Table of contents:

Insecure communication: 9 ways to eavesdrop on your phone
Insecure communication: 9 ways to eavesdrop on your phone

A mobile phone is a universal bug that a person constantly and voluntarily carries with him. Ideal for 24/7 surveillance and listening. To the delight of special services and hackers, most people do not even suspect how easy it is to connect to a communication channel and listen to their conversations, read SMS and messages in instant messengers.

Insecure communication: 9 ways to eavesdrop on your phone
Insecure communication: 9 ways to eavesdrop on your phone

1. SORM - official wiretapping

The most obvious way is official wiretapping by the state.

In many parts of the world, telephone companies are required to provide access to wiretapping lines for the competent authorities. For example, in Russia, in practice, this is done technically through SORM - a system of technical means to ensure the functions of operational-search activities.

Each operator is obliged to install an integrated SORM module on his PBX.

wiretapping, SORM
wiretapping, SORM

If a telecom operator has not installed equipment on its PBX for wiretapping the phones of all users, its license in Russia will be canceled. Similar programs of total wiretapping operate in Kazakhstan, Ukraine, the USA, Great Britain (Interception Modernization Program) and other countries.

The venality of government officials and intelligence officers is well known to all. If they have access to the system in "god mode", then for a fee you can get it too. As in all state systems, in the Russian SORM is a big mess and typical Russian carelessness. Most of the technicians are actually very low qualified, which allows unauthorized access to the system without being noticed by the intelligence services themselves.

Telecom operators do not control when and which subscribers are listening on SORM lines. The operator does not check in any way if there is a court sanction for wiretapping a particular user.

“You take a certain criminal case about the investigation of an organized criminal group, which lists 10 numbers. You need to listen to a person who has nothing to do with this investigation. You just finish off this number and say that you have operative information that this is the number of one of the leaders of the criminal group,”say knowledgeable people from the site“”.

Thus, through SORM, you can listen to anyone on a "legal" basis. Here's a secure connection.

2. Wiretapping through the operator

Operators of cellular communications in general, without any problems, look at the list of calls and the history of movements of a mobile phone, which is registered in various base stations according to its physical location. To receive call records, as with special services, the operator needs to connect to the SORM system.

Under the new Russian laws, operators will be required to store audio recordings of all users' conversations from six months to three years (the exact date is now being negotiated). The law comes into force in 2018.

3. Connection to signal network SS7

Knowing the victim's number, it is possible to wiretap the phone by connecting to the network operator of the cellular network through vulnerabilities in the SS7 signaling protocol (Signaling System No. 7).

wiretapping, SS7
wiretapping, SS7

Security experts describe this technique this way.

The attacker infiltrates the SS7 signaling network, in the channels of which it sends a Send Routing Info For SM (SRI4SM) service message, specifying as a parameter the telephone number of the attacked subscriber A. In response, the home network of subscriber A sends the attacker some technical information: IMSI (international subscriber identifier) and the address of the MSC that is currently serving the subscriber.

Next, the attacker, using the Insert Subscriber Data (ISD) message, injects the updated subscriber profile into the VLR database, changing the address of the billing system in it to the address of his own, pseudo-billing, system. Then, when the attacked subscriber makes an outgoing call, his switch instead of a real billing system turns to the attacker's system, which instructs the switch to redirect the call to a third party, again controlled by the attacker. On this third party, a conference call is assembled from three subscribers, two of which are real (caller A and callee B), and the third is introduced by an unauthorized attacker and can listen and record the conversation.

The scheme is quite working. Experts say that when the SS7 signaling network was developed, it did not include mechanisms to protect against such attacks. The implication was that this system was already closed and protected from outside connections, but in practice, an attacker could find a way to join this signaling network.

You can connect to the SS7 network in any country in the world, for example, in a poor African country, and you will have access to switches of all operators in Russia, the USA, Europe and other countries. This method allows listening to any subscriber in the world, even on the other side of the world. Interception of incoming SMS from any subscriber is also carried out as elementary as the transfer of balance via USSD request (for more details, see the speech of Sergey Puzankov and Dmitry Kurbatov at the PHDays IV hacker conference).

