How to tap into phones without a warrant

An architectural flaw in the software allows certain individuals to access private calls, messages, even bank accounts

So you heard about the latest snooping scam, which implicates business houses and politicians for collusion, AKA good old-fashioned corruption. Did you wonder how so many phone numbers across (presumably) multiple networks got tapped and recorded? Legally, there is only one way to tap a phone. The police get a warrant from the courts and then go to the network operator, who intercepts the calls and allows the police to sit in and take away the recording.

But did you know that once you are inside the network operator as an administrator, you can listen in to any unsecured phone in the world? No warrant required. That could be a businessman talking about a high-stakes deal or talking to his wife. All you need is a number and a compliant network admin (or a hacker who has hacked a participating telco sitting halfway around the world) who can hear the conversation, intercept texts and also potentially hijack email addresses, social media accounts, bank accounts and anything else that uses your phone as a verification method. In other words, the one-time password (OTP) security measure is not foolproof.

How is this possible?

The answer lies in something called Signalling System No. 7 (SS7), developed in 1975, which underpins modern telephony. It allows over 800 telecom operators to connect and disconnect calls across networks (and also provide services such as roaming, prepaid billing, SMS, etc.).

There are certain flaws in the SS7 architecture that allow this. These flaws have been known to security and intelligence firms for a long time and have been used to eavesdrop on conversations and to collect locations and metadata. In 2008, these flaws were revealed to the general telecom trade. Ever since, telcos and governments have sporadically implemented the fixes. But as a general rule, they remain unfixed, as governments and intelligence agencies want this easy gateway to eavesdropping.

Three months ago, a US lawmaker (and before that, an Australian lawmaker) gave permission to a German security firm to demonstrate this. The firm then promptly started tracking the senator in real time and recorded calls and SMSes with a reporter. All this was done for a TV show and with explicit permission. Such a firm, or a hacker with access to a telco, or a rogue admin at a telco, can, at will, listen in to any call in the world. That includes you and me.

How does this affect you?

Apart from your daily business and mundane calls and SMSes, if you have activated a number with your Facebook account, this vulnerability allows one to hijack your Facebook/Twitter/email account by a simple PIN request via SMS. Your Facebook account can be used as login credentials on thousands of sites, so now even they are potentially compromised.

Banks use an SMS-based OTP service (mandated in many transactions by RBI). Once you are the target of a hacker or a government agency, your account could be drained of funds very quickly without you coming to know about it.

What can you do to prevent it?

Unfortunately, not much. You can call up your telco and enquire about whether they’ve patched the SS7 vulnerability. But even if they have, your phone may still be vulnerable due to some other network not following protocol. The only thing you can really do is keep an eagle eye on account activity and hope no one is out to get you.

Your best bet would be to use apps that use end-to-end encryption for voice and text messages, like Skype, WhatsApp and Viber, amongst others. Keep in mind, some of these provide the ability to call landlines and mobiles directly. Those calls are not encrypted.

If the thought of a hacked telco or a rogue admin didn’t give you the chills, there is an Israeli firm that, for $20 million, will provide a turnkey solution that allows you to listen in to such calls anywhere in the world. All you need is a phone number.

