Hackers use Congressman’s iPhone to demo ability to listen into calls, monitor texts, track location
9 to 5 Mac ^ | April 18, 2016 | By Ben Lovejoy

Posted on 04/18/2016 6:31:09 PM PDT by Swordmaker

CBS correspondent Sharyn Alfonsi, left, with hacker Karsten Nohl

Update: Rep. Ted Lieu has now written to the Chairman of the House Committee on Oversight and Government Reform requesting a formal investigation into the vulnerability. In his letter, the Congressman says that the flaw threatens ‘personal privacy, economic competitiveness and U.S. national security.’ The full text of his letter can be found at the bottom of the piece.

Apple may take iOS security so seriously that it’s willing to do battle with the FBI over it, but German hackers have demonstrated that all phones – even iPhones – are susceptible to a mobile network vulnerability that requires nothing more than knowing your phone number. Armed with just that, hackers can listen to your calls, read your texts and track your position.

60 Minutes invited the hackers to prove their claims by giving a brand new iPhone to Congressman Ted Lieu – who agreed to participate in the test – and telling the hackers nothing more than the phone number. The hackers later replayed recordings they’d made of calls made on that iPhone …

Rep. Ted Lieu said that he was shocked by what the hackers had been able to achieve.

Last year, the president of the United States called me on my cellphone. And we discussed some issues. So if the hackers were listening in, they would know that phone conversation [and the President’s mobile number]. And that’s immensely troubling.

Nohl said that the SS7 vulnerability was well-known in some quarters, and that there was a reason it hasn’t yet been fixed.

The ability to intercept cellphone calls through the SS7 network is an open secret among the world’s intelligence agencies – including ours – and they don’t necessarily want that hole plugged.

Lieu said that this was totally unacceptable.

The people who knew about this flaw and saying that should be fired. You cannot have 300-some million Americans – and really, right, the global citizenry – be at risk of having their phone conversations intercepted with a known flaw, simply because some intelligence agencies might get some data. That is not acceptable.

While the court battle between Apple and the FBI is over, they will again face off in Congress tomorrow. Apple general counsel Bruce Sewell and FBI executive assistant director Amy Hess will testify on separate panels before House Energy and Commerce subcommittee. Separately, two members of the Senate Intelligence Committee have proposed a bill to force tech companies to decrypt devices for law enforcement, though one Senator has vowed to block the legislation with a filibuster.



TOPICS: Computers/Internet
KEYWORDS: applepinglist; iphone; mobilephones; security; windowspinglist

1 posted on 04/18/2016 6:31:09 PM PDT by Swordmaker

To: dayglored; ShadowAce; ThunderSleeps; ~Kim4VRWC's~; 1234; 5thGenTexan; Abundy; Action-America; ...
This really has nothing to do with Apple iPhones. This vulnerability is in the carrier networks and ALL cellular phones and ALL mobile communications carried by those networks! It allows any hacker who knows your phone number to listen in on your phone calls, your standard messaging (not on Apple iMessaging, which is encrypted), and to track your location. This is BAD! — PING!

Pinging dayglored, ThunderSleeps, and Shadow Ace for a very important message from the hacking community!


Mobile Communications OOPS!
Ping!

The latest Apple/Mac/iOS Pings can be found by searching Keyword "ApplePingList" on FreeRepublic's Search.

If you want on or off the Mac Ping List, Freepmail me

2 posted on 04/18/2016 6:38:02 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue..)

To: Swordmaker
http://www.protocols.com/pbook/appletalk/ss7/

SS7 Protocol Suite

This page describes the following SS7 protocols:

BICC   Bearer Independent Call Control protocol
BISUP  B-ISDN User Part
DUP    Data User Part
ISUP   ISDN User Part
MAP    Mobile Application Part
MTP-2  Message Transfer Part Level 2
MTP-3  Message Transfer Part Level 3
Q2140  Recommendation Q.2140
SCCP   Signalling Connection Control Part
TCAP   Transaction Capabilities Application Part
TUP    Telephone User Part

CCITT developed the Signalling System 7 (SS7) specification. SS7 is a common channel signalling system. This means that one channel is used only for sending the signalling information, whether the system has one bearer channel or multiple bearer channels. The hardware and software functions of the SS7 protocol are divided into layers which loosely correspond to the OSI 7 layer model.

BICC   ITU-T Q.1901

Bearer Independent Call Control protocol is a call control protocol used between serving nodes. This protocol is based on the ISUP protocol, and was adapted to support the ISDN services independent of the bearer technology and signalling message transport technology used. The format of the BICC packet is shown in the following illustration:

 8   7   6   5   4   3   2   1    Octet
+-------------------------------+
|           CIC (LSB)           |    1
|           CIC                 |    2
|           CIC                 |    3
|           CIC (MSB)           |    4
|         Message Type          |    5
+-------------------------------+

BICC packet structure
Routing Label
The label contained in a signalling message, and used by the relevant user part to identify particulars to which the message refers. It is also used by the Message Transfer Part to route the message towards its destination point.

Call Instance Code (CIC)
The allocation of call instance codes to individual circuits is determined by bilateral agreement and/or in accordance with applicable predetermined rules.

Message Type Code
The message type code consists of a one octet field and is mandatory for all messages. The message type code uniquely defines the function and format of each ISDN User Part message. Each message consists of a number of parameters. Message types may be:

 6  Address complete
 9  Answer
44  Call progress
24  Circuit group blocking
26  Circuit group blocking acknowledgement
23  Circuit group reset
41  Circuit group reset acknowledgement
25  Circuit group unblocking
27  Circuit group unblocking acknowledgement
 7  Connect
 5  Continuity
47  Confusion
32  Facility accepted
33  Facility reject
31  Facility request
 8  Forward transfer
 1  Initial address
12  Release
16  Release complete
18  Reset circuit
14  Resume
 2  Subsequent address
13  Suspend
45  User-to-user information

Parameters
Each parameter has a name which is coded as a single octet. The length of a parameter may be fixed or variable, and a length indicator for each parameter may be included.
BISUP   Recommendation Q.2763 (02/95). http://www.itu.int/ITU-T/

The B-ISDN User Part (B-ISUP) is applicable to international B-ISDN networks. In addition, the B-ISDN User Part is suitable for national applications. Most messages and parameters specified for international use are also required in typical national applications. Moreover, coding space has been reserved in order to allow national administrations and recognized operating agencies to introduce network specific signalling messages and parameters within the internationally standardized protocol structure.

B-ISDN user part messages are carried on the ATM signalling link by means of S-AAL service data units, the format of which is described in 6.2/Q.2110. As a national option B-ISDN user part messages can be carried on the STM signalling link by means of signal units, the format of which is described in 2.2/Q.703. The format of, and the codes used in the service information octet are described in 14.2/Q.704. The service indicator for the B-ISDN user part is coded 1001.

The signalling information field of each message signal unit containing a B-ISDN user part message consists of an integral number of octets and encompasses the following parts:

a) routing label;
b) message type code;
c) message length;
d) message compatibility information;
e) message content.

The structure of the B-ISUP protocol is as follows:
 8     7     6     5     4     3     2     1     Octets
+-----------------------------------------------+
|                 Message Type                  |   1
|                                               |   2
|               Length Indicator                |
|                                               |   3
| Ext. | B/N  | Pass | Disc | Send | Rel  | Tr  |   4
|      | intw | on   | msg  | notif| call | int |
+-----------------------------------------------+

Octet 4 fields, left to right: Ext. (extension bit), Broadband/narrow-band interworking ind, Pass on not possible ind, Discard message ind, Send notification ind, Release call ind, Transit at intermed exch. ind.
Message Type
The different message types. The following message types are available:
0x01 INITIAL ADDRESS
0x02 SUBSEQUENT ADDRESS
0x05 CONSISTENCY CHECK REQUEST
0x06 ADDRESS COMPLETE
0x08 FORWARD TRANSFER
0x09 ANSWER
0x0A IAM ACKNOWLEDGE
0x0B IAM REJECT
0x0C RELEASE
0x0D SUSPEND
0x0E RESUME
0x0F RESET ACKNOWLEDGE
0x10 RELEASE COMPLETE
0x11 CONSISTENCY CHECK REQ ACK
0x12 RESET
0x13 BLOCKING
0x14 UNBLOCKING
0x15 BLOCKING ACKNOWLEDGE
0x16 UNBLOCKING ACKNOWLEDGE
0x17 CONSISTENCY CHECK END
0x18 CONSISTENCY CHECK END ACK
0x2C CALL PROGRESS
0x2D USER-TO-USER INFORMATION
0x2F CONFUSION
0x32 NET RESOURCE MANAGEMENT
0x34 USER PART TEST
0x35 USER PART AVAILABLE
0x38 SEGMENTATION
Message Length
The message length in octets.

Broadband/narrow-band Interworking Ind
The following indicators are available:
0   Pass on
1   Discard message
2   Release call
3   Reserved

Pass on not Possible Indicator
The following indicators are available:
0   Release call
1   Discard information

Discard Message Indicator
The following indicators are available:
0   Do not discard message
1   Discard message

Send Notification Indicator
The following indicators are available:
0   Do not send notification
1   Send notification

Release call indicator
The following indicators are available:
0   Do not release call
1   Release call

Transit at intermed exch. Indicator
The following indicators are available:
0   Transit interpretation
1   End node interpretation


DUP   ITU-T recommendation X.61 (Q.741) http://www.itu.int/itudoc/itu-t/rec/q/q500-999/q741.html  

The Data User Part (DUP) defines the necessary call control, and facility registration and cancellation related elements for international common channel signalling by use of Signalling System No. 7 for circuit-switched data transmission services. The data signalling messages are divided into two categories:  

    • Call and circuit related messages: used to set up and clear a call or control and supervise the circuit state.
    • Facility registration and cancellation related messages: used to exchange information between originating and destination exchanges to register and cancel information related to user facilities.
 

The general format of the header of call and circuit related messages is shown as follows:  

 15                          8  7                           0
 +-----------------------------+-----------------------------+
 |             OPC             |             DPS             |
 |             BIC             |             OPC             |
 |             TSC             |             BIC             |
 | Message specific parameters |        Heading code         |
 +-----------------------------+-----------------------------+
 

The general format of the header of facility registration and cancellation messages is shown as follows:  

 15                          8  7                           0
 +-----------------------------+-----------------------------+
 |             OPC             |             DPS             |
 |         Spare bits          |             OPC             |
 | Message specific parameters |        Heading code         |
 +-----------------------------+-----------------------------+
 

Routing Label
The label contained in a signalling message and used by the relevant user part to identify particulars to which the message refers. This is also used by the message transfer part to route the message towards its destination point. It contains the DPS, OPC, BIC and TSC fields.

DPS
The destination point code (14 bits) is the code applicable to the data switching exchange to which the message is to be delivered.

OPC
The originating point code (14 bits) is the code applicable to the data switching exchange from which the message is sent.

BIC
Bearer identification code (12 bits). For bearers which form part of a 2.048 Mbit/s PCM system according to Recommendation G.734, the bearer identification code contains in the 5 least significant bits a binary representation of the actual number of the time slot which is assigned to the bearer. The remaining bits of the bearer identification code are used where necessary, to identify one among several systems, interconnecting the originating point and destination point. For bearers which form part of a 8.448 Mbit/s PCM system the bearer identification code is coded in accordance with the scheme specified for the circuit identification code for the corresponding case in Recommendation Q.723.

TSC
Time slot code (8 bits). If the data circuit is derived from the data multiplex carried by the bearer, identified by the bearer identification code:

Bits 1-4 contain, in pure binary representation, the channel number of the circuit within the 12.8 kbit/s or 12 kbit/s phase; the channel number being in the range:
0-15 for 600 bit/s circuits
0-3 for 2400 bit/s circuits
0-1 for 4800 bit/s circuits
0 for 9600 bit/s circuits

Bits 5-7 contain, in pure binary representation, the number of the 12.8 kbit/s or 12 kbit/s phase, the phase number being in the range 0-4;  

Bit 8 is coded 0.  

In the case where the data circuit uses the full 64 kbit/s bearer rate, the time slot code will be 01110000.

Heading code
The heading code (4 bits) contains the message type code which is mandatory for all messages. It uniquely defines the function and format of each DUP message.

Message specific parameters
Contains specific fields for each message.

Spare bits
Not used, should be set to “0000”.

ISUP   Q.763 http://www.itu.int/itudoc/itu-t/rec/q/q500-999/q763_23976.html  

ISUP is the ISDN User Part of SS7. ISUP defines the protocol and procedures used to setup, manage and release trunk circuits that carry voice and data calls over the public switched telephone network. ISUP is used for both ISDN and non-ISDN calls. Calls that originate and terminate at the same switch do not use ISUP signalling. ISDN User Part messages are carried on the signalling link by means of signal units. The signalling information field of each message signal unit contains an ISDN User Part message consisting of an integral number of octets.  

The format of the ISUP packet is shown in the following illustration:  

+--------------------------------------+
| Routing label                        |
| Circuit identification code          |
| Message type code                    |
| Mandatory fixed part (Parameters)    |
| Mandatory variable part (Parameters) |
| Optional part (Parameters)           |
+--------------------------------------+

ISUP packet structure
 
 

Routing label The label contained in a signalling message, and used by the relevant user part to identify particulars to which the message refers. It is also used by the Message Transfer Part to route the message towards its destination point.  

Circuit identification code The allocation of circuit identification codes to individual circuits is determined by bilateral agreement and/or in accordance with applicable predetermined rules.  

Message type code
The message type code consists of a one octet field and is mandatory for all messages. The message type code uniquely defines the function and format of each ISDN User Part message. Each message consists of a number of parameters. Message types may be:

Address complete
Answer
Blocking
Blocking acknowledgement
Call progress
Circuit group blocking
Circuit group blocking acknowledgement
Circuit group query @
Circuit group query response @
Circuit group reset
Circuit group reset acknowledgement
Circuit group unblocking
Circuit group unblocking acknowledgement
Charge information @
Confusion
Connect
Continuity
Continuity check request
Facility @
Facility accepted
Facility reject
Forward transfer
Identification request
Identification response
Information @
Information request @
Initial address
Loop back acknowledgement
Network resource management
Overload @
Pass-along @
Release
Release complete
Reset circuit
Resume
Segmentation
Subsequent address
Suspend
Unblocking
Unblocking acknowledgement
Unequipped CIC @
User Part available
User Part test
User-to-user information

Parameters
Each parameter has a name which is coded as a single octet. The length of a parameter may be fixed or variable, and a length indicator for each parameter may be included.

MAP   EIA/TIA-41 http://www.tiaonline.org.com

Mobile Application Part (MAP) messages sent between mobile switches and databases to support user authentication, equipment identification, and roaming are carried by TCAP. In mobile networks (IS-41 and GSM), when a mobile subscriber roams into a new mobile switching center (MSC) area, the integrated visitor location register requests service profile information from the subscriber’s home location register (HLR) using MAP (mobile application part) information carried within TCAP messages.

The packet consists of a header followed by up to four information elements. The general format of the header is shown in the following illustration:

+---------------------+----------+--------------------+
|       1 byte        |  1 byte  |                    |
| Operation specifier |  Length  |  MAP Parameters …  |
+---------------------+----------+--------------------+

MAP header structure
 
Operation specifier
The type of packet. The following operations are defined:
    • AuthenticationDirective
    • AuthenticationDirectiveForward
    • AuthenticationFailureReport
    • AuthenticationRequest
    • AuthenticationStatusReport
    • BaseStationChallenge
    • Blocking
    • BulkDeregistration
    • CountRequest
    • FacilitiesDirective
    • FacilitiesDirective2
    • FacilitiesRelease
    • FeatureRequest
    • FlashRequest
    • HandoffBack
    • HandoffBack2
    • HandoffMeasurementRequest
    • HandoffMeasurementRequest2
    • HandoffToThird
    • HandoffToThird2
    • InformationDirective
    • InformationForward
    • InterSystemAnswer
    • InterSystemPage
    • InterSystemPage2
    • InterSystemSetup
    • LocationRequest
    • MobileOnChannel
    • MSInactive
    • OriginationRequest
    • QualificationDirective
    • QualificationRequest
    • RandomVariableRequest
    • RedirectionDirective
    • RedirectionRequest
    • RegistrationCancellation
    • RegistrationNotification
    • RemoteUserInteractionDirective
    • ResetCircuit
    • RoutingRequest
    • SMSDeliveryBackward
    • SMSDeliveryForward
    • SMSDeliveryPointToPoint
    • SMSNotification
    • SMSRequest
    • TransferToNumberRequest
    • TrunkTest
    • TrunkTestDisconnect
    • Unblocking
    • UnreliableRoamerDataDirective
    • UnsolicitedResponse
 

Length
The length of the packet.

MAP parameters
Various parameters dependent on the operation.

MTP-2   Q.703 http://www.itu.int/itudoc/itu-t/rec/q/q500-999/q703_24110.html

Message Transfer Part – Level 2 (MTP-2) is a signalling link which together with MTP-3 provides reliable transfer of signalling messages between two directly connected signalling points. (Compliant with ITU Q.703 1994 and ANSI T1.111 199.)  

The format of the header is shown in the following illustration:  

+--------+--------+-----+--------+-----+------------------+-----+-----+----------+--------+
|  Flag  |  BSN   | BIB |  FSN   | FIB |        LI        | SIO | SIF | Checksum |  Flag  |
| 8 bits | 7 bits |  1  | 7 bits |  1  | 6 bits + 2 spare |  8  |     | 16 bits  | 8 bits |
+--------+--------+-----+--------+-----+------------------+-----+-----+----------+--------+

MTP-2 header structure
 

BSN Backward sequence number. Used to acknowledge message signal units which have been received from the remote end of the signalling link.  

BIB Backward indicator bit. The forward and backward indicator bit together with forward and backward sequence number are used in the basic error control method to perform the signal unit sequence control and acknowledgment functions.  

FSN Forward sequence number.  

FIB Forward indicator bit.  

LI Length indicator. This indicates the number of octets following the length indicator octet.  

SIO Service information octet.  

SIF Signalling information field.  

Checksum Every signal unit has 16 check bits for error detection.  


 

MTP-3   Q.704 http://www.itu.ch/itudoc/itu-t/rec/q/q500-999/q704_27792.html  

Message Transfer Part – Level 3 (MTP-3) connects Q.SAAL to the users. It transfers messages between the nodes of the signalling network. MTP-3 ensures reliable transfer of the signalling messages, even in the case of the failure of the signalling links and signalling transfer points. The protocol therefore includes the appropriate functions and procedures necessary both to inform the remote parts of the signalling network of the consequences of a fault, and appropriately reconfigure the routing of messages through the signalling network.  

The structure of the MTP-3 header is shown in the following illustration:  

+-------------------+-------------------+
| Service indicator | Subservice field  |
|      4 bits       |      4 bits       |
+-------------------+-------------------+

MTP-3 header structure
 
Service indicator
Used to perform message distribution and in some cases to perform message routing. The service indicator codes are used in international signalling networks for the following purposes:

Sub-service field
The sub-service field contains the network indicator and two spare bits to discriminate between national and international messages.


Q2140   Recommendation Q.2140. http://www.itu.int/ITU-T/

The SSCF for NNI Signaling standard consists of the Service Specific Coordination Function (SSCF) in conjunction with the Service Specific Connection Oriented Protocol (SSCOP) which defines the Service Specific Convergence Sublayer (SSCS). The purpose of the Service Specific Coordination Function is to enhance the services of SSCOP to meet the needs of the requirements of the NNI level 3 protocol. In addition the SSCF at the NNI provides communication with Layer Management for proper operation of signalling links.

The SSCF at the NNI is the uppermost sub-layer in the protocol stack for the SAAL at the NNI. By construction, it utilizes the services of the underlying SAAL sub-layers, in combination with its own functions, to provide an overall SAAL service to the SAAL user, as described below. The SAAL at the NNI provides signalling link functions for the transfer of signalling messages over one individual signalling data link. The SAAL functions provide a signalling link for reliable transfer of signalling messages between two signalling points. A signalling message delivered by the higher levels is transferred over the signalling link in variable length Protocol Data Units (PDUs). For proper operation of the signalling link, the PDU comprises transfer control information in addition to the information content of the signalling message.

The protocol header structure is as follows:

 8   7   6   5   4   3   2   1    Octets
+-------------------------------+
|           Reserved            |    1
|                               |    2
|                               |    3
|          SSCF Status          |    4
+-------------------------------+

SSCF Type
The SSCF status:
1    Out of Service
2    Processor Outage
3    In Service
4    Normal
5    Emergency
7    Alignment Not Successful
8    Management Initiated
9    Protocol Error
10   Proving Not Successful
 
SCCP   Q.713 http://www.itu.int/itudoc/itu-t/rec/q/q500-999/q713_23786.html

The Signalling Connection Control Part (SCCP) offers enhancements to MTP level 3 to provide connectionless and connection-oriented network services, as well as to address translation capabilities. The SCCP enhancements to MTP provide a network service which is equivalent to the OSI Network layer 3. (Compliant with the ITU specification Q.713, ITU-T: Signalling System No. 7 SCCP Formats And Codes 03-93 SS7 Basics/ Toni Beninger/ S038 1991 ANSI T1.112.)  

The format of the header is shown in the following illustration:  

+-------------------------+
| Routing label           |
| Message type code       |
| Mandatory fixed part    |
| Mandatory variable part |
| Optional part           |
+-------------------------+

SCCP header structure
 
Routing label
A standard routing label.

Message type code
A one octet code which is mandatory for all messages. The message type code uniquely defines the function and format of each SCCP message. Existing Message Type Codes are:
CR Connection Request.
CC Connection Confirm.
CREF Connection Refused.
RLSD Released.
RLC Release Complete.
DT1 Data Form 1.
DT2 Data Form 2.
AK Data Acknowledgment.
UDT Unidata.
UDTS Unidata Service.
ED Expedited Data.
EA Expedited Data Acknowledgment.
RSR Reset Request.
RSC Reset Confirm.
ERR Protocol Data Unit Error.
IT Inactivity Test.
XUDT Extended Unidata.
XUDTS Extended Unidata Service.
 

Mandatory fixed part
The parts that are mandatory and of fixed length for a particular message type will be contained in the mandatory fixed part.

Mandatory variable part
Mandatory parameters of variable length will be included in the mandatory variable part. The name of each parameter and the order in which the pointers are sent is implicit in the message type.

Optional part
The optional part consists of parameters that may or may not occur in any particular message type. Both fixed length and variable length parameters may be included. Optional parameters may be transmitted in any order. Each optional parameter will include the parameter name (one octet) and the length indicator (one octet) followed by the parameter contents.


TCAP   Q.773 http://www.itu.int/itudoc/itu-t/rec/q/q500-999/q773_24880.html

TCAP (Transaction Capabilities Application Part) enables the deployment of advanced intelligent network services by supporting non-circuit related information exchange between signalling points using the SCCP connectionless service. TCAP messages are contained within the SCCP portion of an MSU. A TCAP message is comprised of a transaction portion and a component portion. (Compliant with ITU recommendation q.773.)  

A TCAP message is structured as a single constructor information element consisting of the following: Transaction Portion, which contains information elements used by the Transaction sub-layer; a Component Portion, which contains information elements used by the Component sub-layer related to components; and, optionally, the Dialogue Portion, which contains the Application Context and user information, which are not components. Each Component is a constructor information element.  

+-----+--------+----------+
| Tag | Length | Contents |
+-----+--------+----------+

TCAP packet structure

Information Element
An information element is first interpreted according to its position within the syntax of the message. Each information element within a TCAP message has the same structure. An information element consists of three fields, which always appear in the following order.

Tag
The Tag distinguishes one information element from another and governs the interpretation of the Contents. It may be one or more octets in length. The Tag is composed of Class, Form and Tag codes.

Length
Specifies the length of the Contents.

Contents
Contains the substance of the element, containing the primary information the element is intended to convey.

TCAP Packet Types  

TCAP packet types are as follows:

TUP   ITU-T Recommendation Q.723. http://www.itu.int/ITU-T/. Signalling System No.7 – Telephone User Part.

The Telephone User Part (TUP) carries the telephone user messages on the signalling data link by means of signal units. The signalling information of each message constitutes the signalling information field of the corresponding signal unit and consists of an integral number of octets. It basically contains the label, the heading code and one or more signals and/or indications.

The service information octet comprises the service indicator and the subservice field. The service indicator is used to associate signalling information with a particular User Part and is only used with message signal units (see Recommendation Q.704, § 12.2). The information in the subservice field permits a distinction to be made between national and international signalling messages. In national applications when this discrimination is not required possibly for certain national User Parts only, the subservice field can be used independently for different User Parts.

The TUP header structure is as follows:

 8   7   6   5   4   3   2   1    Octets
+-------------------------------+
|       Message Type Code       |    1
+-------------------------------+

TUP header structure

Message Type Code
The message type code. The following message type codes are available:

0x11 Initial Address
0x21 Initial Address With Additional Information
0x31 Subsequent Address
0x41 Subsequent Address With One Signal
0x12 General Forward Setup Information
0x32 Continuity Signal
0x42 Continuity Failure Signal
0x13 General Request
0x14 Address Complete
0x24 Charging
0x15 Switching Equipment Congestion Signal
0x25 Circuit Group Congestion Signal
0x35 National Network Congestion Signal
0x45 Address Incomplete signal
0x55 Call Failure Signal
0x65 Subscriber Busy Signal (electrical)
0x75 Unallocated Number Signal
0x85 Line Out Of Service Signal
0x95 Send Special Information Tone Signal
0xA5 Access Barred Signal
0xB5 Digital Path Not Provided Signal
0xC5 Misdialled Trunk Prefix
0xF5 Extended Unsuccessful Backward Setup Information
0x06 Answer Signal, Unqualified
0x16 Answer Signal, Charge
0x26 Answer Signal, No Charge
0x36 Clear Back Signal
0x46 Clear Forward Signal
0x56 Reanswer Signal
0x66 Forward Transfer Signal
0x76 Calling Party Clear Signal
0x17 Release Guard Signal
0x27 Blocking Signal
0x37 Blocking Acknowledgement Signal
0x47 Unblocking Signal
0x57 Unblocking Acknowledgement Signal
0x67 Continuity Check Request Signal
0x77 Reset Circuit Signal
0x18 Maintenance Oriented Group Blocking
0x28 Maintenance Oriented Group Blocking Acknowledgement
0x38 Maintenance Oriented Group Unblocking
0x48 Maintenance Oriented Group Unblocking Acknowledgement
0x58 Hardware Failure Oriented Group Blocking
0x68 Hardware Failure Oriented Group Blocking Acknowledgement
0x78 Hardware Failure Oriented Group Unblocking
0x88 Hardware Failure Oriented Group Unblocking Acknowledgement
0x98 Circuit Group Reset
0xA8 Circuit Group Reset Acknowledgement
0xB8 Software Generated Group Blocking
0xC8 Software Generated Group Blocking Acknowledgement
0xD8 Software Generated Group Unblocking
0xE8 Software Generated Group Unblocking Acknowledgement
0x1A Automatic Congestion Control Information
0x2C Metering Pulse Message
0x1D Operator Signal
0x1E Subscriber Local – Busy Signal
0x2E Subscriber Toll – Busy Signal
0x1F Malicious Call Tracing Signal
 


3 posted on 04/18/2016 6:40:07 PM PDT by E. Pluribus Unum ("If voting made any difference they wouldn't let us do it." --Samuel Clemens)
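The MTP-2 signal unit layout quoted in the post above (BSN/BIB, FSN/FIB, LI, SIO, SIF, 16 check bits) as a small decoder. This is an added example, not code from this post or from the protocols.com page; it assumes the check bits are the HDLC-style CRC-16 (polynomial x^16+x^12+x^5+1, inverted) carried low octet first, and the sample unit is constructed here rather than captured from a network.

```python
"""MTP-2 signal unit decoder (added example; assumptions noted in comments)."""

# Service indicator codes (low 4 bits of the SIO) from Q.704; 1001 (9) for
# B-ISUP is the value the quoted text gives for the B-ISDN user part.
SERVICE_INDICATORS = {
    0: "SNM (signalling network management)",
    1: "SNT (maintenance, regular)",
    2: "SNT (maintenance, special)",
    3: "SCCP",
    4: "TUP",
    5: "ISUP",
    6: "DUP (call and circuit related)",
    7: "DUP (facility registration/cancellation)",
    9: "B-ISUP",
}

# Network indicator (top 2 bits of the SIO): the sub-service field that the
# MTP-3 text above says discriminates national from international messages.
NETWORK_INDICATORS = {0: "international", 1: "international spare",
                      2: "national", 3: "national spare"}


def crc16_x25(data: bytes) -> int:
    """CRC-16, polynomial x^16+x^12+x^5+1, init 0xFFFF, bit-reflected, result
    inverted (the HDLC FCS). Assumption: these are the MTP-2 check bits."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def build_signal_unit(bsn: int, bib: int, fsn: int, fib: int,
                      payload: bytes = b"") -> bytes:
    """Assemble a signal unit (the octets between the opening and closing flags).

    payload is everything after LI: empty for a FISU, the 1-2 octet status
    field for an LSSU, SIO followed by SIF for an MSU.
    """
    if not (0 <= bsn < 128 and 0 <= fsn < 128 and bib in (0, 1) and fib in (0, 1)):
        raise ValueError("sequence numbers are 7 bits, indicator bits are 1 bit")
    # LI is 6 bits: payloads longer than 62 octets are signalled as 63 (Q.703);
    # the 2 spare bits stay 0.
    li = min(len(payload), 63)
    body = bytes([(bib << 7) | bsn, (fib << 7) | fsn, li]) + payload
    # Assumption: check bits are transmitted low octet first, as in HDLC.
    return body + crc16_x25(body).to_bytes(2, "little")


def parse_signal_unit(raw: bytes) -> dict:
    """Decode one signal unit; raises ValueError if the check bits do not match."""
    if len(raw) < 5:
        raise ValueError("too short for BSN/BIB, FSN/FIB, LI and 16 check bits")
    body, check = raw[:-2], int.from_bytes(raw[-2:], "little")
    if crc16_x25(body) != check:
        raise ValueError("check bits mismatch: unit corrupted in transit")
    info = {
        "bsn": body[0] & 0x7F, "bib": body[0] >> 7,   # backward seq. number / indicator bit
        "fsn": body[1] & 0x7F, "fib": body[1] >> 7,   # forward seq. number / indicator bit
        "li": body[2] & 0x3F,                         # length indicator, 6 bits
    }
    after_li = body[3:]
    if info["li"] == 0:
        info["kind"] = "FISU"                         # fill-in unit: acknowledgements only
    elif info["li"] <= 2:
        info["kind"] = "LSSU"                         # link status unit: 1 or 2 status octets
        info["status"] = after_li
    else:
        sio = after_li[0]                             # service information octet
        info.update({
            "kind": "MSU",
            "sio": sio,
            "network_indicator": NETWORK_INDICATORS[sio >> 6],
            "service_indicator": sio & 0x0F,
            "service": SERVICE_INDICATORS.get(sio & 0x0F, "reserved/unknown"),
            "sif": after_li[1:],                      # user part message (SCCP, ISUP, ...)
        })
    return info


def check_bits_valid(raw: bytes) -> bool:
    """True if the unit's 16 check bits match its contents."""
    return len(raw) >= 5 and crc16_x25(raw[:-2]) == int.from_bytes(raw[-2:], "little")


# Constructed sample: an MSU with BSN 5/BIB 1, FSN 6/FIB 1, SIO 0x83
# (national network, SCCP) and a dummy 5-octet SIF. Not a real SCCP message.
SAMPLE_SIF = b"\x01\x02\x03\x04\x05"
SAMPLE_MSU = build_signal_unit(5, 1, 6, 1, b"\x83" + SAMPLE_SIF)

if __name__ == "__main__":
    print(parse_signal_unit(SAMPLE_MSU))
    damaged = bytearray(SAMPLE_MSU)
    damaged[3] ^= 0x01                     # flip one bit of the SIO
    print("damaged unit passes check:", check_bits_valid(bytes(damaged)))
```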

To: E. Pluribus Unum

I am impressed!!!!
I bow before your greatness.


4 posted on 04/18/2016 6:45:52 PM PDT by Zathras

To: E. Pluribus Unum

Very informative, thank you for taking the time.


5 posted on 04/18/2016 6:48:59 PM PDT by Souled_Out (Our hope is in the power of God working through the hearts of people.)

To: Swordmaker

“invited the hackers to prove their claims by giving a brand new iPhone to Congressman Ted Lieu – who agreed to participate in the test”

Let’s repeat the experiment with a fresh-from-the-store phone rather than one that the hackers and 60 minutes had access to prior to the test.

60 Minutes had and has credibility issues.


6 posted on 04/18/2016 6:54:23 PM PDT by DBrow

To: DBrow

“60 Minutes had and has credibility issues.”

Yes they do.

However, this impacts all cellular phones, not just the iPhone. They singled out the iPhone in the headline to attract readers. That’s quite scummy.

I wonder if they’d get their panties in a bunch if people would start using apps to encrypt phone conversations in realtime. I almost want to do that for fun. Seriously, just require each end user to agree on a particular key to use (much like one time pads) and encrypt the call. Not pretty, but it’d work ... and it’d be enough to cause some chuckles I think.

This kind of garbage is starting to really torque me off. I have absolutely nothing to hide and my phone conversations are quite boring ... but that’s nobody’s damn business ... get a frigging warrant if you want me to bore you to tears when you listen in on my calls about my latest sinus infection or how frigging tired I am :-).


7 posted on 04/18/2016 7:21:41 PM PDT by edh (I need a better tagline)

To: Swordmaker

Thanks for the ping.


8 posted on 04/18/2016 7:27:53 PM PDT by PA Engineer (Liberate America from the Occupation Media. #2ndAmendmentMatters)

To: Swordmaker

We’ve known about the issues in ss7 signalling for a long time. Personally, I think that particular ‘flaw’ was purposely made a part of the spec.


9 posted on 04/18/2016 8:14:58 PM PDT by zeugma (Vote Cruz!)

To: Swordmaker
Ted Lieu was my city councilman. He is about as deep blue as a democrat can get.

If there's concern about hacking cell phones, you can bet the only concern is how it affects him and his socialist friends.

10 posted on 04/18/2016 8:32:02 PM PDT by broken_clock (Go Trump)

To: Swordmaker

Brought to you by the fine folks who authorized the 1996 Telecom Act, CALEA and HIPAA.....


11 posted on 04/18/2016 9:29:08 PM PDT by Vendome (Don't take life so seriously-you won't live through it anyway - "Enjoy Yourself" ala Louis Prima)

To: DBrow
Let’s repeat the experiment with a fresh-from-the-store phone rather than one that the hackers and 60 minutes had access to prior to the test.

It had nothing to do with the make of the phone. It had to do with a vulnerability on the NETWORK, not the phone.

12 posted on 04/18/2016 9:29:32 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue..)

To: zeugma
We’ve known about the issues in ss7 signaling for a long time. Personally, I think that particular ‘flaw’ was purposely made a part of the spec.

How do you think the NSA listens in?

13 posted on 04/18/2016 9:32:35 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue..)

To: E. Pluribus Unum
Guess I get to give one of my history lessons on telecom and how we got here.

It's long so grab a drink.


There are various telecom laws that have been enacted since the 1934 Communications Act that enabled the government to do just what they have been revealed to be doing.

The 1934 Act created the FCC, which could oversee and regulate telecom and broadcasting.

This had the effect of creating monopolies by government fiat, as the FCC was to make broadcast and telecom regular throughout the states.

It also granted the government, for the 1st time, a lawful means of wiretapping:

"no person not being authorized by the sender shall intercept any communication and divulge or publish the existence, contents, substance, purport, effect, or meaning of such intercepted communications to any person."

The transmission of ten digits constitutes communication in that you authorize a carrier to originate a call from a phone number, which you own and they manage, to a number which someone else owns and is managed by the terminating carrier.

The terminating end receives your call and sees your ANI (automatic number identification) displayed. This gives the party called information about who may be calling and You Transmitted That Message, from a number and device you own. That is the 1st time you communicate with a person before a word is uttered.

Keep this in mind later as you read so you understand the fullness of how government bureaucrats justify their views of your 4th Amendment and 1st.

Wiretapping wasn't against the law per se; rather, the information gathered from a wiretap could not be divulged. So government went on doing it anyway, much the way they are doing it today. I believe the possession of a private transmission by anyone, in particular a government, without a lawful and sworn warrant is an abridgement of the 1st and 4th Amendments.

The public became increasingly aware of this and demanded more regulation over wiretapping and eavesdropping on their conversations. They weren't specific enough about what they would not allow, and government wanted to continue wiretapping and eavesdropping, so they looked for ways to pass one thing that really was another. So in 1968 OCCSSA was passed and you ended up with a further piercing of your 1st and 4th Amendment rights, as pertains to transmission via wire or broadcasting:
 

To safeguard the privacy of innocent persons, the interception of wire or oral communications where none of the parties to the communication has consented to the interception should be allowed only when authorized by a court of competent jurisdiction and should remain under the control and supervision of the authorizing court.

 
So problem solved, right? Need to have proper jurisdiction and control by warrant to wiretap by Law Enforcement?

Maybe. But at least with 1968 the wiretapping came under control and was now limited to a specific individual, for a specific time period (30 days) and for a specific number. It basically got specific and limited how LEOs could obtain information.
 
 
Now here is the fun part of 1968:
 

Nothing contained in this chapter or Section 605 of the Communications Act of 1934 shall limit the constitutional power of the President to take such measures as he deems necessary to protect the Nation against actual or potential attack or other hostile acts of a foreign power, to obtain foreign intelligence information deemed essential to the security of the United States, or to protect national security information against foreign intelligence activities.  Nor shall anything contained in this chapter be deemed to limit the constitutional power of the President to take such measures as he deems necessary to protect the United States against the overthrow of the Government by force or other unlawful means, or against any other clear and present danger to the structure or existence of the Government. 

 
Sweet!  The Federal Government and the President alone can abrogate your rights but, local LEO!  Heavens to Betsy!  Our rights have been restored...NOT!
 
Let's skip a few other acts and go to 1978.
 
Here we get FISA, aka the Foreign Intelligence Surveillance Act. This granted the Feds a new and farther-reaching power than 1934 and 1968. Now they can get a faster response on warrants to sweep communications made to or received by US citizens or organizations who happen to be in this country and are suspected of crimes or organizing crimes against the state, and they can go to a special court that deals specifically with FISA and FISA alone.

Kind of like fast-tracking, and the probable cause requirement was weakened to further expedite a warrant.

Fast forward again to the 1986 Electronic Communications Privacy Act (ECPA). Right around this time, because of competition in telecom, all kinds of communications mediums are expanding to consumers and businesses alike. That is, they are becoming more affordable and common in the marketplace, and these new services or technologies make communication faster and easier.

The government needs to get a handle on this, and quick, before they lose the lawful ability to monitor things like cellular phones (in your car), faxing (no more suitcase), paging (some quick messaging with limited characters displayed), email, which is now coming into use, and other services that were being used unlawfully via things like DISA off a PBX or hybrid phone system. Direct Inward Service Access allows you to call back into a switch or PBX and transfer to anywhere in the corporation and reach an intended party faster, or simply get to voice mail, which was now finally starting to work, thanks largely to the smart guys at a PBX company called ROLM, who were the 1st to make it work correctly.

It also allowed another nifty feature that criminals, terrorists and other miscreants were taking advantage of: while DISA allowed you to call anyone or any device within a company's network, it also allowed you to transfer out of the PBX and make calls to anywhere. Heck, if you didn't know DISA was enabled on your PBX you would figure it out when the phone bill came in for thousands of dollars to countries like Pakistan, Afghanistan, India, Mumbai, Mexico and countries all over South America. It was pretty rampant for a while.

So ECPA now allowed the Federal government, which I believe at this time consisted largely of the FBI and Secret Service, to do really neat things like trap and trace or use pen registers to obtain numbers dialed and numbers dialed from.

The Secret Service had a trap and trace on our switch, at the long distance company I was working for at the time. My recollection is that it wasn't in use all the time but only for lawful and specific investigations.
 
This was made possible by:

Upon an application made under section 3122 of this title, the court shall enter an ex parte order authorizing the installation and use of a pen register or a trap and trace device within the jurisdiction of the court if the court finds that the attorney for the Government or the State law enforcement or investigative officer has certified to the court that the information likely to be obtained by such installation and use is relevant to an ongoing criminal investigation.

 
So it kinduh sorta came with some new limitations, or did it?

Well, actually the law established a mechanism by which the government could now do what it called "Roving Wiretaps". This enabled the government to tap "A Person" and the communications devices they use, anywhere, anytime. How did criminals get around this?

Well, calling cards, call back services and cell phones. Calling cards could be used from, say, a payphone that one doesn't frequent. You would dial a toll free number, then a PIN authorizing you to make a call, and then you would make a call. Afterward you would toss the card and go get some more. NOT TRACEABLE at all at that time. We can trace better today, but switching and routing technologies as well as advanced heuristics give us a better capability.

Call back services enabled you to essentially do the same thing. You call a toll free number and they complete your call. Here, however, you use a credit card, and you could get those anywhere, anytime back then.

Cell phones. So at that time cell phones are either firmly in your car or carried as a bag phone. Kewel thing here is two things. They don't transmit the calling ANI to the PSTN, as they are switched within the cell service provider's network. All the PSTN sees is the switch number and a Feature Group A or B origination code, and they bill the service provider and the service provider bills you off the connection between them and the distant end. The other kewel thing is how cell phones work. As you move, your phone would jump from tower to tower to tower. No way to trace back then.

Sucks for the feds, but there are some workarounds, which is why they came up with CALEA in 1994. Now you are screwed, because all service providers must provide and pass to each other not only the ANI of transmission and receive but also how the call was routed. The whole routing. This gives the Feds more power to not only scrutinize your calling patterns and who you've called, but additional powers to Rove Tap, but still that wasn't enough for an ever voracious Fed looking for new tools that ensnare criminals.

More directly, communications companies were required by law to develop methods so as to make surveillance easier and not impede that process. It doesn't say it exactly like that, but that is how it is interpreted, and here's why:
 

A telecommunications carrier shall ensure that its equipment, facilities, or services…are capable of expeditiously isolating and enabling the government, pursuant to a court order or other lawful authorization, to intercept, to the exclusion of other communications, all wire and electronic communications carried by the carrier within a service area to or from equipment [and] to access call-identifying information.

 
Now, you would think the phone companies would be pissed about the government telling them how to make their equipment, at their cost, which provided no value to the end user or their customers. Just another cost and an appendix to a system that no one asked for but was imposed by law.

They were P.O.'d as hell.

So Congress mercifully handed over $500 million of your tax money to pay for this. Well, at least initially; the cost ended up being way more than that, as most government programs aren't properly calculated using so much as an abacus. Just a plan on the back of a napkin.
 
Actually, billions of your tax dollars were spent to modify communications companies equipment and networks to give the Feds even greater, more intrusive and faster access to almost anything they wanted.
 
Cute huh?
 
Not as cute as the government finally thinking "Hey, we forked over all this money for this equipment. We actually own it, or parts of it, and now we demand access to our stuff". Like what your money bought? The communications companies and the Feds were now partners by law. Anyone think that is funny?

Now, the FBI's Electronic Surveillance has been meeting with the FCC since 2003. Why? Well, seems there is a technology that is now being used worldwide to make and receive phone calls, and there doesn't seem to be a way of tracking these calls, because they are not routed using circuit switching; they are now being routed via packet switching, and it's hard to distinguish data being sent from voice. Erh, well, because it's packet switching they can't distinguish essentially what's in the envelope without some sort of inspection.

But, wait a minute! The 1994 CALEA act requires our partners, the communications companies, to help us and provide a means and method to surveil so as not to impede our investigations! Let's have a talk with them. Only this time we bring some of our other partners like DEA and DOJ into the conversation and let's get serious on this.
 
The list of agencies who can surveil you just got bigger.
 
But how did they start surveilling? They and their partners invented a program called Carnivore, or technically the DCS 1000 system. Most of us just called it DEX for short.

But giving access to specific users (targets) ends up being pretty difficult, both from a logistics standpoint and because there were critics such as EFF and EPIC who worried about privacy on a whole host of issues. The government prevailed and mandated that if the user could not be silo'd for an investigation then the service provider must give "Whole Pipe" access. Guess who is in that pipe? How would I know, and you don't, until you surveil each and every thing transmitting through the pipe and analyze egress and ingress traffic. Now, how do you get to who you want? You actually access everyone's information in that pipe.

That's where your privacy starts to erode. Say you say something interesting over the phone, send a txt or email, and the FBI finds it curious. Well, what if they had a buddy who could use a bit of a hand out, and they simply made them aware of what you transmitted, either indirectly or by outright letting them see or hear it?

Now you are being surveilled. Wink, wink... Oh wait, old technology. But so is everyone else, by this other three letter agency, because there isn't another way to do it.
 
It's called trawling for a reason.
 
For proof that government and communications companies were partners we need to look at some statements and just ponder the people who made them:
 
"I think the FCC has a lot of room here," said Stewart Baker, who represented ISP's. "CALEA was written knowing that there would be new technologies for telecommunications." Now who was this Mr. Baker on a deeper level?  Well, only the former general counsel of the NSA.
 
Derek Khlopin, regulatory counsel to the Telecommunications Industry Association said what the FBI is "worried about is, when you have voice over DSL, if there's a way someone could say they're not subject to CALEA."   Guess where he worked before getting this plush job?  He was an Attorney at the FCC!
 
The ACLU, EFF, EPIC and many VoIP providers as well as DSL providers objected and said their services didn't fall within the definition of CALEA. 
 
Oh really?
 
The FBI fired back, "CALEA applies to telecommunications carriers providing DSL and other types of wireline broadband access." Basically, FU and give us what we want... Now! You Will Give us Full Pipe Access. Problem solved for the alphabet agencies at the Fed.
 
Your 1st and 4th got eroded right there and then.
 
I believe it's around this time that Vonage lifts the curtain and describes that they can route any stream they want to any agency by court order, so long as they have the right equipment on their end. Forward to today and companies are saying the Feds don't have direct access to their networks, right? Well, in one sense they don't, but if they direct a service provider to give them whole pipe and they have the right equipment on their end, then everyone gets caught up in the trawling. Maybe the intended target, maybe you, maybe your loved ones, but everyone on that pipe gets redirected to the alphabet agency requesting it.
 
Remember Stewart Baker, the attorney representing ISPs and formerly of the FCC? He further lifts the curtain and has this to say. Remember, he is the legal interface to the FCC on behalf of ISPs but formerly of the FCC:
"It would be very difficult to set up a network so that you could only intercept voice packets and not the others. The likely result here is that you'll have modifications that are useful for law enforcement not just for voice packets but for other packets as well."

And he's absolutely right. There is no way to separate the packets. For that you would need something called DSCP, and that hasn't come into widespread use, or become usable from a surveillance standpoint, and the network that enables that isn't ubiquitous... yet.

Still, in 2003 the government has made clear they see communications providers of all types as "Their Partners", and now the providers are admitting they are. We already have Vonage admitting they are a partner and giving whole pipe access. Who else demystifies the relationship between private entities and the government? Why, none other than Earthlink and David Baker, who is the vice president of law and public policy: "The FBI is really an ally of sorts" ... "They're saying to the FCC, look, you guys are thinking of classifying everything as an information service, but you have to be aware of the implications." Naw, David, you guys took Fed money, and like the mafia, once you take, you're theirs. Oh, don't want to forget, David used to be Commissioner and Chairman of the Georgia Public Service Commission. I think he's a good guy. He actually works on issues of privacy and is currently Chairman of the California ISP Providers Association (CISPA). I've met him once and seen some of his writings.
 
Oh! Let's move back to 2000 and the Digital Privacy Act. Sponsored by! Bob Barr, Republican plick. This dastardly act removed the requirement of a warrant, and the alphabet agencies now only needed probable cause. Hey! WTF! Did you not read the 4th Amendment regarding search and seizure and that warrant sworn upon part???

But there it is. So now they had access to "Full Pipe" trawling of everyone's information and they no longer required a warrant. How Kafka.

But that's not all, and they weren't even close to finishing off your unalienable rights. Why, later that same year they passed the Electronic Communications Privacy Act. Don't you love how they title all these things and envelope them in terms that really obfuscate the evil part so you don't look deeper?

What did the ECPA enable the Feds to do now? Why, it expanded their search and seizure of private records by demanding service providers deliver, on demand, any and all electronic communications "stored at the service provider".

As the service providers have mentioned, they can do this for their partners if they have the right equipment at their end. They do. It's the law; otherwise it would "impede an investigation".

Remember way back at the beginning of all this where I explained who owns your phone number, your email address (not the free ones), your website (paid ones), etc.? Why, you own them, and the service provider is only a manager of your private and paid-for stuff. Whenever you initiate a call, txt or email on your private and paid-for devices on a service you pay for, you own that, and when you make that call you are transmitting who the sender is. Same on email, txt, VoIP, etc.

That is your private information and transmission. The 1st and 4th Amendments apply, but the partners all got together and said "Nope", we share it amongst each other and with any Tom, Dick or Hairy agency that demands Full Pipe access, and your stuff might get caught up in that trawling.

This is the FBI's Carnivore eating up everything it can, and hell, they even rent it out to other alphabet agencies, and how do we know they don't let InterPol or other partners of the US use it? Well, another program makes that possible. More later.

Between 1996 and 2006 the FBI admits in an open paper their Internet wiretaps increased more than 2,000%. Big deal? I don't know. All that is still quite young, and still is in terms of market growth and saturation. Maybe it's a valid number and we should accept it. After all, there weren't that many people with email even before 2000.

Still, all your stuff got tossed on a table and perused while they were looking for another guy's stuff. Remember the 4th Amendment and its dictate that a warrant must specify place and objects very specifically? Bob Barr toasted that for you, and this just before we get to the Patriot Act, which will come a year later, after some animals kill 3,000 human beings in one day.
 
Moving on.
 
One more time "No government agency has direct access to our systems"
 
Going back one more time because I am trying to remember all this off the top of my head and looking for proof and quotes on the Internet.  Let's look at December 2000 and the FBI issues a report as to how Carnivore is used and how it operates.
 
Have fun reading this:
 

Currently, all Internet wiretaps using the Carnivore system begin with an FBI investigation.  As with any wiretap, the FBI requires its investigators to ask for permission.  According to the Illinois report, the process the FBI follows to obtain a wiretap is as follows:

 

--For a full mode wiretap only

- A case agent in an investigation determines a wiretap may be needed.
- The agent contacts the FBI’s Chief Division Counsel (CDC), familiar with statutory requirements.
- The agent contacts a Technically Trained Agent (TTA); an experienced Special Agent with advanced training.
- After consulting with the CDC, the TTA, and with field office supervisors, the case agent will determine if the wiretap is required.

--For a pen register wiretap only

- The case agent requests pen-register surveillance in writing, with a justification for necessity.

--Then, for either full mode or pen mode

- FBI shows a judge the relevance of the information sought to the investigation.
- FBI shows a judge why traditional enforcement methods are insufficient.
- FBI must submit request with information such as target internet service provider (ISP), e-mail address, etc.
- This process may take up to 4-6 months.

At this point, two court orders are issued; one that authorizes the intercept, and a second, which directs the ISP to cooperate with the investigation. After receiving a court order, the FBI begins conversations with the target ISP. Carnivore is deployed when:

- The ISP cannot narrow sufficiently the information retrieved to comply with the court order.
- The ISP cannot receive sufficient information.
- The FBI does not want to disclose information to the ISP, as in a sensitive national security investigation.

Let's get on a big boat with a huge net and go fishing!

 

If it is deemed necessary, a Carnivore computer is taken from FBI headquarters and brought to the ISP. The TTA takes responsibility for the installation of the system, for configuration of the system based on the court order, and for securing the work area at the ISP. After this, the TTA's work is done; the TTA does not receive or complete minimization on any of the information collected by Carnivore.

At this point, the case agent can retrieve the intercepted information remotely as it is received by Carnivore, or he can await the information on the Jaz disk from the computer.

Hardware Architecture

The hardware components of the Carnivore system are:

1) a one-way tap into an Ethernet data stream;
2) a general purpose computer to filter and collect data;
3) one or more additional general purpose computers to control the collection and examine the data;
4) a telephone link to connect the additional computer(s) to the collection computer.

Figure 2: Carnivore Hardware Architecture

 

One Way Tap

The connection from the filtering/collection computer to the ISP's network is a third-party one-way tap. The device, called the Century Tap, is produced by Shomiti Systems. The one-way tap is placed between a link from a switch to a subnet, as illustrated in the figure above.

The configuration reported in the Illinois report only works for standard Ethernet. Although the tap is capable of being used with full-duplex Ethernet, the researchers at the IITRI have determined that the presence of collisions could cause packet loss, or even the capture of wrong packets. In full duplex mode, this problem is exacerbated by increased throughput.

Filtering/Collection Computer

The computer which resides at the ISP is a Pentium-class PC installed with a 2 GB Jaz Drive, a standard 10/100 Mbps Ethernet adapter, a modem, Windows NT, and the software package pcAnywhere, produced by Symantec. It connects to the one-way tap through its Ethernet adapter. It connects to an outside control/examination computer through a modem using a special telephone link. According to the Illinois report, the computer is installed without a monitor or keyboard.

Control/Examination Computer

Any computer may act as a control/examination computer, so long as it has installed on it: pcAnywhere, the DragonWare package including CoolMiner and Packeteer, a modem, and the proper keys and passwords to access the Windows NT administrator account, pcAnywhere, and the telephone link.

Telephone link

The filtering/collection computer communicates with the control/examination computer through a telephone line, which is installed especially for its use. The telephone line is protected by third-party devices from Computer Peripheral Systems, Inc. (CPSI) from their line of Challenger Security Products (CSP). The protection devices come in pairs; a Lock is a device attached to the phone line on the end of the filtering/collection computer, and a Key is another device attached to the phone line on the end of the control/examination computer being used.

 

Software Architecture

 


Figure 3: Carnivore Advanced Menu

"Carnivore software is a component of a software suite called DragonWare written by the FBI. The other components of DragonWare are Packeteer and CoolMiner, two additional programs that reconstruct e-mail and other Internet traffic from the collected packets." The software will be examined in two ways, first its functionality, and second its architecture.

Functionality

Carnivore's functionality can be broken up into 3 areas: Filtering, Output, and Analysis.

Filtering

The filtering system provided with the software is intended to take the large amounts of data passing through the tapped network stream and prevent the unwanted data from being stored. The software provides the user many different options for filtering and the combination of filters:

Fixed IP: Can choose a range of IP addresses.

Dynamic IP: If not in fixed IP mode, one can choose to include packets in either Radius or DHCP mode.

Protocol Filtering: One can choose to include packets from TCP, UDP, and/or ICMP in either Full mode, Pen mode, or none.

Text Filtering: One can include packets that contain arbitrary text.

Port Filtering: One can select particular ports to include (e.g. 25 (SMTP), 80 (HTTP), 110 (POP3)).

E-mail address Filtering: One can select to include packets that contain a particular e-mail address in the to or from fields of an e-mail.

Output

The software produces three types of files when storing packets, files with extensions '.vor', '.output', and '.error'. The actual data collected from the network is saved in a .vor file. The '.output' file contains a human readable version of the settings used to collect the data in the corresponding '.vor' file. Finally, the '.error' file keeps track of any system messages that may have been generated during collection. The software does not prevent files from being stored on the local hard drive, but they are typically stored on the 2GB Jaz Drive attached to the system.

Analysis

The DragonWare package provides two programs to analyze the information stored in the '.vor' file produced by Carnivore.

Packeteer: This program takes the collection of IP packets in .vor files, reconstructs the TCP session, and creates a series of files that can be viewed with CoolMiner.

CoolMiner: This program can be set up to show only certain types of packets.

Architecture

The Carnivore software consists of four components: TapNDIS driver, TapAPI.dll, Carnivore.dll, and Carnivore.exe.

TapNDIS (written in C) is a kernel-mode driver, which captures Ethernet packets as they are received, and applies some filtering. The source is divided into 13 files, 9 of which are borrowed intact or with only minor changes from WinDis 32 sample programs. 2 others were generated by Microsoft Developer Studio. The remaining two files contain all the logic for driver-level filters and for writing data to a file. The IITRI assumes this to be the core of the Carnivore implementation.

TapAPI.dll (written in C++) provides the API for accessing the TapNDIS driver functionality from other applications.

Carnivore.dll (written in C++) provides functionality for controlling the intercept of raw data. This is where pen mode truncation occurs.

 

Did you understand any of that?  I do but, this is my job. 

 

All you really need to know is this part: "At this point, the case agent can retrieve the intercepted information remotely as it is received by Carnivore"

 
This was published 13 years ago! And the service providers are trying to tell you the alphabet agencies do not have direct access to their networks! Are you freaking kidding me!? It sure looks like they do upon court order!

And here is the rub in case you didn't want to read all that stuff up above:
 

The FBI perform's its own minimization. That is, "control of the information is removed from a third-party source".  The FBI and other agencies such as DOJ and DEA have no clients to protect.  That means they have no legal or lawful reason to actually perform minimization, the 1st and 4th amendments be damned!  Remember Reagan's sarcastic joke "I'm from the government.  I'm here to help"???  You just have to trust they are of the highest morals and operate with pure and nuetral ethics.

Has there been any news of late that would give you a reason to trust them?

Well, you shouldn't, as the FBI IITRI review of Carnivore states “the statutory suppression remedy available for illegal interception of other communications in Title III is not extended to electronic communications… the data gathered would not automatically be thrown out as evidence.”

 

Wow?! You mean you could just keep the information and use it later whenever it suited you? Courts said "Yeah, they can do that".

 

Barry Steinhardt of the ACLU sent the following in a letter to the House Judiciary Subcommittee on the Constitution:

Quote
"The existence of Carnivore first came to light in the April 6 testimony of Attorney Robert Corn-Revere to the Constitution Subcommittee. Its operation was further detailed in a report that appeared in today's Wall Street Journal (copy attached). According to these reports, the Carnivore system -- essentially a computer running specialized software -- is attached directly to an Internet Service Provider's (ISP) network. Carnivore is attached either when law enforcement has a Title III order from a court permitting it to intercept in real time the contents of the electronic communications of a specific individual, or a trap and trace or pen register order allowing it to obtain the "numbers" related to communications from or to a specified target.

But unlike the operation of a traditional pen register, trap and trace device, or wiretap of a conventional phone line, Carnivore gives the FBI access to all traffic over the ISP's network, not just the communications to or from a particular target. Carnivore, which is capable of analyzing millions of messages per second, purportedly retains only the messages of the specified target, although this process takes place without scrutiny of either the ISP or a court.

Carnivore permits access to the email of every customer of an ISP and the email of every person who communicates with them. Carnivore is roughly equivalent to a wiretap capable of accessing the contents of the conversations of all of the phone company's customers, with the "assurance" that the FBI will record only conversations of the specified target. This "trust us, we are the Government" approach is the antithesis of the procedures required under our wiretapping laws. They authorize limited electronic surveillance of the communications of specified persons, usually conducted by means of specified communications devices. They place on the provider of the communications medium the responsibility to separate the communications of persons authorized to be intercepted from other communications."
 
Want to know what else is BS about Carnivore and other operations like it? The operators of Carnivore are anonymous and cannot be brought into court to test their expertise, accuracy, accreditation, etc. Constitutionally you are able to confront your accuser and anyone in the process to test them as well, right? Well, in the case of Carnivore and other programs there is no chain of evidence at the operator level. They login simply as "Administrator". Heck, that could be anyone.

You are so screwed.

Nowadays, they install Carnivore and like systems at will and with a court order they login remotely from, say, Miami Beach and begin their surveillance. Why should they be there? The service provider is ordered by law to be a partner and provide all means to increase the speed of an investigation, and there is no real reason why an FBI partner can't host the Carnivore machine and the FBI access it remotely, and they do.

I was going to go further and provide information on the Patriot Act, what it enabled, and PA II, what it further enabled, and how FISA completely eroded 4th amendment protections, but don't be "Snowed" by this BS that they are collecting "metadata". But, I'm tired.

They are in fact, trawling for information.

They are in fact, using your private number to intercept others' private numbers, txts, VoIP, email, etc. If you are paying for these services you have a complete expectation of privacy. You own the device, numbers, addresses and pay for a service. The government can no more say they are a partner with service providers than they can go to the leasing company of your automobile and demand they give access to your vehicle that you pay for and maintain.

They could no more claim they are partners with the equipment you lease for your business such as phone system, computers, routers, multifunction printers, etc. and then go to the leasing company and demand access to all those information devices as well as any information you transmit from them using a service you pay for.

Same with your home. They can't claim partnership with the bank and then enter your home.

How is it they can do this with your private and paid communications???
 
Anyone? Anyone? Bueller? Anyone?
 
So "Snowjob" put a name to another program called PRISM. What's new?
 
 
Ever hear of Eyewatcher?  Echelon? Magic Lantern? V-Chip?
 
Did you know that the Feds can listen to privileged conversations between a lawyer and a person under arrest if they deem it in the interest of national security?
 

14 posted on 04/18/2016 9:34:32 PM PDT by Vendome (Don't take life so seriously-you won't live through it anyway - "Enjoy Yourself" ala Louis Prima)
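To make the "pen mode truncation" and minimization split described in the Carnivore architecture above concrete, here is an added Python model of that step (not code from the IITRI report or the Carnivore software): it parses constructed Ethernet/IPv4/TCP frames, keeps only the specified target's packets, and in pen mode discards every payload so that only addressing data survives. The frame builder, the Record layout and the ".vor"/".error" split are my own assumptions about how such a filter would be organized.

```python
import struct
from dataclasses import dataclass

@dataclass
class Record:                # one retained packet; assumed stand-in for a '.vor' entry
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes

def build_frame(src, dst, sport, dport, payload):
    """Construct a minimal Ethernet/IPv4/TCP frame (sample input; checksums left zero)."""
    ip_src = bytes(int(o) for o in src.split("."))
    ip_dst = bytes(int(o) for o in dst.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, ip_src, ip_dst)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp      # dummy MACs, EtherType 0x0800

def parse_frame(frame):
    """Decode the addressing fields and split off the TCP payload; reject anything else."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 Ethernet frame")
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:
        raise ValueError("not TCP")
    src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
    tcp = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
    data_off = (frame[tcp + 12] >> 4) * 4
    return Record(src, dst, sport, dport, frame[tcp + data_off:])

def minimize(frames, target_ip, mode):
    """Keep only the target's packets; in pen mode also truncate every payload to nothing."""
    kept, errors = [], []
    for frame in frames:
        try:
            rec = parse_frame(frame)
        except ValueError as exc:
            errors.append(str(exc))      # would be logged to the '.error' file
            continue
        if target_ip not in (rec.src, rec.dst):
            continue                     # third-party traffic is never written out
        if mode == "pen":
            rec.payload = b""            # pen register: addressing only, content dropped
        kept.append(rec)                 # would be written to the '.vor' file
    return kept, errors

# Constructed sample capture: target session, third-party session, and a non-IP frame.
SAMPLE = [build_frame("10.0.0.5", "192.0.2.10", 40000, 25, b"MAIL FROM:<a@b>"),
          build_frame("10.0.0.9", "192.0.2.10", 40001, 25, b"MAIL FROM:<c@d>"),
          b"\x00" * 60]
```

The point the thread makes is visible in `minimize`: whether third-party traffic is dropped and whether content is truncated depends entirely on the `target_ip` and `mode` arguments chosen by the operator, with nothing outside the filter enforcing them.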

To: Swordmaker; Abby4116; afraidfortherepublic; aft_lizard; AF_Blue; amigatec; AppyPappy; arnoldc1; ...
Network vulnerability affecting ALL phones, so heads up! ... PING!

You can find all the Windows Ping list threads with FR search: just search on keyword "windowspinglist".

Thanks to Swordmaker for the ping!!

OOPS Indeed!!

15 posted on 04/18/2016 9:43:55 PM PDT by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")

To: Swordmaker

This means every conversation and email made by Hillary Clinton on her phone was intercepted.

The Russians and Chinese know where Clinton and obama were during the Benghazi attack but we are not allowed to.


16 posted on 04/18/2016 9:48:19 PM PDT by minnesota_bound

To: Vendome

These guys didn’t present anything new, that I can see.

We knew about these issues for years and after The Telecommunications Act of 1996, SS7 was going to be an issue as follows:

2001 IEEE Proceedings United States Military Academy, West Point
http://www.daairatoulatif.com/admin/upload/10.1.1.121.6125.pdf

The protocol was originally designed for a closed telecommunications community; therefore, it possesses limited authentication facilities. However, deregulation now requires
phone companies to provide SS7 connections to any entity for a modest fee.

The Internet-PTN convergence allows attackers inroads
via entities with poorly secured SS7 networks.

ISDN connections are also points of unauthorized entry.

Once access to a PTN is gained, an attacker can perpetrate
modification, fabrication, interception and interruption on a potentially massive scale.

For example, during a terrorist bombing incident, an attacker can modify entries in a call forwarding database to re-route all phone calls to emergency services, disrupting them and possibly increasing the number of casualties.


17 posted on 04/18/2016 10:11:46 PM PDT by Vendome (Don't take life so seriously-you won't live through it anyway - "Enjoy Yourself" ala Louis Prima)

To: Vendome

Thank you, Vendome. Your detailed history of 1st and 4th A. violations using ISP providers as the intercept point is both stunning and depressing. Totalitarian. We’ve been reading about these usurpations here on FR since its early days. Now you’ve put it all together. But what can we do to keep our lives private?
T.W.


18 posted on 04/18/2016 10:12:03 PM PDT by The Westerner

To: The Westerner

Use encryption from inception of any communications or transmission you believe is important.

Just Look up TOR and also the history of anonymizing on the internet.

There are encryption tools for your devices, storage, etc.

SS7 and Internet don’t play well together.

BTW, Google serves up the Internet as they want you to see it. Kind of like POS AOL. It’s their version.

Alternative search engines give you greater access to the internet and are more secure as well. Think DuckDuckGo


19 posted on 04/18/2016 10:38:10 PM PDT by Vendome (Don't take life so seriously-you won't live through it anyway - "Enjoy Yourself" ala Louis Prima)

To: Vendome
Mobile phone hacking using ss7 protocol

Backstory of mobile phone hacking using SS7 flaws

Technology is, in its nature, developing based on current progress. Sometimes it is worth going back to the blue box era to discover something in today’s world. More or less recent scandals involving NSA’s practice to track, listen, and intercept communication without authorization made a splash, but not many took the time and effort to understand the magic behind this. Kudos to the Washington Post: they went looking into this.

After a little research taking me 50 years back in time, I will explain the technology behind it and demonstrate that one does not need NSA resources or an army of hackers to repeat the trick on you.

The calling protocol that is used for one network to “talk” to another was developed in the 1970s and is called SS7. The protocol was somewhat refined around 2000 with the SIGTRAN specification, which made it IP network environment friendly. This, however, meant that all the weak links on the upper level of SS7 infrastructure were carried over.

Picture that the communication is made possible not by one, but in fact several hundreds of links, which result in a chain that triggers the phone on the other end of your call ringing. Referencing back to my earlier post on “Evolution of Authentication”, I would like to demonstrate that the same principle of security level assessment applies here: the chain is as safe as its weakest link.

Weak Link SS7 hacking

During my time in Deutsche Telekom Consulting, I was involved in review of a number of networks (fun times included climbing down sewers following copper lines laid there in the 50s-60s-70s, which were used by corporations and governments in 2003-2004 and likely still to be in place). The hardware and software providers vary from network to network and are extremely segmented, which leads to a simple result: they have to keep their chains wide open to make sure that the next chain link can integrate.

So did anyone know about these vulnerabilities until 2013? In short: of course. The first reference I have discovered dates back to a report published in 2001, which I (admittedly) could not read to full extent due to my neglected Swedish. Google Translate may help you.

It was also made public by Tobias Engel during a Chaos Computer Club Congress held in 2008, when Tobias made a live demo of tracking abilities:

Hacking of mobile phones via SS7

And, of course, it was most widely reported during the NSA scandal involving Edward Snowden, which revealed how NSA was exploiting the weaknesses of SS7 to create a very intelligent and complex series of solutions enabling them to simultaneously track and analyze millions of citizens without their or their carriers’ knowledge or approval.

So what does one require to make this work? The list is quite short:

Apart from the computer itself, remaining ingredients are free and publicly available on the Internet.

It may have slipped under your radar, but apparently now there is a legal way to use this technology to track anyone worldwide, and NSA is not involved at all: the service offering is open to the public and provided by NASDAQ-listed Verint Systems Inc. (NASDAQ: VRNT). In their product description, which was made public, they refer to the system as “Skylock”. During my search I even stumbled upon a certification of the encryption capabilities of this product by NIST (certificate scan).

Verdict? Abandon illusions of privacy if you still had them.


Sources:

Disclaimer: this article is a warning to regular citizens about low technological barrier protecting their privacy specifically in relation to mobile phone hacking using ss7 protocol. It is not a guide to hack-a-phone. I will intentionally leave a few aspects uncovered. I urge all readers NOT to use this technology and hope that the solution to restrict this ability to track phones will be implemented soon.


20 posted on 04/18/2016 10:39:27 PM PDT by Vendome (Don't take life so seriously-you won't live through it anyway - "Enjoy Yourself" ala Louis Prima)