Privacy SOS

Is the FCC’s coziness with Big Telecom making Americans vulnerable to hacking and surveillance?

The Supreme Court will soon decide whether law enforcement must get a warrant to obtain historical cell site location records, which show where mobile phones (and their users) have been over a period of months or years. But even if SCOTUS mandates a warrant in the Carpenter case, hundreds of millions of people in the United States will remain vulnerable to inappropriate, nonconsensual, widespread, and secret mobile phone surveillance.

Since at least 2008, security experts have publicly warned that malicious actors and government intelligence agencies can track sensitive data from billions of cell phones worldwide by accessing the technical system underpinning mobile networks. Despite the gravity of these warnings, government officials have done little to address the problems with the network, known as Signaling System No 7 (SS7).

In a letter a year ago, Senator Ron Wyden (D-OR) urged FCC Chairman Ajit Pai to take decisive action to secure phone networks. Last week, Wyden wrote another letter to Pai, this time blasting him for failing to act on the SS7 problem, and demanding information about its scope and details about what—if anything—the FCC has done to fix it. The recent Wyden letter points out that an FCC working group created to address mobile network insecurity is stacked with telecommunications industry reps, and strongly implies that its weak (and in Wyden’s view insufficient) recommendations indicate the agency has been captured. (Big Telecom’s regulatory capture of this FCC is not hard to imagine; Ajit Pai is the former Verizon lawyer who killed net neutrality regulations, a decision the telecoms strongly backed.)

Two weeks ago, the Department of Homeland Security responded to a separate Wyden inquiry about the issue in a letter admitting that nefarious actors may have tapped into the vulnerable SS7 system to access sensitive data. But according to Wyden, the federal agency with the power to do something about it hasn’t done squat. “One year ago I urged you to address serious cybersecurity vulnerabilities in U.S. telephone networks,” Wyden wrote to the FCC’s Pai last week, after reviewing the DHS letter. “To date, your [FCC] has done nothing but sit on its hands, leaving every American with a mobile phone at risk.”

SS7’s insecurity enables mass surveillance, but the FCC Chairman doesn’t seem concerned

Signaling System No 7 (SS7) plays a critical but largely unknown role in telecommunications, by connecting phone networks to transmit calls and texts. Developed in 1975, the system allows telecommunications companies worldwide to share their networks, and routs every phone call, text message, and data transmission. In order to function, the SS7 system needs to know the physical location of every phone attempting to access a network. The system keeps records of these historical location data points, as well as mobile phone subscriber information.

Early on in the history of mobile phones, only a few major carriers had access to this extremely sensitive SS7 data, which they relied on to ensure their services functioned. But with the introduction of services like VoIP and third party text messaging services, there’s been explosive growth in the number of people and companies that can access the SS7 system. At least one Israeli spy firm, called Verint, reportedly has access to it, enabling the firm to track in real time and historically the movements of untold numbers of people worldwide, entirely in secret and with no judicial process.

Despite their explosive growth over the past four decades, telecommunications companies have not updated SS7 with necessary security protections. As a result, experts say, nefarious actors can masquerade as legitimate networks to access the system and obtain sensitive user information, read text messages, listen to and record calls, and track a phone’s location in historical and real time. Experts estimate that instances of illegitimate access occur millions of times a month, with American, Chinese, Israeli, and Russian intelligence agencies the most frequent attackers. A mercenary-style hacking economy enables smaller nation states (and likely criminal organizations) to pay hackers to help them get inside SS7.

Regulatory capture endangers all mobile phone users

The problem is not new, and it is not going away. Wyden’s letter last week reveals that “one of the major wireless carriers” was subject to a recent SS7 breach that exposed customer data. According to the senator, when the FCC in 2016 finally put together a working group to address concerns about SS7, its members were primarily “wireless industry insiders with serious conflicts of interest.” While a few representatives from DHS’s National Coordinating Center for Communications also participated, their edits to the final report were rejected, and they were not invited to join the second working group, Wyden says. The result was recommendations that ignored the wireless industry’s culpability in the problem and did not ask the FCC to force the industry to act.

According to Wyden, Pai thought those weak recommendations would suffice. In his letter to Pai last week, the senator chastises the former telecom lawyer for “dismiss[ing] [Wyden’s] request for the FCC to use its regulatory authority to force the wireless industry to address the SS7 vulnerabilities.” Evidently exasperated, Wyden questions whether Pai “agree[s] with DHS and NSA that SS7 vulnerabilities pose a significant national threat” and requests an explanation if Pai disagrees. He also demands to know how many data breaches have been reported to the FCC in the past five years, and which of those involved misuse of SS7. For those breaches that did involve SS7, Wyden wants to know whether the FCC investigated each breach or notified the people whose data was compromised.

Experts say Americans are the leading targets for SS7 hacks and surveillance, but the federal agency tasked with overseeing telecommunications companies appears disinterested. Wyden has demanded Pai respond to his inquiries by July 9. Let’s see what the “most reviled man on the internet” has to say for himself.

© 2018 ACLU of Massachusetts.