“I don’t think most Americans realize how insecure US telephone networks are. If more consumers knew how easy it is for bad guys to track or hack their mobile phones, they would demand the FCC and wireless companies do something about it. These aren’t just hypotheticals.”
This is from a statement issued last week by Senator Ron Wyden (D-Ore.) after receiving a letter from the Department of Homeland Security warning that “nefarious actors may have exploited” global cellular networks “to target the communications of American citizens.”
“Hackers can exploit SS7 flaws to track Americans, intercept their calls and texts, and hack their phones to steal financial information, know when they are at home or away, and otherwise prey on unsuspecting consumers. Moreover, according to multiple news reports, SS7 spying products are widely available to both criminal and foreign governments.”
Alarmingly, the letter reveals that:
“This threat is not merely hypothetical – malicious attackers are already exploiting SS7 vulnerabilities. One of the major wireless carriers informed my office that it reported an SS7 data breach, in which customer data was accessed, to law enforcement.”
It is not clear if the warning refers to state-sponsored entities acting for political gain or criminal hackers for financial gain. Also undisclosed is who the wireless carrier is, and the extent of the breach.
What is SS7?
Signaling System No. 7 (SS7) is a set of telephony signaling protocols that provide the backbone for all cell phone communication everywhere in the world. It allows phone networks to communicate among themselves in order to connect users and pass messages between networks, ensure correct billing, and to allow users to roam on other networks.
First developed in the 1970s, in technological terms the sprawling SS7 system is ancient. Importantly, no-one at the time thought to build any security measures into it.
It is has been well known to be insecure since at least 2008, and the situation has become worse in recent years. Where once there were only a few mobile networks, there are now literally thousands worldwide. The industry did nothing about this, however, because the risks were thought to be purely theoretical.
This changed in 2014 when vulnerabilities in SS7 allowed hackers to record a rather embarrassing secret unencrypted phone conversation between the US ambassador to Ukraine, Geoffrey Pyatt, and US Assistant Secretary of State, Victoria Nuland, in which Pyatt was highly critical of the EU.
It was nevertheless thought that using encrypted messaging apps such as WhatsApp, Facebook Messenger, Google Hangouts, and Viber, would protect communications.
In 2016, however, a security researcher demonstrated how hackers with access to the SS7 network could spoof users’ identifies and setup fake accounts which would allow them to access messages belonging to users of many messaging apps that rely on phone numbers to authenticate users.
In 2017 O2 Telefónica in Germany confirmed that the SS7 network had been used by criminals to bypass SMS-based two-factor authentication (2FA) in order to steal money from bank accounts.
A time for action?
In his letter to the FCC, Wyden urges the watchdog body to properly address the issue and to compile a list of SS7 breaches known to have occurred over the last five years.
This not the first time that similar calls have been made, however. In 2016, US congressman Ted Lieu (D-Calif.) called for an oversight committee investigation into SS7:
“The applications for this vulnerability are seemingly limitless, from criminals monitoring individual targets to foreign entities conducting economic espionage on American companies to nation states monitoring US government officials. ... The vulnerability has serious ramifications not only for individual privacy, but also for American innovation, competitiveness and national security. Many innovations in digital security – such as multi-factor authentication using text messages – may be rendered useless.”
The investigation was held, but the FCC working group tasked with it comprised mainly of telecoms industry lobbyists and not a single academic expert…
The SS7 is a playground for spies
Initial concerns over SS7 centered over the ease with which mobile users can be tracked by anyone with access to the network. This has shifted, however, to alarm that it can be used to access huge amounts of personal data belonging to just about every mobile phone user in the world.
And as noted earlier, it can even be used to intercept encrypted communications and 2FA security measures.
According to the Washington Post, “American, Chinese, Israeli and Russian intelligence agencies are the most active users of SS7 surveillance.”
Only this month news broke that US police can find the location of any phone in the country in seconds thanks to SS7. Even worse, just days after this revelation came to light it was reported that this information was almost trivially easy for hackers to access.
Furthermore, security companies around the world do thriving business selling SS7 hacking tools to governments, police forces, and criminals. As far as US intelligence agencies are concerned, this has turned SS7 into a double-edged sword. Brian Collins, chief executive of AdaptiveMobile Security, told the Washington Post:
“America is the Number One target, far and away. Everyone wants to know what’s happening in America.”
Despite being a threat to US national security, though, it seems the American government has little appetite for addressing the problem. Why? The answer is very likely that it finds SS7’s mass-surveillance capabilities too big a golden goose to kill off…
Image credit: By sdecoret/Shutterstock.