Update: This article has been updated to include comment from Sprint.
Despite spies exploiting a major hole in the mobile-data backbones for years, questions remain about what exactly major telecommunications companies, including AT&T, Verizon, and Sprint, have done to keep hackers out of their networks. On Thursday, Sen. Ron Wyden demanded answers from America’s four telecom giants.
The vulnerabilities exist in a network and set of protocols called SS7. By attacking the network, governments, for-profit surveillance companies, or financially motivated criminals can geo-locate phones around the world, or sometimes intercept text messages and calls, armed with just a target’s phone number.
Wyden sent letters to the CEOs of T-Mobile U.S., Sprint, Verizon, and AT&T. Wyden’s office shared copies of the letters with The Daily Beast.
“As such, the continued existence of these vulnerabilities and the ease with which they can be exploited by hackers and foreign governments poses a serious threat to U.S. national and economic security,” the letters read.
The Oregon Democrat asks the telecoms whether they have retained any outside security experts to conduct SS7-focused penetration tests of their networks; whether the companies have refused to give the Department of Homeland Security (DHS) permission to conduct their own tests on the telecoms’ network security; and whether they have installed a so-called SS7 firewall that may protect against some SS7 exploitation techniques. Wyden gave the companies a deadline of Oct. 13 to answer his questions.
“I understand that some wireless carriers are further along in the process of implementing protections against SS7 attacks than others. However, information about the progress that each carrier has made, and the extent to which their customers remain vulnerable to SS7 spying is not currently available to the general public, nor even to DHS. This means that the U.S. government and American consumers cannot currently vote with their wallets,” the letters continue.
“If wireless carriers were more transparent about the severity of SS7 vulnerabilities and their progress in defending against such attacks, the market could reward those companies who have the most secure networks. Just as carriers openly compete on the speed and reach of their networks, they should also be competing on cybersecurity,” Wyden adds.
A spokesperson for Sprint told The Daily Beast in an email: “Our relevant teams are already working on responses to his questions and will work directly with his office.” The other telecommunications companies did not respond to a request for comment.
Wyden also sent a letter to Adm. Michael S. Rogers, the director of the National Security Agency, asking him to describe all incidents known to the agency in which foreign governments or criminals have exploited SS7 to monitor employees of U.S. companies or nonprofits; journalists and human-rights activists; and U.S. government workers. Wyden also asked what U.S. Cyber Command has done to protect military personnel from SS7 surveillance.
SS7 is certainly not a new issue, but telcos and the wider industry have arguably ignored it. The telecommunications community has known what risk SS7 attacks pose for nearly two decades, judging by a 1998 document, as The Daily Beast recently reported.
“There is no adequate security in SS7. Mobile operators’ needs [sic] to protect themselves from attack by hackers and inadvertent action that could stop a network or networks operating correctly,” the document reads. A core issue is that SS7 typically does not authenticate where messages came from: Anyone with access to the network can send a message.
Various parts of the U.S. government have published reports on the threats SS7 poses. Earlier this year, the DHS wrote that gaining unauthorized access to the SS7 network “is a risk since there are tens of thousands of entry points worldwide, many of which are controlled by countries or organizations that support terrorism or espionage.” Researchers have also publicly demonstrated how hackers can leverage SS7 since at least 2014.
Despite the recent attention, SS7 is still largely open to attackers. Earlier this year in Europe, cybercriminals used SS7 to intercept text messages of online banking users, and then logged into their accounts. Suspected Russian-backed hackers allegedly deployed SS7 attacks to target politicians in 2014; someone subsequently posted on YouTube an intercepted, and embarrassing, phone call between the then-U.S. ambassador to Ukraine and U.S. Assistant Secretary of State Victoria Nuland, revealing her less-than-favorable opinion of the European Union.
The Daily Beast found around a dozen companies offering SS7 services to law enforcement and intelligence agencies, through a review of the firms’ websites and brochures. Some of these companies appear to be based in Pakistan, Russia, and other countries that may wish to spy on the U.S.