A Major Wireless Network Flaw Is Still Being Exploited To Track User Locations

from the fix-your-shit dept

In 2017, hackers and security researchers highlighted long-standing vulnerabilities in Signaling System 7 (SS7, or Common Channel Signalling System 7 in the US), a series of protocols first built in 1975 to help connect phone carriers around the world. While the problem isn't new, a 2016 60 Minutes report brought wider attention to the fact that the flaw can allow a hacker to track user location, dodge encryption, and even record private conversations. All while the intrusion looks like ordinary carrier to carrier chatter among a sea of other, "privileged peering relationships."

Telecom carriers and lobbyists have routinely downplayed the flaw and their multi-year failure to do much about it. In 2018, the CBC noted how Canadian wireless providers Bell and Rogers weren't even willing to talk about the flaw after the news outlet published an investigation showing how (using only a mobile phone number) it was possible to intercept the calls and movements of Quebec NDP MP Matthew Dubé.

Now there's yet another wake up call: a new report from the Guardian indicates that Rayzone, an Israeli corporate spy agency that provides its government clients with “geolocation tools," has been exploiting the flaw for some time to provide clients access to user location information and, potentially, the contents of communications. Apparently, the company first leased an access point in the network of Sure Guernsey, a mobile operator in the Channel Islands. From there, it appears to have exploited the SS7 flaw to track users in numerous additional countries:

"Industry sources with access to sensitive communications data say there is recent evidence of a steady stream of apparently suspicious signaling messages directed via the Channel Islands to phone networks worldwide, with hundreds of messages routed via Sure Guernsey and another operator, Jersey Airtel, to phone networks in North America, Europe and Africa in August."

Of course, as with other past reveals of this type (like when Saudi Arabia was also found to be doing something similar to track targets inside the U.S.), the companies involved either insist they know nothing about such exploitation, or that they're vaguely aware of it, and have done everything possible to prohibit it from happening. Though one reason many telcos may not have been particularly keen on cracking down on the practice is that numerous western governments very likely exploit the SS7 flaw as well.

Senator Ron Wyden demanded answers as early as 2017 from mobile phone companies as to why they haven't done more to thwart the practice, and, last I checked, is still awaiting a response. For smaller carriers it can also be expensive and complicated to remedy the problem, which makes them even easier targets for exploitation. Experts say the U.S. FCC, as you might expect, hasn't done much of anything to coordinate a response to the threat:

Instead, as the SolarWinds supply chain hack illustrates, America under Trump spent countless calories hyperventilating over nonsense like TikTok instead of focusing on the vast number of very real cybersecurity threats that actually pose a risk to international consumer, government, and business privacy.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: geolocation, location data, privacy, ss7, surveillance


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 23 Dec 2020 @ 4:48pm

    well why even be concerned about serious, legitimate, long-term issues when you can have a moral panic-of-the-week over made-up nonsense? it simply defies - wait, no, not reason... what's that other thing?

    reply to this | link to this | view in chronology ]

    • icon
      Anonymous Monkey (profile), 26 Dec 2020 @ 2:36pm

      Re:

      if you're looking for "logic" ... it's been shoved in the Fridge.

      reply to this | link to this | view in chronology ]

    • icon
      Tanner Andrews (profile), 26 Dec 2020 @ 11:37pm

      Re: [serious, legitimate, long-term issues]

      The first reason is mentioned in the article, the utility of the flaw to U.S. government spooks. Probably also to other five-eyes spooks as well.

      The other reason is more compelling. It would cost money, which would initially have to be paid by friends of the present administration, to fix things. Whereas it costs nothing and may even be profitable to fulminate over tik-tok.

      reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Special Affiliate Offer

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.