4. Connecting to the cable

From the documents of Edward Snowden it became known that the special services not only "officially" wiretap phones through communication switches, but also connect directly to fiber, recording all traffic in its entirety. This allows wiretapping of foreign operators who do not allow the official installation of wiretapping equipment on their PBXs.

This is probably a fairly rare practice for international espionage. Since PBX in Russia already has listening equipment everywhere, there is no particular need to connect to fiber. Perhaps this method makes sense to use only to intercept and record traffic in local networks at local PBXs. For example, to record internal conversations in a company, if they are carried out within a local PBX or via VoIP.

5. Installing a spyware trojan

At the everyday level, the easiest way to listen to a user's conversations on a mobile phone, Skype and other programs is to simply install a Trojan on his smartphone. This method is available to everyone; it does not require the powers of state special services or a court decision.

Abroad, law enforcement agencies often buy special Trojans that use unknown 0day vulnerabilities in Android and iOS to install programs. Such Trojans, commissioned by law enforcement agencies, are being developed by companies like the Gamma Group (the FinFisher Trojan).

It makes little sense for Russian law enforcement agencies to install Trojans, unless they need the ability to activate the smartphone's microphone and record, even if the user is not talking on a mobile phone. In other cases, SORM copes well with wiretapping. Therefore, the Russian special services are not very active in introducing Trojans. But for unofficial use, it is a favorite hacking tool.

Wives spy on their husbands, businessmen study the activities of competitors. In Russia, Trojan software is widely used for wiretapping by private clients.

The Trojan is installed on a smartphone in various ways: through a fake software update, through an email with a fake application, through a vulnerability in Android, or in popular software such as iTunes.

New vulnerabilities in programs are found literally every day, and then very slowly they are closed. For example, the FinFisher Trojan was installed through a vulnerability in iTunes that Apple did not close from 2008 to 2011. Through this hole, any software on behalf of Apple could be installed on the victim's computer.

Perhaps such a Trojan is already installed on your smartphone. Don't you think that your smartphone battery has been discharging a little faster than expected lately?

6. Application update

Instead of installing a special spyware Trojan, an attacker can do even smarter: choose an application that you yourself voluntarily install on your smartphone, and then give him all the authority to access phone calls, record conversations, and transfer data to a remote server.

For example, it can be a popular game that is distributed through the "left" catalogs of mobile applications. At first glance, this is an ordinary game, but with the function of wiretapping and recording conversations. Very comfortably. The user with his own hands allows the program to go online, where it sends files with recorded conversations.

Alternatively, malicious application functionality can be added as an update.

7. Fake base station


The fake base station has a stronger signal than the real BS. Due to this, it intercepts the traffic of subscribers and allows you to manipulate data on the phone. It is known that fake base stations are widely used by law enforcement agencies abroad.

In the United States, a fake BS model called StingRay is popular.


And not only law enforcement agencies use such devices. For example, merchants in China often use fake BSs to send mass spam to mobile phones within a radius of hundreds of meters. In general, in China, the production of "fake honeycombs" is put on stream, so in local stores it is not a problem to find a similar device, assembled literally on the knee.

8. Hacking femtocell

Recently, some companies have been using femtocells - low-power miniature cellular stations that intercept traffic from mobile phones in range. Such a femtocell allows you to record calls from all employees of the company before redirecting calls to the base station of cellular operators.

Accordingly, to wiretap a subscriber, you need to install your own femtocell or hack the operator's original femtocell.

9. Mobile complex for remote wiretapping

In this case, the radio antenna is installed not far from the subscriber (works at a distance of up to 500 meters). A directional antenna connected to a computer intercepts all the phone signals, and at the end of the work it is simply taken away.

Unlike a fake femtocell or a Trojan, here the attacker does not need to worry about breaking into the place and installing the femtocell, and then removing it (or removing the Trojan without leaving any traces of hacking).

The capabilities of modern PCs are enough to record a GSM signal on a large number of frequencies, and then break the encryption using rainbow tables (here is a description of the technique from a well-known specialist in this field Karsten Noll).

If you voluntarily carry a universal bug with you, you automatically collect an extensive dossier on yourself. The only question is who will need this dossier. But if necessary, he can get it without much difficulty.