by Karl Bode

Filed Under:
hacking, mobile carriers, privacy, ss7

Another Report Highlights How Wireless SS7 Flaw Is Putting Everyone's Privacy At Risk

from the we'll-get-around-to-it dept

Last year, hackers and security researchers highlighted long-standing vulnerabilities in Signaling System 7 (SS7, or Common Channel Signalling System 7 in the US), a series of protocols first built in 1975 to help connect phone carriers around the world. While the problem isn't new, a 2016 60 Minutes report brought wider attention to the fact that the flaw can allow a hacker to track user location, dodge encryption, and even record private conversations, all while the intrusion looks like ordinary carrier-to-carrier chatter among a sea of other "privileged peering relationships."

Telecom lobbyists have routinely tried to downplay the flaw after carriers have failed to do enough to stop hackers from exploiting it. In Canada, for example, the CBC recently noted how Bell and Rogers weren't even willing to talk about the flaw after the news outlet published an investigation showing how, using only the number of his mobile phone, it was possible to intercept the calls and movements of Quebec NDP MP Matthew Dubé.

Again, the flaw isn't new; a group of German hackers revealed the vulnerability in 2008 and again in 2014. It's believed that the intelligence community has known about the vulnerability even longer, and the hackers note that only modest headway has been made since German hacker Karsten Nohl first demonstrated it. But the flaw has gained renewed attention in recent weeks after Senator Ron Wyden sent a letter to the FCC (pdf) complaining that the agency isn't doing enough (read: anything) to address it:

"One year ago I urged you to address serious cybersecurity vulnerabilities in U.S. telephone networks. To date, your Federal Communications Commission has done nothing but sit on its hands, leaving every American with a mobile phone at risk."

Apparently, shoring up national security wasn't as big of a priority as gutting net neutrality or eliminating consumer privacy protections at Comcast and AT&T's behest. Wireless carriers have been downplaying the flaw, in part because of the cost of fixing it. But they also worry it will be used to justify more meaningful privacy protections here in the States. When the DHS published a 125-page report (pdf) detailing the scope of the problem, lobbyists for the industry called the problem "theoretical," and the report "unhelpful," calling the report's advocacy for regulatory and legislative solutions "alarming."

And while carriers have implemented some security standards to address the SS7 problem, at its core SS7 lacks a mechanism to ensure that carriers sending data requests are who they claim to be. And while some of the firewall solutions carriers have adopted can protect some of their own consumers, these fixes don't extend to users who may be roaming on their networks. A large part of the problem is that these companies don't want to spend the necessary time and money to engineer a real solution, especially if their intelligence partners are benefiting from the flaw.

In a follow-up report over at the Washington Post, the paper notes how the flaw at this point is far from theoretical, and is routinely exploited en masse by numerous intelligence agencies (including those of the United States):

"Wyden said the risks posed by SS7 surveillance go beyond privacy to affect national security. American, Chinese, Israeli and Russian intelligence agencies are the most active users of SS7 surveillance, experts say, and private-sector vendors have put systems within the reach of dozens of other governments worldwide. Sophisticated criminals and private providers of business intelligence also use the surveillance technology.

Other experts said SS7 surveillance techniques are widely used worldwide, especially in less developed regions where cellular networks are less sophisticated and may not have any protection against tracking and interception. But the experts agreed that Americans are significant targets, especially of rival governments eager to collect intelligence in the United States and other nations where Americans use their cellphones."

And again, that's a particular problem for a country whose President thinks basic phone security is too much of a hassle. For a country that's currently spending an ocean of calories trying to blacklist Chinese network vendors under breathless claims of national security, you'd think a massive problem with global privacy and security implications would get a little more attention.

Reader Comments

  • I.T. Guy, 31 May 2018 @ 12:22pm

    "you'd think a massive problem with global privacy and security implications"

    NSA and the like call that a feature, not a bug.

  • Anonymous Coward, 31 May 2018 @ 12:52pm

    Not only is the flaw well known, but the fixes for it are well known as well. Rejecting a few key SS7 messages would limit much of the damage, and there are tools and systems available to deal with all the others.

    • Anonymous Coward, 31 May 2018 @ 1:29pm

      Not only is the flaw well known, but the fixes for it are well known as well.

      That doesn't do much when the telcos are straight-up selling your location data, as we saw with LocationSmart a few weeks ago. At this point, any "fix" would be to protect a revenue source rather than customer privacy. This SS7 thing is effectively bypassing their paywall.

  • Anonymous Coward, 31 May 2018 @ 1:23pm

    Firewalls installed by carriers in recent years block many of the malicious queries, but many others are successful in eliciting unauthorized information from cellular carriers worldwide.

    Just to be clear about what this is saying: the software is designed to respond to these queries from anyone. Rather than fixing the software, such as by requiring authentication or disabling these queries altogether, they'd be adding another layer of software on top to just block people from making those requests.

    Such solutions are problematic for at least two reasons:

    • It means you're adding one more message parser, which could itself be exploitable. If that system is watching over multiple SS7 endpoints, an exploit there might reveal more data than an exploit of an endpoint.
    • If the parser isn't exploitable per se, any difference from the endpoint parsers can still be a problem—interesting things happen when the firewall and endpoint disagree on the meaning of a message. (TTLs and fragmentation have been used for this with TCP/IP firewalls.)

    reply to this | link to this | view in chronology ]
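
The disagreement described in the comment above, as an added example that is not part of the original thread. It uses a toy tag-length-value format constructed here (not the real SS7/MAP encoding; every tag and operation name is hypothetical) to show a lenient filter and a lenient endpoint reading a duplicated field differently, next to a strict filter that fails closed on any message without a single reading.

```python
# Toy tag-length-value message constructed for illustration; NOT the real
# SS7/MAP wire format. Operation names and tags are hypothetical.
TAG_OP, TAG_SUBSCRIBER = 0x01, 0x02
BLOCKED_OPS = {b"LOCATE"}   # operation the filter is meant to reject

class Ambiguous(ValueError):
    """The message has no single unambiguous reading."""

def tlv(tag, value):
    return bytes([tag, len(value)]) + value

def tlv_fields(msg):
    """Yield (tag, value) pairs, stopping quietly at a truncated field."""
    i = 0
    while i + 2 <= len(msg):
        tag, length = msg[i], msg[i + 1]
        value = msg[i + 2:i + 2 + length]
        if len(value) < length:
            return
        yield tag, value
        i += 2 + length

def firewall_op(msg):   # lenient filter: first operation field wins
    return next((v for t, v in tlv_fields(msg) if t == TAG_OP), None)

def endpoint_op(msg):   # lenient endpoint: last operation field wins
    return ([v for t, v in tlv_fields(msg) if t == TAG_OP] or [None])[-1]

def strict_op(msg):
    """Return the operation only if the message has exactly one reading."""
    seen, consumed = {}, 0
    for tag, value in tlv_fields(msg):
        if tag in seen:
            raise Ambiguous(f"duplicate tag {tag:#04x}")
        seen[tag] = value
        consumed += 2 + len(value)
    if consumed != len(msg) or TAG_OP not in seen:
        raise Ambiguous("trailing bytes, truncated field or no operation")
    return seen[TAG_OP]

def filter_allows(msg, strict):
    try:
        op = strict_op(msg) if strict else firewall_op(msg)
    except Ambiguous:
        return False        # fail closed on anything ambiguous
    return op is not None and op not in BLOCKED_OPS

# Constructed samples: SAMPLE carries two operation fields.
CLEAN = tlv(TAG_OP, b"PING") + tlv(TAG_SUBSCRIBER, b"0001")
SAMPLE = CLEAN + tlv(TAG_OP, b"LOCATE")
```

The strict filter does not try to guess which reading the endpoint will choose; it rejects anything a second parser could interpret differently, which is the property the layered design otherwise lacks.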

  • Tonkinite, 1 Jun 2018 @ 5:44am

    Could there be a surveillance reason for not fixing this?

    Anyone know if this could be related to Stingray use? Or something similar? That would certainly explain why the governments of the world are in no rush to fix this...

    • Anonymous Coward, 1 Jun 2018 @ 7:01am

      Re: Could there be a surveillance reason for not fixing this?

      Karl quoted the part saying intelligence agencies are major users. This isn't really related to Stingrays; it's much simpler to do (no hardware needed).

  • ECA, 1 Jun 2018 @ 2:04pm

    Anyone think our National sec. agency hasn't known about this..???
