Dem lawmakers push for FCC to tackle major cellphone security flaw
Rep. Ted Lieu (D-Calif.) and Sen. Ron Wyden (D-Ore.) are calling on the FCC to take "swift action" on a known cellphone security flaw.
“It is clear that industry self-regulation isn’t working when it comes to telecommunications cybersecurity,” Wyden and Lieu wrote in a letter they cosigned, on Tuesday.
At issue is Signaling System 7 (SS7), which allows cellphone networks to communicate with one another - among other purposes, letting cellphones roam from one network to another. In 2014, German security researcher Karsten Nohl determined that there was a bug in SS7 that could allow an attacker to record phone calls, place calls from other accounts, and create other mischief. The relatively obscure phone protocol, though, now has the attention of Congressional lawmakers.
Lieu volunteered to have his phone hacked on an episode of "60 Minutes" in April last year.
Lieu has made multiple requests for the FCC, Department of Homeland Security and House IT to tackle SS7 security, including convincing the FCC to assemble a research report on the subject, finally released last week. Despite Lieu's efforts, though, the security hole has sill not been plugged.
SS7 may be vulnerable, but accessing SS7 systems is difficult - they often reside behind layers of other security measures. For the "60 Minutes" segment, hackers were given access to SS7 by a phone company.
Lieu and Wyden wrote the DHS last month to ask that the agency inform the public of the potential threats of SS7.
In the new letter to the FCC, Lieu and Wyden noted the results of the agency's report, which said the vulnerability was real, and would likely still exist in upcoming 5G networks.
They suggested that the FCC respond in three ways: Informing the public, encouraging the use of encrypted chat apps (which the report suggests might mitigate some of the of surveillance), and forcing cell phone networks to determine more permanent solutions.
"The continued existence of these vulnerabilities - and the industry's lax approach to cybersecurity - does not just harm the liberty of Americans, it also poses a threat to our national and economic security," Lieu and Wyden wrote.