INSUBCONTINENT EXCLUSIVE:
Officials say the government must do more to protect cellphone users by documenting SS7 breaches
Surveillance systems that track the locations of cellphone users and spy on their
calls, texts and data streams are being turned against Americans as they roam the country and the world, say security experts and U.S
officials.Federal officials acknowledged the privacy risk to Americans in a previously undisclosed letter from the Department of Homeland
Ron Wyden, D-Ore., last week, saying they had received reports that "nefarious actors may have exploited" global cellular networks "to
target the communications of American citizens."The letter, dated May 22 and obtained by The Washington Post, described surveillance systems
that tap into a global messaging system that allows cellular customers to move from network to network as they travel
The decades-old messaging system, called SS7, has little security, allowing intelligence agencies and some criminal gangs to spy on
unwitting targets - based on nothing more than their cellphone numbers."I don't think most Americans realize how insecure U.S
telephone networks are," Wyden said in a statement
"If more consumers knew how easy it is for bad guys to track or hack their mobile phones, they would demand the FCC and wireless companies
These aren't just hypotheticals."Wyden also revealed in a separate letter Tuesday that a major American cellular carrier has referred an
"SS7 breach" involving customer data to federal law enforcement officials for investigation
He chastised the Federal Communications Commission in the letter, saying it had "failed to address this ongoing threat to national
security."The FCC declined to comment on the letter, which was addressed to Chairman Ajit Pai.SS7, which stands for Signaling System 7, was
created in the 1970s as a way for telecommunications carriers to exchange information as they routed calls
Over the years, SS7 expanded to serve a sprawling global cellular system that allowed users to move from network to network - within their
own nations and across international borders - without missing calls, losing service or having to make payments to each carrier that routed
a signal to their phones.But as the number of companies with access to SS7 grew from a handful to many thousands, the lack of built-in
security became a growing problem
It was easy for anyone with access to the network to pretend to be a carrier making legitimate requests for information about
customers.Early research of SS7 surveillance focused on its use in tracking user locations through cellphones
But in recent years, a more serious issue has emerged around its ability to intercept calls, texts and data.Researchers say SS7 tracking
systems around the world now create millions of "malicious queries" - meaning messages seeking unauthorized access to user information -
each month.One Israeli surveillance vendor, Ability, said in an online marketing video posted last year that its ULIN interception system
can eavesdrop on cellphone calls on targets in New York or Los Angeles while agents are "sitting at your desk
anywhere in the world." A 2016 brochure for the company depicted phones being tracked in Massachusetts.Ability declined to comment about SS7
interception or where the company conducts surveillance, but a person familiar with its operations, who spoke on the condition of anonymity
to describe private corporate details, said the ULIN system is not used in the United States
The video, this person said, is used "for demonstration purposes."The company says on its website that it has had 50 government clients
around the world and does not have private-sector clients
Public financial documents listed Ability's major areas of operation as Latin America, Asia and Africa, but it does not name nations
Forbes has previously reported on Ability's capabilities and sales, including to a client in Mexico.The company, which has struggled
financially in recent years, according to news reports, has several competitors, including in Israel, in Eastern Europe and in other parts
of the world, say experts in SS7 surveillance.Wyden said the risks posed by SS7 surveillance go beyond privacy to affect national security
American, Chinese, Israeli and Russian intelligence agencies are the most active users of SS7 surveillance, experts say, and private-sector
vendors have put systems within the reach of dozens of other governments worldwide
Sophisticated criminals and private providers of business intelligence also use the surveillance technology."America is the Number One
Everyone wants to know what's happening in America," said Brian Collins, chief executive of AdaptiveMobile Security, a cellular security
"You will always be a target, whether at home or away."Other experts said SS7 surveillance techniques are widely used worldwide, especially
in less developed regions where cellular networks are less sophisticated and may not have any protection against tracking and interception
But the experts agreed that Americans are significant targets, especially of rival governments eager to collect intelligence in the United
States and other nations where Americans use their cellphones.Collins said his firm detected a surge in SS7 queries in U.S
networks in late 2014 that it thinks was related to the Office of Personnel Management hack in which intruders - widely reported to be
Chinese - gained access to the files of millions of federal workers, including in some cases their phone numbers
(Although publicly reported in 2015, the hack began at least a year earlier.)AdaptiveMobile Security also detected an uptick in malicious
SS7 queries this month in the Middle East, in the days after President Trump announced the U.S
withdrawal from the Iran nuclear agreement, Collins said
This surveillance probably was the work of intelligence agencies studying how the U.S
move would affect oil prices and production, Collins said.CTIA, a wireless industry group based in Washington, said carriers have worked to
implement recommendations from federal officials to protect against SS7 surveillance
"The wireless industry is committed to safeguarding consumer security and privacy and collaborates closely with DHS, the FCC and other
stakeholders to combat evolving threats that could impact communications networks," CTIA said in a statement.Firewalls installed by carriers
in recent years block many of the malicious queries, but many others are successful in eliciting unauthorized information from cellular
carriers worldwide."It does happen, and it does happen thousands of times a month," said Karsten Nohl, a telecommunications security expert
with Security Research Labs in Berlin.The most advanced SS7 surveillance systems can monitor the movements of dozens of people for hours at
a time, sending alerts if they get close to select areas or to one another, experts say.German telecommunications researcher Tobias Engel
first warned of the potential for SS7 surveillance at a security conference in 2008, during which he demonstrated how to locate a cellphone
provided by a volunteer from the audience
Engel also located the cellphone of a Washington Post reporter in 2014, at The Post's request, for an article about the growing availability
and effectiveness of such systems.Researchers have continued to detail SS7 vulnerabilities in recent years, including call, data and text
A site reachable on Tor, an encrypted Internet browsing tool, offers SS7 tracking and interception of cellphones for a few hundred dollars a
month.Criminals last year used SS7 to intercept security codes that a bank texted to its customers in Germany, allowing the criminals to
steal money from accounts, according to news reports.Carriers worldwide have gradually added better security, but SS7 does not have any way
to verify that carriers sending data requests are who they claim to be
The firewalls increasingly installed by carriers, meanwhile, protect their own customers but typically not people who are roaming on the
network, said Engel, the German researcher who first reported the security and privacy risks of SS7."It's much simpler to protect your own
subscribers," said Engel, now a researcher for GSMK, a mobile communications security company based in Berlin
"It could be that you're vulnerable as soon as you enter somebody else's network, domestic or foreign."Calls for an aggressive federal
response grew after The Post's 2014 article and a "60 Minutes" report in 2016 in which Nohl, one of the German researchers, demonstrated SS7
surveillance risks by intercepting a call to the cellphone of Rep
Ted Lieu, D-Calif., with his permission.DHS, which declined to comment for this article, issued a report on SS7 cellphone security in April
2017 that noted the risk to federal personnel, "SS7 attack types can be used to target key U.S
Federal Government personnel both in the United States and traveling or working overseas."The DHS report recommended that carriers adopt new
An FCC group, the Communications Security, Reliability and Interoperabilty Council, issued recommendations for improving SS7 security in
carriers have largely adopted.But Wyden and some other officials say the government must do more to protect American cellphone users by
documenting SS7 breaches and commissioning independent testing of the vulnerabilities in national cellular networks - a step that Britain
and some other nations have taken."The FCC has been studying SS7 vulnerabilities for nearly two years
Enough," said FCC Commissioner Jessica Rosenworcel, a Democrat
