CLOAK & DAGGER
Here’s Why Anyone Could Hack Your Phone
For years, national security officials have known about a vulnerability in cell networks that leave citizens vulnerable to hackers but stayed silent. Why? They use it too.
In March 2001, a task force set up to determine whether the Defense Department would be able to carry out its mission in the face of a cyber attack delivered its assessment to the Pentagon’s top technology official. Perhaps fearing no one would read the 180-plus page report (PDF), the authors stated their conclusion at the top, bluntly: “[The Defense Department] cannot today defend itself from an Information Operations attack by a sophisticated nation state adversary.”
The report went on to detail the various ways a determined hacker could compromise the security and the operations of the department’s communications systems. There was plenty to bemoan about the sorry state of Defense Department security. But something seemed to worry the researchers even more.
While the Defense Department used some proprietary technology to transmit messages or move and store secret information, it also relied upon the public telecommunications network, which is run by phone companies and provides services to billions of people and to businesses and governments around the world.
As the report explained, in the 1980s the phone companies switched over to a new “system architecture” that fundamentally changed how phone calls are initiated and routed around the world. This was a boon for customers because it made placing a call much easier and faster. The system was reliable. And it was efficient, which meant bigger profits for the phone companies.
This new architecture, however, also introduced new technologies to route all those calls and keep things running smoothly. To make sure the devices worked together properly, the companies needed a kind of rulebook, or a set of “protocols,” as engineers call them. And that rule book was called Signaling System No. 7.
The SS7 network became a vital component of global communications. It ensures that calls can be transferred from one carrier to another. But SS7 also presented a potential security weakness that a foreign government or a hacker could exploit to intercept people’s communications, the report’s authors warned.
In their research, the authors had found a particularly troubling vulnerability that could affect cellular phone users. There were “several points of attack,” they wrote, in the system that companies were using to transmit cell calls. At the time, cell phones weren’t nearly as abundant as they are today, but the researchers understood that mobile communication was the way of the future. By attacking weak points in the SS7 network, an intruder could access the communications of subscribers within a particular cellular network, or potentially launch “wider ranging network attacks” on communications in SS7.
Even if phone companies built new networks for their mobile services to run, they still relied on older land-based equipment to function. (Eventually, cell signals moving through the air connect to equipment that runs in the ground.)
“The key point to note,” the authors wrote, “is that while commercial wireless services may give the appearance of infrastructure independence, they are in truth a vulnerable extension of a vulnerable infrastructure.” The whole interconnected apparatus was weak at the core.
While the Defense Department began taking steps to shore up its own exposure to vulnerable commercial systems, the phone companies didn’t solve all the problems posed by SS7.
The weakness was no secret. Indeed, the defense report wasn’t even the first instance of government researchers sounding an alarm. In 1998, the Committee on Information Systems Trustworthiness, part of the National Research Council, warned of potential malicious attacks via SS7 and said that existing security defenses were “neither adequate nor reliable in the face of the anticipated threat.”
Not only were the defenses weak, but it was also getting much easier for people to physically get access to the system. After the telecommunications industry was deregulated, phone companies were required to allow just about anyone to connect to the SS7 network for a fee, the report’s authors explained. This was intended to spur competition, but it ended up giving a “much larger community” access to SS7, which had originally been designed for use by a “closed community” of experts.
Accidents were bound to happen—and did. In 1997, the report noted, a vendor incorrectly loaded a set of data into an SS7 processor that triggered a 90-minute network outage for AT&T’s toll-free telephone service. The likelihood that someone could cause wider scale disruptions on purpose, say by introducing malicious software into equipment, “has increased dramatically because of the substantially lower threshold now associated with connection into the SS7 system,” the report found.
Officials paid new attention to the threat of a communications blackout in the first days after the 9/11 attacks. Washington scrambled to shore up emergency communications systems, many of which were overwhelmed during the attacks. The possibility that a terrorist group might disable vital communications systems was discussed within the White House, and soon a new homeland security office was put in charge of protecting emergency communications systems.
For the next several years, researchers would document and discuss the problems posed by SS7, the most frightening of which for average cell phone users was that someone could listen in on their calls without their knowledge.
And yet, to this day, the flaws in the system remain. Why?
Engineers and security researchers have understood for years that there’s a big hole in the heart of the global communications system. But from the phone companies’ perspective, SS7 is a feature, not a bug. Without it, the relatively easy task of placing a phone call or sending a text message anywhere in the world would become cumbersome and likely more expensive.
