A Wednesday report in The Washington Post detailed a letter from the Department of Homeland Security (DHS) to Senator Ron Wyden, indicating that the department had received reports that "nefarious actors may have exploited" mobile phone networks "to target the communications of American citizens."
Wyden is now pressing FCC Chairman Ajit Pai for answers about a breach of SS7 reported by an (unidentified) mobile network operator because, as he wrote in the letter, he feels that the FCC "has failed to address this ongoing threat to national security."
Signaling System No. 7—otherwise known as SS7—is a telephone signaling protocol first developed in 1975. Few affordances for security were considered when the protocol was designed, making it a prime target for hackers. At the Chaos Computer Congress 31C3 in 2014, presenters outlined the capabilities of SS7 hacking, noting that it was possible to intercept basically any communication, as well as determine the location of subscriber handsets.
The use of SS7 potentially explains how Securus, a company that provides smartphone tracking tools for US law enforcement, was able to gain access to subscriber information. Reports earlier this month indicated that the company was hacked, after account information, including login user names and MD5-hashed passwords for 2800 subscribers, was leaked. While Securus focused on the law enforcement market, the backend service provider of that company was LocationSmart, according to a ZDNet report.
LocationSmart also had poor security practices, as detailed in a report by veteran security reporter Brian Krebs. The company's website featured a product demo that prompted prospective customers to input the target phone number, as well as a name and email address. Under normal operation, the demo would text the target phone number first to gain consent for tracking, but the underlying API was completely unsecured: anyone could interact with it directly, without authentication, allowing for theoretically unlimited tracking without the target's consent.
The Washington Post report also names an Israeli vendor, Ability, which claimed that their ULIN tracking system is capable of eavesdropping on targets in the United States, though the Post quotes a "person familiar with its operations" as indicating those marketing materials are "for demonstration purposes," and that the software is not used in the US.
With only a minor amount of hand-wringing, Ability can be described as a front—a Forbes report indicates that the company "faces an SEC investigation and investor-led lawsuits in the U.S. and Israel, all asking if Ability presented false or misleading statements about its surveillance arsenal and financials." The report cites SEC filings that ULIN was developed by an "unnamed third-party" in Singapore.
While the Post reports that American, Chinese, Israeli, and Russian intelligence groups are the primary users of SS7 surveillance, these private firms have given the same abilities to smaller governments. However, these commercial products, and the ability to track users in general, are stymied by the adoption of firewalls to prevent abuse of SS7. While some US carriers have deployed these mitigations, deployment is not universal, which leaves the protection rather porous. For example, a given user on Carrier A, which deployed a firewall, would be vulnerable to tracking if roaming on Carrier B.
That said, the risk continues. The Post indicates that the DHS had stated in a report from April 2017 that "SS7 attack types can be used to target key U.S. Federal Government personnel both in the United States and traveling or working overseas."
The revelations about the potential abuse of SS7 also highlight the critical need for enterprises to vet the vendors they work with, especially when it comes to data procurement.
The big takeaways for tech leaders:
- Private companies may be selling access to mobile subscriber information through SS7 abuse.
- SS7 is a telephone signaling protocol developed in 1975. Few affordances for security were considered when the protocol was designed, making it a prime target for hackers.
James Sanders is a Tokyo-based programmer and technology journalist. Since 2013, he has been a regular contributor to TechRepublic and Tech Pro Research.