Major SS7 Vulnerability In Wireless Networks Oddly Gets A Fraction Of The Hysteria Reserved For TikTok
from the you-are-not-serious-people dept
While lawmakers, looking to get on cable TV, spent much of the last few years performatively hyperventilating about TikTok privacy and national security issues, few of those same folks seem quite as bothered by the parade of obvious, nasty vulnerabilities in the nation’s telecom networks.
For example, we still haven’t somehow addressed longstanding flaws in Signaling System 7 (SS7, or Common Channel Signaling System 7), a series of protocols hackers can exploit to track user location, dodge encryption, and even record private conversations. Governments and various bad actors routinely exploit the flaw to covertly spy on wireless users around the planet without them ever knowing.
It’s very bad, and we’ve know about the problem for a long while. 60 Minutes aired a profile on the issue back in 2016. Senator Ron Wyden demanded answers as early as 2017 from mobile phone companies as to why they haven’t done more to thwart the abuse. I’d always lazily assumed we weren’t rushing to fix the problem because it’s currently being broadly exploited by the U.S. government.
Earlier this month a Cybersecurity and Infrastructure Security Agency (CISA) official broke ranks with the NSA and formally acknowledged for the first time that the U.S. has exploited flaws in SS7 for years, going so far as to use it to track and surveil folks within the U.S. 404 Media has an interesting (but paywalled) report that’s worth a read.
Wyden sent another letter to the Biden administration last February, asking why the government seemingly refuses to take the SS7 flaw particularly seriously:
“Surveillance companies and their authoritarian foreign government customers have exploited lax security in U.S. and foreign phone networks for at least a decade to track phones anywhere in the world. Authoritarian governments have abused these tools to track Americans in the United States and journalists and dissidents abroad, threatening U.S. national security, freedom of the press, and international human rights.”
In April the FCC announced it would finally be probing “grave” weaknesses in both SS7 and another similarly flawed protocol, Diameter. But the generally feckless agency will likely be butting heads not just with U.S. intelligence, but the giant telecoms like AT&T tethered to our domestic surveillance systems. So whether this results in any meaningful reform will have to be seen.
What’s amusing is that this is a massive, significant, proven flaw in our communications networks and a proven risk to national security, and yet you’d be hard pressed to see one-one thousandth of the press coverage or political attention relegated to concerns about a single Chinese app.
The TikTok fracas was utterly avoidable for three straight years as a partially Facebook-driven hysteria about the potential security threat of the app utterly consumed American discourse. Yet if you want to learn anything about the SS7 flaw, you’ll see nowhere near the same attention, with most of the coverage (like the 404 piece or this Economist piece from this month) paywalled.
Recall that Republican FCC official Brendan Carr spent much of the last three years going on cable TV news to whine incessantly about the purported privacy and national security threat of an app he doesn’t have regulatory oversight over. Yet do a basic Google search for his name and SS7 and you’ll find the Commissioner far less invested in a problem in a sector he actually regulates.
TikTok isn’t without issues, but I still tend to think the absolute hysteria surrounding TikTok mostly functions as a policy and media distraction from our comically corrupt failure to pass a modern privacy law, regulate data brokers, and protect U.S. consumers from harm.
Between the robocall scourge and major security vulnerabilities, policy incompetence has resulted in us ceding our wireless communications networks to scammers, scumbags, and surveillance hungry bureaucrats. And outside of Ron Wyden, officials that could do something about it spend more time crying about a popular Chinese app peppered with sexy dancing and adorable racoons — than doing their actual jobs.
Filed Under: 5g, cisa, flaw, nsa, phone, privacy, ron wyden, security, ss7, surveillance, telecom
Companies: tiktok
Comments on “Major SS7 Vulnerability In Wireless Networks Oddly Gets A Fraction Of The Hysteria Reserved For TikTok”
The infosec community has been scratching our heads over this for years.
Here’s a decade-old post by Bruce Schneier: https://www.schneier.com/blog/archives/2014/12/ss7_vulnerabili.html
Probably not his first post on the topic, and definitely not the first.
Re:
Indeed we have. As is so often the case, the fundamental and pervasive problems that urgently require attention languish, while the isolated ones make a big splash in the press and quickly gather attention – whether or not that’s merited.
Re: Re:
The article describes why nothing has been done about it.
The US government uses this flaw to track/wiretap people, and evidently couldn’t care less that non-government emps can do the same.
Info stolen? that’s a you problem.
-USA
Re: Re: Re:
That would be nice, but… “This post is for paid members only”
Presumably, they only need that capability outside of the USA. Inside, they can compel the phone companies to provide the data.
Re: Re: Re:2
Or just request it and watch the other corrupt bastards bend over backwards to provide despite there being no warrant in play.
Re: Re: Re:3
They all know what the government to Joseph Nacchio of Qwest, who refused to give up data without a warrant. That’s a form of compulsion.
Re: Re: Re:4
I’m not talking about threats of any kind, but the selling of data to brokers that the ‘authorities’ then buy it from, hence my charge of corruption against Alphabet et al.
Re:
The SS7 protocol was developed in the 1970s, for a telephone network run by a single company. Older than the Simple Mail Transfer Protocol (SMTP) for e-mail, and probably one of the oldest protocols still in common use.
Take a 1970s protocol for land-lines, add a surprise unplanned requirement for federation (the Bell breakup), tack on support for the niche product of car-phones… It’s kind of amazing it didn’t fall apart completely in its 40-year life. Signaling systems 5 and 6 didn’t last a decade combined.
As a bonus, the full standard doesn’t appear to be publically available (officially or on LibGen), which always impedes security research.
Re: Re:
This is the important bit. While a lightly technical history lesson is nice for understanding parts of how we got here, it doesn’t adequately explain why this major, known vulnerability is being ignored.
In reality, we know it’s the incestuous relationship between governments and telecoms that keeps it in place, combined with quarter-to-quarter profit-seeking and the inability to show immediate RoI for security expenditures.
It’s gone unaddressed, because leaving it unaddressed is a good way for the government to sidestep Americans’ privacy rights, and for the wealth gap to continue getting wider.
“… U.S. has exploited flaws in SS7 for years, going so far as to use it to track and surveil folks within the U.S….”
TikTok is a red herring to pull our attention away from the bullshit policies of our government. They want a complete surveillance state. Nothing less will do. Of course, “It’s for the children”…
Re:
Well, TikTok can’t be as directly abused by US “security” agencies other than the usual DPI and bots, so that’s a huge problem.
Its not a flaw
Its a feature.
You were expecting anything else from the USA gov.? they had it in the Hardwire system. Why not the Cell system?
Huawei
..and they were paranoid about Huawai’s equipment. I’m curious if there was a deeper agenda on why they wanted Huawei’s equipment pulled.