Cell phone use would also become painfully unreliable. As soon as a caller left the coverage area of one company, say while driving down the highway, his call would drop. Without SS7, there would be no hand off from one company’s network to another. That new “system architecture” the phone companies developed in the 1980s—and which the world has come to take for granted—would devolve into a disjointed mess.
For years, doomsday scenarios about spying hackers and massive phone outages were mostly speculative, and that may explain the apparent lack of urgency on the part of phone companies, lawmakers, and presidential administrations to find a solution to the problem.
But then, in 2014, a group of German computer security researchers proved decisively that the threat posed by SS7 was real, and perhaps worse than previously imagined.
The researchers, working independently of one another, had been studying weaknesses in SS7 following a report in The Washington Post that found that dozens of countries’ governments had purchased surveillance technology that used the SS7 network to locate people anywhere in the world, effectively turning their mobile phones into tracking devices. The researchers, Tobias Engel and Karsten Nohl, had verified that SS7 could be used to intercept calls in real time, snatch text messages, locate people, and could even be used to decrypt coded messages, by requesting that a phone carrier release the key needed to unlock a supposedly private communication.
When Engel presented his findings at a conference in Berlin that December, he said that access to SS7 could be purchased from telecom companies for as little as “a few hundred euros a month.” That meant that anyone who knew how to exploit the flaws in SS7 could get access to the system from the very companies that were managing it—and had long been aware of its flaws.
Usually, hackers have to work much harder to catch their prey. Here, the phone companies had done much of the work for them.
Nearly two years have passed since the German researchers proved the relative ease of exploiting SS7. And if anything, it’s gotten easier.
Last Sunday, CBS News’ 60 Minutes profiled Nohl, who claimed that with just a phone number, he had all the information needed to essentially monitor someone 24/7. “Track their whereabouts, know where they go for work, which other people they meet when. You can spy on whom they call and what they say over the phone. And you can read their texts,” Nohl told correspondent Sharyn Alfonsi.
60 Minutes put Nohl to the test, providing him with the phone number of a new iPhone that the program had given to Rep. Ted Lieu, a member of Congress from California. Nohl intercepted a call that Alfonsi made to Lieu from Berlin. She later played it back for the congressman in the U.S.
The realization that he could be spied upon so easily shook Lieu. In an interview this week, he told The Daily Beast that, like a lot of people, “I had this vague sense that nothing I say or write is private. I just had no idea it was this disturbingly easy to listen to a private cell phone conversation in real time... It was really disturbing and creepy.
“I was sort of angry that a lot of people didn’t know about this,” Lieu said The Daily Beast. He worries that a hacker could obtain information about proprietary business matters and use it to place illegal stock trades. Or that foreign companies will monitor their competitors and steal trade secrets. The implications are practically limitless, he said.
This week, Lieu wrote the chairman of the House Committee on Oversight and Government Reform, Rep. Jason Chaffetz, asking him to conduct an investigation into the SS7 vulnerability, which he said threatened “personal privacy, economic competitiveness, and U.S. national security.”
But Lieu’s quest may be quixotic. For starters, there’s no obvious movement within the telecom industry to fix the problem, owing largely to the fact that SS7 is so ingrained in the way people communicate.
The GSMA, an industry group that represents mobile phone operators around the world, is aware of the SS7 flaw and has set up a working group to address it. But it’s one item on a long list of other threats the group is dealing with, including malicious software targeting mobile phones, consumer fraud protection, and the security of the millions of apps now available for people to download onto their phones.
“We have developed security alerts and guidelines highlighting the risks to networks and their customers and have provided these to all GSMA members,” Claire Cranton, a spokesperson for the group, told The Daily Beast. “We have also provided guidance on how to monitor and identify suspicious activity on signalling links and have worked with security solution providers to ensure the necessary protection is available to network operators.”
But those are all steps to mitigate the potential damage from the flaw, not to fix the flaw itself. Today, that responsibility would fall to the many different phone carriers and telecom operators around the world that use SS7. But even if the biggest companies were to make a commitment to addressing the vulnerability, it’s not clear that governments would want them to do so.
Among the numerous secret surveillance programs exposed by Edward Snowden is one called Operation Aurora Gold, run by the National Security Agency. Essentially, it’s a global program to spy on cellular phone communications and to ensure that the NSA is up to speed on the latest developments in the telecom industry, so that the agency always has an understanding of how to exploit phone technology.
