We Saw It Coming

Telecoms Knew About Spying Loophole for Decades, Did Nothing

Issues with the SS7 network only really entered the public consciousness a few years ago. But the telecom community has known about the issues for a lot longer.

Spies and hackers are actively exploiting a backbone of how mobile phones communicate—and telecoms have known about it for 19 years.

By targeting a network and set of related protocol known as SS7, for-profit surveillance companies and financially motivated criminals can track phones across the planet, or intercept calls and text messages.

In recent years, security researchers and the media have highlighted these problems, with one news outlet even eavesdropping on the calls of Congressman Ted Lieu to demonstrate the vulnerabilities. Despite high-profile coverage, generally the problems in SS7 persist.

But at least some members of the telecom community have known about the serious security issues in SS7 for nearly two decades, according to a document reviewed by The Daily Beast. The news highlights the snail’s pace at which the industry has addressed glaring holes in the world’s mobile infrastructure, leaving U.S. citizens and others around the world open to spying.

“There is no adequate security in SS7. Mobile operators’ needs [sic] to protect themselves from attack by hackers and inadvertent action that could stop a network or networks operating correctly,” a recently unearthed, 1998 document from the European Telecommunications Standards Institute (ETSI) reads.

ETSI is a nonprofit organization that today has over 800 members from the telecom industry, including giants such as T-Mobile, Vodafone, and Orange. ETSI developed versions of SS7 for the European market, organization spokesperson Claire Boyer told The Daily Beast. The document itself is a report from a meeting of ETSI’s “Special Mobile Group.”

The 1998 document adds that “the problem with the current SS7 system is that messages can be altered and injected into the global SS7 networks in an un-controlled manner.”

Not all that much has changed since. The main issue with the SS7 network is that it typically doesn’t properly check whether a message is coming from a legitimate telecom trying to route communications to its customers, or from a surveillance company leveraging SS7 to geolocate phones. Hackers have also exploited SS7 to break into European bank accounts.

The 1998 document also shows ETSI, and presumably other telecom community members who read the report, knew of the specific risks SS7 flaws could lead to. Another page of the document explicitly mentions “intercept” and “location” as potential attacks on users.

To be clear, ETSI is not the sole reason for the vulnerability—another page says ETSI decided to continue to work on SS7 security—but it does highlight that these fundamental flaws largely remain exposed nearly two decades later. A 1998 paper from the National Research Council also mentioned SS7 issues.

“Security of SS7 is no longer simply a question of standardization. Network operators can deploy security measures such as firewalls to protect their networks and their customers, and SS7 security products and services exist on the market to meet these needs,” Boyer, the ETSI spokesperson, continued.

As the industry around using SS7 to spy across borders has grown, so has a parallel, for-profit business focused on protecting networks and customers from such attacks. While researching firms that sell SS7 geolocation and interception services, The Daily Beast also found several offering countermeasures, too.

Get The Beast In Your Inbox!

Daily Digest

Start and finish your day with the top stories from The Daily Beast.

Cheat Sheet

A speedy, smart summary of all the news you need to know (and nothing you don't).

By clicking “Subscribe,” you agree to have read the Terms of Use and Privacy Policy
Thank You!
You are now subscribed to the Daily Digest and Cheat Sheet. We will not share your email with anyone for any reason.

Telecoms, it seems, have only paid more attention to SS7 security in recent years. Cathal McDaid, chief intelligence officer at cybersecurity firm AdaptiveMobile and who has researched SS7 extensively, told The Daily Beast it took documented evidence of real-life events for telecoms to act.

McDaid pointed to suspected Russian-backed attacks on a Ukrainian network; details of commercial, worldwide tracking systems for sale; and demonstrations of researchers’ work on SS7 attack methods.

“From our experience—like many other potential cybersecurity risks—it unfortunately takes concrete examples to get the industry to recognize the true risk and change,” McDaid said in an email.

McDaid added that rather than focusing on what should have been done in the past two decades, “the key now is to focus on a mind-set change.”

“The mobile operator [should] invest fully in advanced, intelligence-led security solutions to secure their signaling network, and this time to cover all eventualities, both current and future.”

Sen. Ron Wyden, who has repeatedly tried to get the U.S. government to pay more attention to SS7’s issues, told The Daily Beast in a statement that the industry “failed to heed experts’ warnings and secure their networks.”

“As a result, today companies openly sell surveillance services that use these same vulnerabilities, enabling foreign governments, hackers, and others who intend harm, to track and spy on innocent people around the world,” Wyden wrote.

Last week, the Federal Communications Commission encouraged telecoms to deploy security measures to protect against SS7 attacks.

“The FCC says it won’t force wireless carriers to fix these weaknesses, instead arguing that voluntary measures will be sufficient,” Wyden added. “I disagree—self-regulation has clearly failed. The FCC needs to force carriers to secure their networks and protect America’s critical communications infrastructure.”