Editor’s Note (2/1/19): For years hackers have exploited a vulnerable telecommunications protocol, Signaling System 7 (SS7), in order to intercept text messages and phone calls. Most recently digital bank robbers have used SS7’s weaknesses to foil the protection of two-factor authentication. Our explanation of this protocol, written in 2016, demonstrates what it is and why it is so insecure.
Apple’s ongoing standoff with the government over passcode-protected iPhones is still raising unprecedented alarms over smartphone security and privacy. For example, a 60 Minutes segment this week outlined several ways hackers can hijack phones from anywhere in the world to listen in on private conversations, read e-mails and even use phone cameras to spy on their owners. That hacking method exploited an unsecured, decades-old telecom protocol called Signaling System 7 (SS7) to tap into U.S. Rep. Ted Lieu’s (D–Calif.) mobile phone and listen to his conversations. Lieu gave his permission for the demonstration and now wants the House Committee on Oversight and Government Reform to investigate the problem.
The hack caused such consternation in Congress that a fellow House member appears ready to butt heads with Lieu over the right to call a hearing. Rep. Greg Walden (R–Ore.) claimed the House Energy and Commerce Committee’s Subcommittee on Communications and Technology, which he chairs, has jurisdiction over the matter.
The good news: Although the SS7 system will indeed work for spying on older phones, it is useless against encrypted communications such as Facebook’s WhatsApp, Apple iMessage and phone calls made over 4G (and newer) networks. And the SS7 hack can only poach data in transit—it cannot be used to access data stored on a smartphone. “The ability to exploit SS7’s lack of security has been known for some time,” says Dan Kaufman, founder and chief technology officer of Brooklyn Labs, a software company that builds mobile apps for the iOS and Android operating systems. He says security researchers first described phone hacking via SS7 in late 2014 but Apple’s high-profile battle with the U.S. Department of Justice caused the issue to resurface recently. “Now everyone I know is trying to exploit the iPhone,” Kaufman adds.
Signaling protocols enable different telephone networks to exchange routing, billing, location and other information about a call as well as the actual conversation. When phone networks were first created, all of this information traveled on the same path together. Telecom engineers developed SS7 in the 1970s with separate signaling paths for the call and its associated information. This improved performance and enabled services such as call forwarding, voice mail and call screening.
Engineers upgraded SS7 in subsequent years to accommodate signaling information about mobile phone roaming and text messaging. But they did not build in security measures—such as a firewall or other monitoring device to block unauthorized snoopers—largely because the networks were run by a handful of heavily regulated phone companies that relied mostly on trust to protect their systems, according to Tobias Engel, founder and managing partner of Berlin-based cybersecurity firm sternraute GmbH. Engel pointed out SS7 security flaws at a December 2014 conference hosted by Germany's Chaos Computer Club, a hackers’ association. Calls and texts mostly travel unencrypted over phone lines, making them easy pickings for hackers and law enforcement alike. Also, a mobile network needs to know a caller’s position so it can determine the closest base station, according to Engel, who noted during his presentation that Karsten Nohl, a security researcher featured in the 60 Minutes segment who holds a PhD in computer science from the University of Virginia, was performing similar SS7 research. “In cities the location of the [closest] cell tower gives a pretty good idea of where you are,” Engel said.
Research like that of Engel, Nohl and their colleagues stayed largely under the radar until earlier this year, when Apple touched off an intense smartphone security debate by refusing to help the FBI crack into the locked iPhone 5c used by accused San Bernardino mass shooter Syed Rizwan Farook. Even though SS7’s security flaws still offer law enforcement officials opportunities for snooping—particularly if callers connect over 3G and older networks—it is unlikely that carriers will do much to fix that. “The FBI and other agencies have been intercepting communications this way forever, which is probably why the vulnerability has not been fixed,” Kaufman says. “You have to wonder if it’s set up this way to give law enforcement access.”