Veritasium: Exposing The Flaw In Our Phone System

This is a must-watch video IMO. I was aware of some of these issues with SS7, but that they are demonstrable in the real-world by a YouTuber is astounding to me.

9 Likes

I just saw this and I am about to show it to the spouse. The key takeaway is to use an E2EE messaging/calling service like Signal (and, sadly, WhatsApp was recommended as well).

The case study the cybersecurity experts and Veritasium presented here is that an abused Emirati (from the UAE) princess tried to escape by boat, but the father tried to track her, traced her through the captain’s phone via SS7, and recaptured the princess.

This is freaky

They didn’t tell how they managed to get Linus’s IMEI number, but it was a hell of a lot scary. Not sure why banks still rely on SMS for 2FA.

Also indicates how easy it would be for a government to spy on you.

This would be a more serious problem in countries like the UAE, where encrypted WhatsApp video/voice calls are blocked.

1 Like

I am also a bit confused about this, but I do think this aspect was staged. They mentioned there are some ways to obtain the IMSI required to perform this attack with only the victim’s phone number, but I think this depends on the carrier.

My understanding is that some carriers leak IMSI, like you can use SS7 to ask for the IMSI with just the phone number, but other (maybe most or all nowadays?) carriers block it.

In other cases it may require social engineering the carrier or using an IMSI catcher device (which would actually capture the TMSI over the air, but you can use SS7 to get the IMSI from the TMSI).

3 Likes

I thought IMEI numbers are on the phones and IMSI are on the SIM cards? Both are different unique identifiers that cellular providers should have access to.

That’s why I never used or disclosed the phone number of the SIM card in my phone, and I have my phone set to LTE only, so I only use it for internet access.

1 Like

Probably Linus provided his IMEI so they could make this video.

1 Like

Yeah, sorry, I meant the IMSI, not the IMEI.

Then how do you answer your calls?

1 Like

VoIP.

1 Like

You mean calls via the Internet using your number instead of the cellular network, or Signal/WhatsApp?

Yes, you could also use VoWiFi; it works even with airplane mode enabled.

I am not sure whether using only LTE or VoWiFi would ensure no SS7 attacks.
In the video they mentioned that communication between two carriers could still be using SS7 technology, so you may be using LTE to connect to your ISP, but the communication might use the old network at some point.

I think the best would be to use an E2EE solution like Signal or WhatsApp and encourage family and friends to use it.

1 Like

I was aware of these issues, but it is very good that this is made more publicly known and explained.

see also: SS7 problems now more widely known and spread

3 Likes

If I own a regular phone number at a VoIP provider, and I connect to this provider using encrypted SIP, that end of the connection would not be affected by SS7 control-plane hacking. It can still be vulnerable, but by other means.
However, what about the exchange between telephony providers? They still use SS7 to discover and connect to each other. Isn’t this vulnerable too?

1 Like

I think they gave him the phone? I watch LTT and I know that he was planning on trying out the new iPhone, because his Fold died and for the time being he was using his previous Samsung S8 phone. So, they most likely just gave that phone to him or something like that.

This would be impacted just the same; it is just an IPsec tunnel to your carrier, as the towers do.

6 Likes

My interpretation is that it depends on the SS7 server of the carrier the attacker connects to, to get the information, rather than the carrier of the victim. Given the apparent multitude of SS7 providers that exist, the attacker only needs to know of one that suits their needs.

So the most that the SS7 system would know is the apparent IP address of the VoWiFi endpoint. And that can be obscured by using a VPN to a location of your choice.

That probably is enough to keep your location hidden from the attacker. It does nothing to mitigate the fact that they can monitor or redirect any of your traffic. For that, an end-to-end encrypted, IP-only system like Signal would be needed.

VoWiFi bypasses your VPN.

7 Likes