Another Report Highlights How Wireless SS7 Flaw Is Putting Everyone's Privacy At Risk

from the we'll-get-around-to-it dept

Last year, hackers and security researchers highlighted long-standing vulnerabilities in Signaling System 7 (SS7, or Common Channel Signalling System 7 in the US), a series of protocols first built in 1975 to help connect phone carriers around the world. While the problem isn’t new, a 2016 60 minutes report brought wider attention to the fact that the flaw can allow a hacker to track user location, dodge encryption, and even record private conversations. All while the intrusion looks like like ordinary carrier to carrier chatter among a sea of other, “privileged peering relationships.”

Telecom lobbyists have routinely tried to downplay the flaw after carriers have failed to do enough to stop hackers from exploiting it. In Canada for example, the CBC recently noted how Bell and Rogers weren’t even willing to talk about the flaw after the news outlet published an investigation showing how, using only the number of his mobile phone, it was possible to intercept the calls and movements of Quebec NDP MP Matthew Dub?.

Again the flaw isn’t new; a group of German hackers revealed the vulnerability in 2008 and again in 2014. It’s believed that the intelligence community has known about the vulnerability even earlier, and the hackers note that only modest headway has been made since German hacker Karsten Nohl first demonstrated it. But the flaw has gained renewed attention in recent weeks after Senator Ron Wyden sent a letter to the FCC (pdf) complaining that the agency isn’t doing enough (read: anything) to address it:

“One year ago I urged you to address serious cybersecurity vulnerabilities in U.S. telephone networks. To date, your Federal Communications Commission has done nothing but sit on its hands, leaving every American with a mobile phone at risk.”

Apparently, shoring up national security wasn’t as big of a priority as gutting net neutrality or eliminating consumer privacy protections at Comcast and AT&T’s behest. Wireless carriers have been downplaying the flaw, in part because of the cost of fixing it. But they also worry it will be used to justify more meaningful privacy protections here in the States. When the DHS published a 125 page report (pdf) detailing the scope of the problem, lobbyists for the industry called the problem “theoretical,” and the report “unhelpful,” calling the report’s advocacy for regulatory and legislative solutions “alarming.”

And while carriers have implemented some security standards to address the SS7 probem, at its core SS7 lacks a mechanism to ensure that carriers sending data requests are who they claim to be. And while some of the firewall solutions carriers have adopted can protect some of their own consumers, these fixes don’t extend to users who may be roaming on their networks. By and large, a large chunk of the problem is that these companies don’t want to spend the necessary time and money to engineer a real solution, especially if their intelligence partners are benefiting from it.

In a follow up report over at the Washington Post, the paper notes how the flaw at this point is far from theoretical, and is routinely exploited en masse by numerous intelligence agencies (including the United States):

“Wyden said the risks posed by SS7 surveillance go beyond privacy to affect national security. American, Chinese, Israeli and Russian intelligence agencies are the most active users of SS7 surveillance, experts say, and private-sector vendors have put systems within the reach of dozens of other governments worldwide. Sophisticated criminals and private providers of business intelligence also use the surveillance technology.

Other experts said SS7 surveillance techniques are widely used worldwide, especially in less developed regions where cellular networks are less sophisticated and may not have any protection against tracking and interception. But the experts agreed that Americans are significant targets, especially of rival governments eager to collect intelligence in the United States and other nations where Americans use their cellphones.

And again, that’s a particular problem for a country whose President thinks basic phone security is too much of a hassle. For a country that’s currently spending an ocean of calories trying to blacklist Chinese network vendors under breathless claims of national security, you’d think a massive problem with global privacy and security implications would get a little more attention.

Filed Under: , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Another Report Highlights How Wireless SS7 Flaw Is Putting Everyone's Privacy At Risk”

Subscribe: RSS Leave a comment
Anonymous Coward says:

Re: Re:

Not only is the flaw well known, but the fixes for it are well known as well.

That doesn’t do much when the telcos are straight-up selling your location data, as we saw with LocationSmart a few weeks ago. At this point, any "fix" would be to protect a revenue source rather than customer privacy. This SS7 thing is effectively bypassing their paywall.

Anonymous Coward says:


Firewalls installed by carriers in recent years block many of the malicious queries, but many others are successful in eliciting unauthorized information from cellular carriers worldwide.

Just to be clear about what this is saying: the software is designed to respond to these queries from anyone. Rather than fixing the software, such as by requiring authentication or disabling these queries altogether, they’d be adding another layer of software on top to just block people from making those requests.

Such solutions are problematic for at least two reasons:

  • It means you’re adding one more message parser, which could itself be exploitable. If that system is watching over multiple SS7 endpoints, an exploit there might reveal more data than an exploit of an endpoint.
  • If the parser isn’t exploitable per se, any difference from the endpoint parsers can still be a problem—interesting things happen when the firewall and endpoint disagree on the meaning of a message. (TTLs and fragmentation have been used for this with TCP/IP firewalls.)

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...