Wyden Again Warns That ‘SS7’ Telecom Flaw Lets Foreign Countries Broadly Spy On American Communications
from the everyone-spying-on-everyone,-everywhere,-constantly dept
For many many years, experts have warned about massive longstanding flaws in Signaling System 7 (SS7, or Common Channel Signaling System 7), a series of protocols hackers can exploit to track user location, dodge encryption, and even record private conversations. Governments and various bad actors routinely exploit the flaw to covertly spy on wireless users around the planet without them ever knowing.
It’s extremely bad, and we’ve know about the problem for a long while. 60 Minutes aired a profile on the issue back in 2016. Senator Ron Wyden demanded answers as early as 2017 from mobile phone companies as to why they haven’t done more to thwart the abuse. I’d always lazily assumed we weren’t rushing to fix the problem because it was also being broadly exploited by the U.S. government.
Last year a Cybersecurity and Infrastructure Security Agency (CISA) official broke ranks with the NSA and finally formally acknowledged for the first time that yes, the U.S. has exploited flaws in SS7 for years, going so far as to use it to track and surveil folks within the U.S.
Senator Ron Wyden, ever the champion on consumer privacy issues, this week released more Department Of Homeland Security (DHS) warnings that China, Russia, Iran, and Israel are also happily exploiting the flaw to spy on people inside the United States. The information came in a response to Wyden’s ongoing inquiries by the Department of Defense (DoD):
“Karsten Nohl, founder and chief scientist of cybersecurity company Security Research Labs and who has extensively researched SS7, told 404 Media in an email that “We definitely observe geopolitical adversaries abusing SS7 weaknesses with impunity.”
Security Research Labs founder Karsten Nohl tells 404 Media that the amount of time people have spent talking about the SS7 flaw consistently exceeds the amount of time folks have actually put toward trying to fix it:
“It’s amazing that we are still talking about SS7. Solving these issues takes a focused multi-months project at each telco to configure a signalling firewall. It’s not a trivial undertaking; and yet is dwarfed by the amount of time people talk about SS7 security rather than fixing the issues already.” He said that while some countries are sending hundreds of pings per target each day, and that many of those malicious requests will be blocked by SS7 firewalls, it’s “safe to assume that other state actors and criminals are leveraging SS7 for a similar information gain without creating this unnecessary noise.”
Which is to say the problem is worse than what’s already known. And we’ve known it’s been really really bad for decades. We have the money to address it, so the question becomes, why haven’t we?
I can remember reading about this flaw back in the early 2000s. Public officials drove more attention toward the TikTok moral panic than they did toward fixing a massive security hole in our comms networks.
Our failure to hold telecom companies and executives accountable for being lazy cheapskates also continues to bite us on the ass. Telecoms and free market libertarian types insisted for years that gutting corporate oversight of telecoms would result in Utopian outcomes; here’s another arena where those deregulatory voices are suddenly nowhere to be found when the real world check for their ideology comes due.
It hasn’t been a banner year for telecom security in the wake of the Salt Typhoon hack (which the Wyden team is also raising a ruckus about), but the ongoing incompetence to tackle this SS7 flaw long ago tread well beyond embarrassment.
Filed Under: dhs, dod, privacy, ron wyden, security, ss7, telecom, wireless
Comments on “Wyden Again Warns That ‘SS7’ Telecom Flaw Lets Foreign Countries Broadly Spy On American Communications”
It’s when things go tough that we know on whom we can count.
And this may not be the best example to prove that we can count on telcos security, again.
A common refrain
I often spend more time at my job explaining why we need to do something than it would take for us to actually do it.
And we always end up having to do it anyways.
This comment has been flagged by the community. Click here to show it.
…. NO specific actionable solution is is even offered here or elsewhere, just decades of general hand wringing and vague finger pointing.
the root SS7 ‘Problem’ has thus never been identified — solving a big, poorly defined problem is naturally very difficult
Re:
None of this is true. Right from the article:
“Solving these issues takes a focused multi-months project at each telco to configure a signalling firewall.”
The root cause of the flaw is well documented, and the solution is straightforward if not easy.
This comment has been flagged by the community. Click here to show it.
Re: Re:
that quoted phrase is merely a general, non-specific ‘approach’
need much more detail on Who What Where How
Focus ain’t a specific solution.
Re: Re: Re:
Just another dented can finds its way into the too hard bag.
Re: Re: Re:
If you were a telecommunications security expert, you would already know things. If you are a telecommunications or security expert, you have better resources than a random blog to learn more about the flaws in SS7 (which are also present in the Diameter protocol that was adopted to replace it).
The details are dry and dense. Once I get past generalized info, I can’t summarize the issue without a better understanding of our common knowlege. So here is a 28 page paper from the EU in 2018 on the foundational flaws and the types of data capture that is ongoing to this day.
Re: Re: Re:
Why would you think you would find that information here?
SS7 = Weather
SS7 is like the weather. Everybody talks about it, but nobody does anything about it.
But TikTok!
Re:
I think you meant “But, but, think of the children”. That’s the only refrain that will garner any public traction, and without that public awareness, lawmakers won’t pay any attention either.
It’s all about face time and sound bites. Anything else is just a harassment of electrons.^
^ Paraphrased from Frank Zappa’s quote about composers.
FTFY
“… ‘SS7’ Telecom Flaw Lets US INtelligence Broadly Spy On American Communications “
Re:
While true, Wyden’s warnings appear targeted at congress critters who are all in a lather about foreign adversaries tapping our communications, and those that vote for them. As such, there doesn’t appear to be anything to fix. As much as I assume Wyden’s previously expressed concern over the US’ domestic surveilance remains intact, his warning here does appear to be about the intercept of communications by foreign powers.
Re: Re:
And my point is that perhaps it remains in place because it is exploited by US intelligence, even though dealing with it could help remove foreign spying.
Can someone just get the data from Lindsey Grahams phone already?
If someone walked up to members of Congress and could hand them even a single page of what they could gather, this would suddenly be a problem & get fixed.
We shouldn’t have to accept crap security because it might make it harder for our own government to spy on us.
With the Okwin games download , you can enjoy exciting gameplay and earn real money at the same time. Just predict the next color, and if your guess is correct, you’ll win rewards and cash!