For many many years, experts have warned about massive longstanding flaws in Signaling System 7 (SS7, or Common Channel Signaling System 7), a series of protocols hackers can exploit to track user location, dodge encryption, and even record private conversations. Governments and various bad actors routinely exploit the flaw to covertly spy on wireless users around the planet without them ever knowing.
It's extremely bad, and we've know about the problem for a long while. 60 Minutes aired a profile on the issue back in 2016. Senator Ron Wyden demanded answers as early as 2017 from mobile phone companies as to why they haven't done more to thwart the abuse. I'd always lazily assumed we weren't rushing to fix the problem because it was also being broadly exploited by the U.S. government.
Last year a Cybersecurity and Infrastructure Security Agency (CISA) official broke ranks with the NSA and finally formally acknowledged for the first time that yes, the U.S. has exploited flaws in SS7 for years, going so far as to use it to track and surveil folks within the U.S.
Senator Ron Wyden, ever the champion on consumer privacy issues, this week released more Department Of Homeland Security (DHS) warnings that China, Russia, Iran, and Israel are also happily exploiting the flaw to spy on people inside the United States. The information came in a response to Wyden's ongoing inquiries by the Department of Defense (DoD):
"Karsten Nohl, founder and chief scientist of cybersecurity company Security Research Labs and who has extensively researched SS7, told 404 Media in an email that "We definitely observe geopolitical adversaries abusing SS7 weaknesses with impunity."
Security Research Labs founder Karsten Nohl tells 404 Media that the amount of time people have spent talking about the SS7 flaw consistently exceeds the amount of time folks have actually put toward trying to fix it:
"It's amazing that we are still talking about SS7. Solving these issues takes a focused multi-months project at each telco to configure a signalling firewall. It's not a trivial undertaking; and yet is dwarfed by the amount of time people talk about SS7 security rather than fixing the issues already." He said that while some countries are sending hundreds of pings per target each day, and that many of those malicious requests will be blocked by SS7 firewalls, it's "safe to assume that other state actors and criminals are leveraging SS7 for a similar information gain without creating this unnecessary noise."
Which is to say the problem is worse than what's already known. And we've known it's been really really bad for decades. We have the money to address it, so the question becomes, why haven't we?
I can remember reading about this flaw back in the early 2000s. Public officials drove more attention toward the TikTok moral panic than they did toward fixing a massive security hole in our comms networks.
Our failure to hold telecom companies and executives accountable for being lazy cheapskates also continues to bite us on the ass. Telecoms and free market libertarian types insisted for years that gutting corporate oversight of telecoms would result in Utopian outcomes; here's another arena where those deregulatory voices are suddenly nowhere to be found when the real world check for their ideology comes due.
It hasn't been a banner year for telecom security in the wake of the Salt Typhoon hack (which the Wyden team is also raising a ruckus about), but the ongoing incompetence to tackle this SS7 flaw long ago tread well beyond embarrassment.