Skip to main content

Daily Beast: Telecoms Knew About Spying Loophole for Decades, Did Nothing

September 1, 2017

Spies and hackers are actively exploiting a backbone of how mobile phones communicate—and telecoms have known about it for 19 years.

By targeting a network and set of related protocol known as SS7, for-profit surveillance companies and financially motivated criminals can track phones across the planet, or intercept calls and text messages.

In recent years, security researchers and the media have highlighted these problems, with one news outlet even eavesdropping on the calls of Congressman Ted Lieu to demonstrate the vulnerabilities. Despite high-profile coverage, generally the problems in SS7 persist.

But at least some members of the telecom community have known about the serious security issues in SS7 for nearly two decades, according to a document reviewed by The Daily Beast. The news highlights the snail's pace at which the industry has addressed glaring holes in the world's mobile infrastructure, leaving U.S. citizens and others around the world open to spying.

"There is no adequate security in SS7. Mobile operators' needs to protect themselves from attack by hackers and inadvertent action that could stop a network or networks operating correctly," a recently unearthed, 1998 document from the European Telecommunications Standards Institute (ETSI) reads.

ETSI is a nonprofit organization which today has over 800 members from the telecom industry, including giants such as T-Mobile, Vodafone, and Orange. ETSI developed versions of SS7 for the European market, organization spokesperson Claire Boyer told The Daily Beast. The document itself is a report from a meeting of ETSI's "Special Mobile Group."

The 1998 document adds that "the problem with the current SS7 system is that messages can be altered and injected into the global SS7 networks in an un-controlled manner."

Not all that much has changed since. The main issue with the SS7 network is that it typically doesn't properly check whether a message is coming from a legitimate telecom trying to route communications to its customers, or from a surveillance company leveraging SS7 to geolocate phones. Hackers have also exploited SS7 to break into European bank accounts.

The 1998 document also shows ETSI, and presumably other telecom community members who read the report, knew of the specific risks SS7 flaws could lead to. Another page of the document explicitly mentions "intercept"and "location" as potential attacks on users.

To be clear, ETSI is not the sole reason for the vulnerability—another page says ETSI decided to continue to work on SS7 security—but it does highlight that these fundamental flaws largely remain exposed nearly two decades later. A 1998 paper from the National Research Council also mentioned SS7 issues.

"Security of SS7 is no longer simply a question of standardisation. Network operators can deploy security measures such as firewalls to protect their networks and their customers, and SS7 security products and services exist on the market to meet these needs," Boyer, the ETSI spokesperson, continued.

As the industry around using SS7 to spy across borders has grown, so has a parallel, for-profit business focused on protecting networks and customers from such attacks. While researching firms that sell SS7 geolocation and interception services, The Daily Beast also found several offering countermeasures, too.

Telecoms, it seems, have only paid more attention to SS7 security in recent years. Cathal McDaid, chief intelligence officer at cybersecurity firm AdaptiveMobile and who has researched SS7 extensively, told The Daily Beast it took documented evidence of real-life events for telecoms to act.

McDaid pointed to suspected Russian-backed attacks on a Ukrainian network; details of commercial, worldwide tracking systems for sale; and demonstrations of researchers' work on SS7 attack methods.

"From our experience—like many other potential cyber security risks—it unfortunately takes concrete examples to get the industry to recognise the true risk and change," McDaid said in an email.

McDaid added that rather than focusing on what should have been done in the past two decades, "the key now is to focus on a mindset change."

"The mobile operator (should) invest fully in advanced, intelligence-led security solutions to secure their signaling network, and this time to cover all eventualities, both current and future."

Senator Ron Wyden, who has repeatedly tried to get the U.S. government to pay more attention to SS7's issues, told The Daily Beast in a statement that the industry "failed to heed experts' warnings and secure their networks."

"As a result, today companies openly sell surveillance services that use these same vulnerabilities, enabling foreign governments, hackers and others who intend harm, to track and spy on innocent people around the world," Wyden wrote.

Last week, the Federal Communications Commission encouraged telecoms to deploy security measures to protect against SS7 attacks.

"The FCC says it won't force wireless carriers to fix these weakness, instead arguing that voluntary measures will be sufficient," Wyden added. "I disagree—self-regulation has clearly failed. The FCC needs to force carriers to secure their networks and protect America's critical communications infrastructure."