
  stolen();
/* This article is taken from Frequency */
/* issue #14. We credit Frequency and   */
/* give them full credit. Written by    */
/* Screamer Chaotix.                    */

=======================================
THE BASICS OF SS7
=======================================

	To my surprise (and horror) few people I've talked with really knew what SS7 was.  I'm certain the more experienced hackers out there know everything I'm about to dictate, but hopefully some of you less informed will get something out of it.
	To begin, SS7 stands for "Switching System 7" and was designed to allow for more features on your telephone line, along with some security precautions.  Features include call return (*69), call back (*66), and of course caller id.  The security precautions should be obvious to anyone who calls him/herself a phone phreak: they come in the form of "out of band signaling," which, simply put, means switching information travels on a different channel than your voice.  This was created to prevent those evil phreaks from controlling the phone switches and routing their calls wherever they like.  To explain this in a bit more depth let me start at the beginning.

The 60's and 70's - Years of the Phreak

	Using a small device called a "Blue Box" a person could generate the tones necessary to control long distance switches, thus allowing them to route their calls through any trunk, and to any operator, they liked.  The mechanics were rather simple, with only the tones being important.  And of course, the most important tone was 2600hz.  With a regular phone you could send 2600hz down the voice channel to make the switch think the line was vacant.  Then using special MF (multi-frequency) tones you could route a call anywhere you liked.  This was exploration in its most exciting electronic form.  A person with a blue box could tour the world from their home phone (not smart) or any nearby payphone (now you're thinking).  The fun wouldn't last forever of course; soon the phreaks would lose their freedom, thanks to public attention and a little thing known as out of band signaling.

	To understand out of band signaling one must first know the types of switches that are out there.  These are known as "points" in the telephone network.  There's the SSP (System Switching Point) which is your local switch.  Next up is the STP (System Transfer Point) which does the actual routing of data.  And finally, there's the SCP (System Control Point), which is essentially a big database full of routing information, caller info, and other goodies that dictate where your call goes.  I'll explain what SS7 has to do with this in a minute, but first let's make a phone call.
	Pick up the phone and dial a number.  First, your local switch (SSP) receives the numbers you've dialed and finds an open voice channel for your call to go through on the trunk.  Once found, the channel becomes reserved for your call.  Next, the switch will send the call request to the SCP (through the STP) where the number you've dialed is decoded and routed back through the STPs to the SSP where your call is going.  This switch gets the information from the SCP as to who is calling, where they're from, whether or not their caller id is being blocked, and who they're calling.  When this is received the switch sends back a reply to the first switch announcing that the call can be completed.  By this time, the other person's phone is ringing, and by the time they pick up, the voice channel is open on the trunk allowing you both to communicate about all sorts of important things.
	It should be noted that this is just the VERY basics of how a call is completed.  It has left out the bits of data that travel through, such as IAMs and TCAPs etc.  For more information, I suggest you have a look at sites like www.howstuffworks.com and search for phone systems.
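Here is a toy model of the call walk-through above, added as an illustration; it is not from the original article and not any switch vendor's code.  The switch names, the message names (CALL_REQUEST, QUERY, SETUP, CAN_COMPLETE), the phone numbers and the caller id flags are made-up sample data, and the IAMs and TCAPs the article mentions are not modeled.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the SCP's database.  The numbers, the home
# switch names and the caller-id blocking flags are all made up.
SCP_DATABASE: Dict[str, dict] = {
    "2125550100": {"home_ssp": "SSP-NYC", "cid_blocked": False},
    "2125550199": {"home_ssp": "SSP-NYC", "cid_blocked": True},
    "4155550123": {"home_ssp": "SSP-SFO", "cid_blocked": False},
}

# One signaling message: (sender, receiver, message type, payload).
Message = Tuple[str, str, str, dict]


@dataclass
class Trunk:
    """A trunk between two SSPs with a fixed number of voice channels."""
    name: str
    channels: int
    reserved: set = field(default_factory=set)

    def reserve(self) -> Optional[int]:
        """Return the lowest free channel and mark it reserved, or None."""
        for ch in range(self.channels):
            if ch not in self.reserved:
                self.reserved.add(ch)
                return ch
        return None

    def release(self, ch: int) -> None:
        self.reserved.discard(ch)


def scp_lookup(called: str, caller: str) -> dict:
    """SCP: decode the dialed digits into a route and decide what the
    terminating switch is allowed to see about the caller."""
    callee = SCP_DATABASE.get(called)
    origin = SCP_DATABASE.get(caller, {"cid_blocked": False})
    if callee is None:
        return {"route": None, "presented_caller": None}
    return {
        "route": callee["home_ssp"],
        "presented_caller": "PRIVATE" if origin["cid_blocked"] else caller,
    }


def place_call(caller: str, called: str, trunk: Trunk,
               trace: List[Message]) -> dict:
    """Walk one call through SSP -> STP -> SCP -> STP -> SSP, appending
    every signaling message to `trace`.  Nothing here ever writes to the
    voice channel; it is only reserved and, on failure, released."""
    orig = SCP_DATABASE[caller]["home_ssp"]

    # 1. The originating SSP reserves a voice channel before signaling.
    channel = trunk.reserve()
    if channel is None:
        return {"completed": False, "reason": "no free channel"}

    # 2. The call request rides the signaling network to the SCP.
    trace.append((orig, "STP", "CALL_REQUEST",
                  {"caller": caller, "called": called}))
    trace.append(("STP", "SCP", "QUERY", {"caller": caller, "called": called}))
    answer = scp_lookup(called, caller)
    trace.append(("SCP", "STP", "RESPONSE", answer))
    if answer["route"] is None:
        trunk.release(channel)          # give the channel back on failure
        return {"completed": False, "reason": "unroutable number"}

    # 3. The STP forwards the setup to the terminating SSP, which learns
    #    only what the SCP decided to reveal (here: caller id or PRIVATE).
    term = answer["route"]
    setup = {"caller": answer["presented_caller"], "called": called,
             "channel": channel}
    trace.append(("STP", term, "SETUP", setup))

    # 4. The terminating SSP rings the line and answers back through the
    #    STP; once that reply arrives the reserved channel carries voice.
    trace.append((term, "STP", "CAN_COMPLETE", {"channel": channel}))
    trace.append(("STP", orig, "CAN_COMPLETE", {"channel": channel}))
    return {"completed": True, "channel": channel,
            "terminating_ssp": term, "callee_sees": setup["caller"]}


if __name__ == "__main__":
    trunk = Trunk("NYC-SFO", channels=2)
    trace: List[Message] = []
    print(place_call("2125550199", "4155550123", trunk, trace))
    for sender, receiver, kind, payload in trace:
        print(f"{sender:>7} -> {receiver:<7} {kind:<13} {payload}")
```

Run it and the trace shows that the only thing that ever happens to the voice channel is a reservation (and a release if the number can't be routed); every decision about where the call goes and what the called party gets to see comes back from the SCP over the signaling side, which is the separation the rest of the article is about.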
	Now that we've made the call, we know how the information goes through.  In the olden days it was much simpler.  Rather than traveling through STPs and gathering information from SCPs, all data traffic went through the same channel as your voice.  The dangers of this were mentioned before, but what's not clear to a lot of people is why we need this complex system when we could just reserve one channel on the trunk for data.
	Finally, we get to SS7.  In its simplest form SS7 could be used as described above, nothing more than a reserved channel on a trunk.  But due to high network traffic and people making more than just local calls, it's impossible to send all this data through a single trunk (a trunk going from California to Amsterdam... picture it).  SS7 alleviates this problem by leaving the voice channels for the trunks, and the data traffic for the STPs (those are the routers, remember) and the SCPs (remember, just a big database of information).  Not only does it clear up traffic (allowing voice traffic to travel at 56-64kbps) it also prevents you, the phone phreak, from being able to send those magical tones down the line.
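To make the in-band versus out-of-band difference concrete, here is a second added toy model, again not from the original article: two versions of a switch, one that takes its supervision from the voice channel the way the pre-SS7 trunks did, and one that only listens to a separate signaling link.  The TONE:2600 string is just a tag standing in for tone detection, and the RELEASE message and the audio frames are constructed; no real message formats are used.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed marker for the supervisory "line is vacant" tone.  A real
# switch would detect a frequency; this model just tags audio frames.
SUPERVISORY_TONE = "TONE:2600"


@dataclass
class TrunkState:
    status: str = "BUSY"      # BUSY while a call is up, IDLE when released
    log: List[str] = field(default_factory=list)


def in_band_switch(audio: List[str], signaling: List[str]) -> TrunkState:
    """Pre-SS7 model: supervision and voice share one channel, so the
    switch decides trunk state by listening to the voice channel.  The
    `signaling` list is ignored because there is no separate channel."""
    trunk = TrunkState()
    for i, frame in enumerate(audio):
        if frame == SUPERVISORY_TONE:
            # Whoever can put audio on the channel can change trunk state.
            trunk.status = "IDLE"
            trunk.log.append(f"frame {i}: trunk idled from voice channel")
    return trunk


def out_of_band_switch(audio: List[str], signaling: List[str]) -> TrunkState:
    """SS7 model: trunk state changes only on messages from the signaling
    link, which the subscriber's handset never touches.  Audio frames are
    carried through without being inspected for control purposes."""
    trunk = TrunkState()
    for i, msg in enumerate(signaling):
        if msg == "RELEASE":
            trunk.status = "IDLE"
            trunk.log.append(f"msg {i}: trunk idled from signaling link")
    return trunk


def tone_frames_on_voice(audio: List[str]) -> List[int]:
    """Monitoring check: indexes of frames where the supervisory tone
    shows up on a voice channel.  Under out-of-band signaling it has no
    effect on the switch, but it is not something speech produces, so a
    carrier would still want it logged."""
    return [i for i, frame in enumerate(audio) if frame == SUPERVISORY_TONE]


# Constructed sample: a caller's speech with the supervisory tone mixed in.
SAMPLE_AUDIO = ["speech", "speech", SUPERVISORY_TONE, "speech"]

if __name__ == "__main__":
    print("in-band:     ", in_band_switch(SAMPLE_AUDIO, []).status)
    print("out-of-band: ", out_of_band_switch(SAMPLE_AUDIO, []).status)
    print("out-of-band + RELEASE from STP:",
          out_of_band_switch(SAMPLE_AUDIO, ["RELEASE"]).status)
    print("tone seen at frames:", tone_frames_on_voice(SAMPLE_AUDIO))
```

The same audio idles the in-band trunk and does nothing to the out-of-band one; the only way the second switch ever releases the trunk is a message on the signaling link, which is exactly the property the article credits with ending the blue box era.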

2001 - Theories and Mindless Ramblings of a Sleep Deprived Phreak

	Above I've given you a brief introduction to switching system 7.  Everything gets easier if you think of it as both hardware and software rolled into one to route data through the phone network without traveling down the same trunk as your voice.  But now onto the more hacker-like possibilities that I've either heard discussed, or contemplated myself.
	"He who controls the spice, controls the universe."  -Frank Herbert's DUNE.  The spice, in this case, is the switches that keep the world connected.  In the days of the 80's (Remember those? Big hair, cool movies and songs, and really bad clothes?) it was possible to scan out phone switches with your home telephone (usually located up above the 9900 suffix).  You knew you had one when you received the high-pitched screech.  Then with your modem (if you weren't using a demon dialer of course) you would call it up, and voila, you were in.  And in some cases, you really were in... no passwords or anything.  And if there was password protection, getting it was only a phone call away.  But that's only if you didn't feel like sitting there for an hour or so with a pencil and paper.  Of course, as with everything else this became harder and harder to find.  In fact, I've only heard of a few people finding switches they could dial into within the past few years... if you've had the pleasure, please share with the rest of us.
	But what if?  Even if they couldn't get into the SSP, what if someone managed to sneak between the STP and SCP and actually sniff the data?  Picture all that private information sitting right on your computer screen.  Sure it's extremely hypothetical, but everything starts with an idea.  You would see the originating number, the destination number, and all of the information that's left up to the SCP to figure out.  Ever wanted to trace the cops before they trace you?  It might be easier than you think, if you had access of course.
	Well there you have it, my brief intro to SS7 and a few possibilities to keep you interested for a while.  I realize this isn't everything there is to know, but we can save that for another time.  Hopefully you've got the basics of SS7 down and are ready to learn more.  I wish you the best of luck.  And ladies, be sure to kiss your local phone phreak.

// -screamer