To do that, the NSA collects documents, produced by the companies and shared among them, about how their technology works and what new devices and protocols they’re introducing. And among the technologies that the NSA has paid attention to, according to the documents leaked by Snowden, are those that use SS7.
Operation Aurora Gold was collecting information about components of SS7 that handle individual phone subscriber information, which can be used to determine someone’s geographic location based on a cellular signal. The project also tracked an SS7 component used to address messages to specific devices, such as cellular phones, fax machines, or computers.
Another leaked document that purports to show a list of courses taught at the NSA’s National Cryptologic School includes one in SS7 analysis. This suggests that, for an agency full of electronic eavesdroppers, knowing about SS7 is part of basic tradecraft.
And none of this should come as a surprise. Monitoring phone communications is part of the NSA’s core mission. And exploiting commercial technology to spy on people is garden variety espionage. The real shock would be if the NSA were not exploiting the flaw in SS7 to listen to phone calls or read text messages.
It would also be surprising if the NSA, or any other country's intelligence agencies, were especially keen to fix the flaw. If, as the leaked documents suggest, the agency is exploiting SS7 as part of its mission, why would it want to cut off a productive source? The same could be asked of U.S. adversaries, such as China and Russia.
“If our intelligence community knows how to do this, I am absolutely certain that our competitors and foreign governments know,” Lieu said.
At a congressional hearing this week, a top U.S. cybersecurity official told Lieu that he was aware of SS7 and its flaws, and he agreed that they allow, as Lieu put it, “hackers or foreign governments… [to] listen to phone conversations on cell phones, as well as acquire text messages in real time.”
“Do you have a recommendation on how to fix that?” Lieu asked.
“These vulnerabilities were really first publicly highlighted in 2014,” replied Andy Ozment, the assistant secretary for cybersecurity and communications at the Homeland Security Department. That’s the year that the German researchers publicly demonstrated how the flaw, which had been known about for years, could be exploited.
Ozment continued, “I think it's important to note that they are designed vulnerabilities, so essentially, as the system is designed, you cannot fix it per se. What you can do is carriers can monitor their networks for suspicious activity and then block that suspicious activity.”
Ozment didn’t quite say, “The U.S. government wants to keep this problem just as it is.” But by asserting that the flaw was unfixable, and that it was up to phone carriers to try to live with it as best as they can, he left the impression that the U.S. government was in no rush to change the status quo. If it were, it might have acted two years ago when the problem was “first publicly highlighted,” or anytime in the previous decade, when the Pentagon and government researchers were warning that the SS7 vulnerability was potentially dangerous. The lack of action has been telling.
Lieu told The Daily Beast that he would investigate whether the U.S. government exploits the SS7 flaw.
“I don’t know if I’ll get an answer to that,” he said.
Considering that the Defense Department and the intelligence community have known about the SS7 vulnerability for years, they’ve undoubtedly taken steps to protect themselves from prying eyes. Lieu has some advice for U.S. citizens who’d like to do the same: Use encryption.
“I use WhatsApp now. This compelled me to do that,” Lieu said. The popular messaging service announced this month that it now uses end-to-end encryption, meaning that only the parties to a communication can read what’s being sent. Even WhatsApp can’t see what people are texting or sharing. “Your messages, photos, videos, voice messages, documents, and calls are secured from falling into the wrong hands,” the company explains on its website.
Lieu said more people should use apps and services that provide strong encryption if they want to keep themselves safe from anyone who exploits the SS7 flaw. He said his staff are now using encrypted apps and that he has had conversations with other lawmakers about whether they should do the same.
“I told my wife to download WhatsApp,” he said.
Lieu’s suggestion is provocative. Today, the FBI and the Justice Department are locked in a fierce legal and political struggle with Apple over the company’s use of strong encryption and security protocols that officials say are hampering some criminal investigations. FBI Director James Comey has warned that widespread use of strong encryption threatens to put law enforcement in the dark if they can’t decipher messages of criminals and terrorists.
But the SS7 flaw offers a persuasive piece of evidence for technology companies and privacy activists who’ve been on the other side of the encryption battle with the FBI. If hundreds of millions of people really are at risk of having their private conversations intercepted by criminals or spies, why shouldn’t they take steps to guard against that? Wouldn’t they be foolish not to?
Asked if he thought awareness of the SS7 flaw would compel more people to start using encryption in their everyday lives, Lieu said he thought it would. “And that’s a good thing.”