dial sends pulses to match each number: for the number two it sends two pulses, for the number three it sends three pulses. This goes on up to 10 pulses for the number zero, which is why zero is at the far end of the dial instead of beside the one. Those pulses that travel down the phone line determine how your line is connected, so they're known as control signals. But as the length of the transmission line was increased, so did its capacitance and resistance, and this caused the clear input signals to become distorted, smoothing out voltage changes. So now the pulses couldn't trigger the switching at the exchange. While this wasn't a
problem for local calls, it made automating long distance almost impossible. Now, all phone lines, including long-distance ones, were built to carry sounds in the human voice and hearing range, mainly from 300 to 3,400 hertz. So why not use this built-in capability to carry control signals? To do this, phone companies introduced the touch-tone or push-button telephone. On a keypad, specific frequencies were assigned to the horizontal axis and the vertical axis, so that each button was uniquely identifiable by the combination of two tones. By sending control signals within the voice band, all telephone networks could receive it using their existing systems, independent of distance. But with this innovation came an opportunity for Jobs and Wozniak to exploit. When you made a long-distance call, it was first routed to a central node. This node communicated with a remote node, and they determined if a line was free by checking whether both sides were sending a 2600 Hz tone. So Jobs and Woz exploited this. First they would dial a toll-free 1-800 number, which would get them into a local node, and then they would send a 2600 Hz tone into the phone. This would trick the remote node into thinking the call had been disconnected, so the remote node would start playing the 2600 Hz tone again. But Jobs and Woz were still on the line, and when they stopped playing the tone on their side, the remote node assumed a new call was being placed. By sending a key pulse tone followed by the desired phone number and ending with a start tone, they could connect to any long-distance number for free, as the home node still believed it was connected to a toll-free number. The vulnerabilities in the signaling system were obvious. To mimic the 2600 Hz tone, some people would even use a toy whistle from a Cap'n Crunch cereal box; it just happened to make that frequency. The telephone companies clearly needed to develop a new signaling protocol, and their solution was to use a separate digital line for carrying control signals. That way, no one
could control the network by sending tones down the voice line, because it no longer controlled how the call was connected. This new protocol was called Signaling System Number 7, or SS7 for short, and it's still broadly in use today. But it may not be as secure as people thought.

"Hello, my name is Latifa Al Maktoum. I was..." Princess Latifa of Dubai claimed that her father, Sheikh Mohammed, the ruling emir, had held her in solitary confinement in the dark, beaten and sedated, for several years. In late February 2018, her Finnish martial arts instructor Tiina helped her escape. They fled to a yacht captained by former French intelligence officer Hervé Jaubert, and for eight days they sailed toward India. Latifa was hopeful, but it wasn't to last. Late on the night of March 4th, a dark boat pulled up alongside. It was sent by her father. Laser sights pierced the smoke as agents boarded the yacht, abducting Latifa and taking her back to Dubai. But how did they find her? Well, the captain had been the victim of a coordinated SS7 attack, one aiming to pinpoint his location and, by extension, the whereabouts of the princess. And I'm going to show you how, using the exact same steps to spy on my friends, with their permission of course.

This is Karsten Nohl and Alexandre De Oliveira. They are cybersecurity specialists who are helping me spy on Linus. We took three steps to spy on him: first, you have to infiltrate SS7; second, gain trust; and third, attack. Of course, the main reason any of this is possible is step one. When SS7 was introduced in 1980, mobile phones barely existed. They were so big that they were mainly just used as car phones. But things changed quickly. The number of mobile phones in the world exploded. "Roaming is one of the main use cases of SS7. Say, Derek, you visit me over here. Your phone would try to connect to a network that's foreign, and that network would then have to reach out to your home network in Australia, asking: is this a valid customer? Are you willing to pay for the charges that they'll incur on my
network? And all of that information is exchanged over SS7." For this to work, telcos need to communicate with each other, so the way they do that is by making sure they're part of the same club. The way they share membership to this club is by using unique addresses to identify where requests are coming from. "SS7 is a global network, just like the internet, and like on the internet, you need some addressing scheme. So you need some way of saying this is me and this is you. On the internet we use IP addresses; on SS7 we use what's called global titles, GTs." So to provide global roaming coverage, telcos typically establish agreements with two providers in each country they serve, one primary and one backup. Telcos generally accept messages only from global titles with which they have agreements. The whole system is designed to be a closed network with few barriers once inside. This is known as the walled garden approach. So this system seems pretty secure, and it was. When SS7 was developed in the '80s, the telecommunications landscape was dominated by a few large, reputable operators. These operators had established relationships and mutual interest in maintaining the integrity of the network. But 45 years on, the landscape has shifted dramatically. Now there are over 1,200 operators and 4,500 networks, many of which need SS7 access, from virtual network operators to mass text services sending Uber Eats notifications. There are so many more players in the garden that not all of them are trustworthy. "Those companies, some of them sell services on to third parties, some of them can be bribed, some of them can be hacked. So there's probably thousands of ways into SS7 at reasonable effort or cost." "How much are we talking? Like, how much would it cost to buy access to SS7?" "Buying a single SS7 connection isn't that expensive. We're talking a few thousand per month." "The people who do sell access, I mean, why would they do it?" "People sell SS7 access for one reason: money." And thanks to global agreements between
providers, accessing a trusted GT is like gaining access to all the GTs they have partnerships with. We even saw the invoice of a valuable US-based GT being leased illegally for $113,000 a month. "Are you buying access to SS7?" "I'm paying for access to SS7, yes, and we do that because we do SS7 security tests, so we need to be in a similar position as real hackers to get near real results." So step one, infiltrate SS7, is complete. On to step two: gain trust. Hackers today can try many different things once they've scaled the wall into the garden, but you need more than just SS7 access and a phone number to attack. "Even a trusted GT and the phone number of the target isn't enough to uniquely identify them. Now you need something from the SIM card." The real key in a mobile network is a unique 15-digit identifier which belongs exclusively to the SIM card on the phone. It's called an International Mobile Subscriber Identity, or IMSI for short, and it is very important. "Basically, to be able to collect the IMSI from a subscriber, we would launch some of the messages, such as SendRoutingInfo or SendRoutingInfoForSM. These messages are normally used to collect the IMSI." Networks have firewalls in place that will deny some requests if they look suspicious. Getting an IMSI is crucial to appear trusted. So let's move on to the critical step three: attack.

"Do you want to just, like, try the phone? Is there anything you can try to see if it works, like call someone or text someone?" "Sure, I'll call my wife. She normally picks up." "Yeah, she'll probably pick up." "Hello?" "Hello, Yvonne, this is the voice of your husband. I would like to talk to you about the payment." "Okay, bye." "No, no, it's me, it's me!" "Did she hang up on you?" "Yeah, yeah, she did." So we've established the phone works as a completely normal phone. "Do you have any important calls coming up?" "I don't know if I'd say it's important, but I'm on my way to Creator Summit tonight, and James from Hacksmith was going to call me, and we were going to kind of make some plans." "I'm
getting a call right now." "Are you getting a call?" "No." "Hello, this is Linus." "Hey Linus, it's James. How's it going?" "It's going really well. How are you?" "Pretty good. Am I going to see you at the YouTube Summit?" "Yes, I'm really looking forward to that. And man, do I hate Macs." "So I feel like that's your persona, man. You can't game on a Mac." "Linus, you want to talk?" "I would like to talk, but I never got the call. So what number did you dial?" "Is that your number, Linus?" "Yeah, but I didn't get it. Mine didn't even ring." "I heard it ring, but I heard it through my speakers on my computer, 'cause I assume it went to your phone." "That's right." "Or did it go to your computer?" "No, yeah, it went to everything of mine." "So yeah, James, I don't know. You called Linus and it went to me. Thank you for taking part in this weird demonstration." "There is absolutely nothing here to indicate that I was supposed to receive a call." "Yeah, and I mean, the crazy thing is that's like a regular Canadian SIM card in there. So any Canadian SIM card, in theory, could be vulnerable to such an attack where, you know, someone dials your number and it just doesn't go to you." "This is like phreaking, but on a completely different level." "That's exactly it." "Now, I'm familiar already with the concept of SIM swapping, where you social-engineer a way to get a SIM that is registered to someone else's account. We've actually had accounts stolen that way in the past. But in this case, my phone still works. Hello? Hey, so the demo we're doing is pretty trippy, hun. Basically, they had Hacksmith call me. My phone didn't ring at all, and instead Derek from Veritasium picked up the phone call and was able to talk to him, and Hacksmith had no idea that he called me, and then... Sorry, I'm with Cindy." "Oh, hi Cindy!" "Oh, you're not on speaker. Okay, that's fine. Just tell Cindy hi for me. Okay, bye." So how were we able to seize control of Linus's number like that? "When you put a phone number in your address book, you often don't put the country code, but then if you're in
a roaming scenario, that phone number would connect to a completely different person in the country you are currently in. So it does make sense to basically overrule people's choices as to whom they're trying to dial, because they're not going to triple-check each time whether their address book entries have country codes in them." This is a powerful function. By tricking the network into thinking his phone is roaming, we can rewrite the number he is calling to a number that we control. "And so what I did at the end, when I received this message, I sent back your number. That you can see here was your US-based number. So even if you were located in Australia, I was still able to forward the call to you on your US number in Australia." "That's amazing. You just try a few times and then it works, right?" "Yes. It's not always that simple, but this time it was quite difficult." "So the most important question I have now, then, is what did you need to steal from me in order to become me? Like, is this something you can social-engineer out of my carrier? Is this something that I would need to accidentally leak a screenshot of my IMEI?" "At the very simplest, all we would need is your phone number. That's it. You could even do something where I could act as a middleman, where I would reroute the call to me but also, simultaneously, I would dial for you the real number, and I would send you through to them, and then I can sit on the line and just record that call." "Yikes."

But this isn't the only attack. We can do a lot more with SS7. We can also intercept text messages. "As part of our suite of attacks, similar to phone calls, we can trick the network into thinking the target is roaming, which reroutes their messages to our GT. We can then steal one-time passwords used in two-factor authentication. This type of attack works until the subscriber interacts with their phone network, at which point the phone reconnects to the correct GT. But you need a few seconds only to hack into somebody's account. Of course,
you need that few-second window to receive a one-time password." So we actually set up a new Linus YouTube channel. "Okay, so theoretically he could get this username and password via a dump, because I'm a butthead and I use the same username and password across different accounts, or he could install a keylogger on my system. He could get it that way when I'm typing it in. So then I verify my number, but of course he has my number, because that's realistically not that hard to find. And theoretically I'm supposed to get a two-factor code right now, except..." "I got it: 82299." "I'm in." "He's in. He hacked the mainframe." "Wild." "Hey." "Yep, we can hack your YouTube account. I'm going to start posting science videos on Linus Tech Tips." "Oh, that's okay. I'm sure they'll get like 30 million views or whatever, so I'll be fine with it. Thanks for the AdSense deal." "And you could see the code right there." "Exactly, so you could see it at the bottom: 82299. So basically, once the interception is running, then I would receive any SMS sent." "He would never have known that he missed those messages or that they were intercepted." "Exactly." "Wow. Yeah, this seems pretty serious. I mean, SMS two-factor authentication is almost the default, right?" "Unfortunately, yes. It's not only the default, but in some cases it is the only available option, and sometimes that can even be for accounts that should be treated with the utmost of care, like a bank account."

There's a third method of attack that we weren't able to show Linus. Lucky for him, his network blocked the requests. On many networks, you can use the IMSI number and the switching center info we harvested in step two to send a command deeper into the network. By targeting the switching center where the device with the IMSI is connected, we can issue a command routinely used for legitimate purposes, such as routing and forwarding calls or providing emergency services based on the device's location. Using this request, we can track a target's location. It's not as hard as you'd think.
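The three steps described so far (get into SS7, harvest an IMSI from a trusted-looking GT, then send the location request) are also exactly what an operator's signalling firewall has to recognise. The following is an added example, not code from the video or from the researchers in it: a small Python triage script over constructed log lines that applies the partner-GT rule described above, refuses Anytime Interrogation outright as the German telcos did, and flags the burst pattern from the Latifa case (several IMSI lookups from more than one GT followed by a location request within a five-minute window). The log format, the Global Titles, the partner list and the MSISDN are all constructed for the demo; the MAP operation names (UpdateLocation, SendIMSI, SendRoutingInfoForSM, ProvideSubscriberInfo, AnyTimeInterrogation) are real MAP operations, but the page itself only names Anytime Interrogation and the SendRoutingInfo family.

```python
"""Toy SS7 signalling-firewall log triage (added example; constructed data).

Assumption: the home network logs every incoming MAP request as
"<UTC timestamp> <origin Global Title> <target MSISDN> <MAP operation>".
The GTs, partner list and sample log are constructed for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Global Titles this (hypothetical) home network has roaming agreements with:
# one primary and one backup per country, as the walled-garden model expects.
TRUSTED_GTS = {
    "441632960001", "441632960002",  # constructed: UK partners
    "33612345001", "33612345002",    # constructed: FR partners
}

# Operations used to harvest an IMSI (step two) and to locate a subscriber (step three).
IMSI_LOOKUPS = {"SendIMSI", "SendRoutingInfoForSM"}
LOCATION_LOOKUPS = {"ProvideSubscriberInfo", "AnyTimeInterrogation"}
WINDOW = timedelta(minutes=5)

# Constructed log: a partner's normal roaming traffic, then a burst of IMSI
# lookups from two unknown GTs followed by a location request, then an
# AnyTimeInterrogation that even a partner should never be sending.
SAMPLE_LOG = """\
2018-03-04T20:01:10 441632960001 15555550100 UpdateLocation
2018-03-04T20:02:05 33612345001 15555550100 SendRoutingInfoForSM
2018-03-04T21:10:00 5511900000001 15555550100 SendRoutingInfoForSM
2018-03-04T21:10:40 5511900000001 15555550100 SendIMSI
2018-03-04T21:11:15 3480000000002 15555550100 SendRoutingInfoForSM
2018-03-04T21:12:02 3480000000002 15555550100 ProvideSubscriberInfo
2018-03-04T21:13:30 441632960002 15555550100 AnyTimeInterrogation
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, gt, msisdn, op) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, gt, msisdn, op = line.split()
        records.append((datetime.fromisoformat(ts), gt, msisdn, op))
    return records


def triage(records, trusted=TRUSTED_GTS, window=WINDOW, min_lookups=3):
    """Return a list of alert tuples for the suspicious requests in `records`.

    Rule 1: AnyTimeInterrogation is refused from every GT, partner or not.
    Rule 2: anything else from a GT outside the partner list is refused.
    Rule 3: a location request preceded, within `window`, by at least
            `min_lookups` IMSI lookups from two or more GTs matches the
            multi-GT harvesting pattern described for the Latifa case.
    """
    alerts = []
    by_target = defaultdict(list)
    for ts, gt, msisdn, op in records:
        if op == "AnyTimeInterrogation":
            alerts.append(("ati_refused", gt, msisdn))
        elif gt not in trusted:
            alerts.append(("untrusted_gt", gt, msisdn, op))
        by_target[msisdn].append((ts, gt, op))

    for msisdn, events in by_target.items():
        events.sort()  # chronological; timestamps are unique in the sample
        for i, (ts, gt, op) in enumerate(events):
            if op not in LOCATION_LOOKUPS:
                continue
            earlier = [(t, g, o) for t, g, o in events[:i]
                       if ts - t <= window and o in IMSI_LOOKUPS]
            origins = {g for _, g, _ in earlier}
            if len(earlier) >= min_lookups and len(origins) >= 2:
                alerts.append(("tracking_pattern", msisdn, len(earlier), len(origins)))
    return alerts


if __name__ == "__main__":
    for alert in triage(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample log the partner's UpdateLocation and SendRoutingInfoForSM pass silently, the four requests from the two unknown GTs are refused individually, the partner's AnyTimeInterrogation is refused regardless of trust, and both location requests are additionally reported as a tracking pattern because three IMSI lookups from two different GTs preceded them inside the window. Rule 3 is the one worth keeping even when Rules 1 and 2 are already enforced: in the Latifa case the individual requests were blocked and logged, and it was the cross-GT sequence, not any single message, that told the story.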
SS7 doesn't even rely on GPS to locate someone. In fact, it was invented before GPS was even in public use. One way to do this is, if a target is in range of multiple cell towers, their location can be narrowed down to where the signals overlap. The more towers in range, the more precise the location. A more accurate method measures the time it takes for signals to reach a phone from three towers. By calculating the distance based on transmission speed, we can pinpoint an exact location on a 2D plane. But SS7 attacks don't use either of these methods. They try to be subtle. An SS7 location request simply identifies the cell tower the target is connected to. In an urban area with many towers, this can place them to within 100 m. "You would definitely know which city block somebody is in, and if you wanted to, for instance, find out whether they're at home or at work, this is a great way to do it." "Yeah, that's... it's a little bit scary." In 2016, Karsten and his team used this method to track US Congressman Ted Lieu. "The congressman has been in California, more specifically the LA area. Let's zoom in here a little bit." So that is how we did it. We executed three steps: we infiltrated SS7, gained trust, and attacked. We intercepted Linus's phone calls and text messages. I'm not sure he was as excited about it as I was. "This is why we can't have nice things."

Up until now, this has just been a bit of fun. I've demonstrated these attacks on a friend of mine, but the threats are real, and they can have devastating consequences. "They will kill her," the captain texted shortly before Latifa was abducted. His phone was the target of an SS7 attack that involved all three of the steps we explored. To start, the attackers had leased multiple GTs in different countries. Then the following all happened in a five-minute window. First, they sent at least seven separate requests in to get the captain's IMSI from his US-based operator. When that didn't seem to work, they followed up with at least four location requests. So did it
work? Well, all of these requests were blocked by firewalls. That's why we have all the details. But there was a sixth GT we haven't shown, this one nearby in the US. We have no information about the requests on this GT, because they likely weren't stopped. We spoke with Crofton Black, the investigative journalist who revealed the SS7 exploits in this story, and this is what he told us: "It's a brilliant example of SS7 involvement, because it illustrates a classic, sophisticated pattern of attack: multiple GTs in multiple countries. It's a textbook example of telco penetration risks. Though, because the Emiratis were also using other software like Pegasus and other hardware like spotter planes, we can't say that any single one of these was the thing that led to her being found. But the evidence is damning." And SS7 is used pretty widely. Criminals have used SS7 to intercept SMS two-factor authentication codes and empty millions of dollars from bank accounts. For some, SS7 is just the first step. The NSO Group, a notorious Israeli cyber surveillance firm, acquired an SS7 tracking company in 2014. NSO is the company behind Pegasus, a spyware tool that gains complete access to targeted phones without a user clicking anything, embedding itself and erasing traces of entry. Such zero-click hacks are costly. They can cost more than $4 million per exploit. Before NSO commits resources targeting specific software or vulnerabilities on a phone, first they gather basic data like device type and software version to make their lives easier, and as you've seen with SS7, this isn't hard. One expert we spoke to tested a foreign network and found 20 to 30 VIPs were constantly under surveillance there, including the country's chief of cybersecurity. Accurate data on tracking is difficult to come by, but another expert provided evidence of more than 2.5 million tracking attempts per year, though they reminded us that the people being targeted are generally those of interest to state agencies. Now, we couldn't find data on
interception attempts, but luckily experts told us this is far less common. So millions of malicious SS7 requests are sent each year, but it used to be even worse. To request location over SS7, you used to be able to send a command without even knowing the IMSI, and the network would just provide it to you, no questions asked. "The classical example is the Anytime Interrogation request, which, as the name already suggests, is kind of a creepy command. I don't believe there's ever a legitimate purpose for one network to send this command to another network, interrogating about their customers." Karsten Nohl and fellow security researcher Tobias Engel exposed these vulnerabilities publicly in 2014. "The SS7 research that was disclosed in 2014 was a wake-up call to the industry. Most people had heard rumors that SS7 tracking and spying was possible, but they hadn't really seen hard evidence of it, and especially how easy it is, that a ragtag gang of hackers from Berlin with very amateur means can do any type of SS7 hacking that they want." After their conference, all of the German telcos immediately started refusing these requests. "Anytime Interrogation is the first SS7 command everyone stopped, because it was abused a lot and never used constructively. But there are over 150 other messages that need to be stopped as well to make SS7 completely secure." So if there are so many ways to abuse SS7, why haven't we gotten rid of it? Well, because it's the backbone of 2G and 3G communications. So what if we phase out 2G and 3G? Well, that has caused problems. Since 2018, cars in the EU are equipped with mandatory emergency call buttons that trigger in an accident. They need a SIM card to work, and to cut costs, guess what auto manufacturers are using? That's right: 2G and 3G SIM cards using SS7. "You have to have that legacy support, or when 4G connectivity drops, you have absolutely nothing left." "Dude, the number of times that I'm on 3G, not insignificant, and I'm in a metropolitan area." What's surprising, of course, is that there
hasn't been a global push yet to replace SS7 with one of the two newer versions of the technology, the latest of which, introduced with 5G, seems pretty secure. "But that's now a problem of first-mover disadvantage. So, because of the network effects, you get nothing out of adopting a technology as the first guy. You want to be the last one, when everyone else is already connected and you get the full benefit from also joining the club." So even though the 5G signaling protocol can stop the attacks completely, and many networks are using 5G technology on their networks, when routing calls between networks, SS7 is still the de facto standard. "You create a tremendous amount of inertia, to use a term that's probably more your channel than my channel, that makes moving on extremely difficult. So unless there are some new major events that put this back on the public radar, it could be another 10, 15, maybe even 20 years until SS7 networks are finally switched off." What's crazy is that we exploited these vulnerabilities, and I'm just a YouTuber. I did have the help of some excellent security researchers, but I'm surprised at how easy it all is. Now imagine if I had the backing of a government. This is a real problem.

So what can you do to protect yourself? On the personal side, as long as you have a SIM card, unfortunately there's not much you can do about location tracking. If possible, choose alternatives to SMS-based two-factor authentication so messages can't be intercepted: use an authenticator app or hardware tokens. And if you're worried about phone tapping, use encrypted internet-based calling services like Signal or WhatsApp. We've been told that this is mainly used on people of interest, so should it really matter to you? "SS7 is a huge privacy intrusion, and there's millions of abuse cases every single month. Whether privacy intrusion is a problem for everyone individually is, of course, almost a philosophical question, right? Somebody who grew up more in the Berlin tradition of the Chaos
Computer Club, like myself, strongly believes that privacy and the ability to kind of form your own thoughts without being observed is a prerequisite for democracy. But many other people would argue: nothing to hide, nothing to fear." Our technological world will never be perfect. By the time we secure or replace SS7, vulnerabilities will already have been found in the new system. But luckily there's an easy way to be ready for whatever the future holds: build your knowledge and problem-solving skills a little bit every day, and you can start doing that right now for free with this video's sponsor, Brilliant.

Brilliant has thousands of interactive lessons where you can learn by doing, making you a better thinker and problem solver. You build real skills in everything from math and data analysis to technology and programming, you name it. Brilliant is designed to be uniquely effective. Their first-principles approach helps you build understanding from the ground up, so you'll not only gain knowledge of key concepts, you'll learn to apply them to real-world situations, all while building your intuition, giving you the tools to solve whatever problems come your way. Brilliant's new course on data clustering, for example, equips you with the same tools security researchers like Karsten used to spot trends among the billions of SS7 messages. This is really helpful when hunting hackers, but the concepts you'll learn also help in navigating a world where data influences everything from what movies are being recommended to national politics. And one of the best things about Brilliant is, since every lesson is bite-sized, you can build your skills and sharpen your mind whenever and wherever you have a few minutes, helping you build a daily learning habit that sticks, the opposite of mindless scrolling. To try everything Brilliant has to offer for free for 30 days, visit brilliant.org/veritasium, or you can scan the QR code or click that link in the description. You'll also get 20% off an annual premium
subscription. So I want to thank Brilliant for sponsoring this video, and I want to thank you for watching.