Skip to main content
https://www.highperformancecpmgate.com/rgeesizw1?key=a9d7b2ab045c91688419e8e18a006621

Saudi spies tracked phones using flaws the FCC failed to fix for years

Lawmakers and security experts have long warned of security flaws in the underbelly of the world’s cell networks. Now a whistleblower says the Saudi government is exploiting those flaws to track its citizens across the U.S. as part of a “systematic” surveillance campaign.

It’s the latest tactic by the Saudi kingdom to spy on its citizens overseas. The kingdom has faced accusations of using powerful mobile spyware to hack into the phones of dissidents and activists to monitor their activities, including those close to Jamal Khashoggi, the Washington Post columnist who was murdered by agents of the Saudi regime. The kingdom also allegedly planted spies at Twitter to surveil critics of the regime.

The Guardian obtained a cache of data amounting to millions of locations on Saudi citizens over a four-month period beginning in November. The report says the location tracking requests were made by Saudi’s three largest cell carriers — believed to be at the behest of the Saudi government — by exploiting weaknesses in SS7.

SS7, or Signaling System 7, is a set of protocols — akin to a private network used by carriers around the world — to route and direct calls and messages between networks. It’s the reason why a T-Mobile customer can call an AT&T phone, or text a friend on Verizon — even when they’re in another country. But experts say that weaknesses in the system have allowed attackers with access to the carriers — almost always governments or the carriers themselves — to listen in to calls and read text messages. SS7 also allows carriers to track the location of devices to just a few hundred feet in densely populated cities by making a “provide subscriber information” (PSI) request. These PSI requests are typically to ensure that the cell user is being billed correctly, such as if they are roaming on a carrier in another country. Requests made in bulk and excess can indicate location tracking surveillance.

But despite years of warnings and numerous reports of attacks exploiting the system, the largest U.S. carriers have done little to ensure that foreign spies cannot abuse their networks for surveillance.

One Democratic lawmaker puts the blame squarely in the Federal Communication Commission’s court for failing to compel cell carriers to act.

“I’ve been raising the alarm about security flaws in U.S. phone networks for years, but FCC chairman Ajit Pai has made it clear he doesn’t want to regulate the carriers or force them to secure their networks from foreign government hackers,” said Sen. Ron Wyden, a member of the Senate Intelligence Committee, in a statement on Sunday. “Because of his inaction, if this report is true, an authoritarian government may be reaching into American wireless networks to track people inside our country,” he said.

A spokesperson for the FCC, the agency responsible for regulating the cell networks, did not respond to a request for comment.

A long history of feet-dragging

Wyden is not the only lawmaker to express concern. In 2016, Rep. Ted Lieu, then a freshman congressman, gave a security researcher permission to hack his phone by exploiting weaknesses in SS7 for an episode of CBS’ 60 Minutes.

Lieu accused the FCC of being “guilty of remaining silent on wireless network security issues.”

The same vulnerabilities were used a year later in 2017 to drain the bank accounts of unsuspecting victims by intercepting and stealing the two-factor authentication codes necessary to log in sent by text message. The breach was one of the reasons why the U.S. government’s standards and technology units, NIST, recommended moving away from using text messages to send two-factor codes.

Months later the FCC issued a public notice, prompted by a raft of media attention, “encouraging” but not mandating that carriers make efforts to bolster their individual SS7 systems. The notice asked carriers to monitor their networks and install firewalls to prevent malicious requests abuse.

It wasn’t enough. Wyden’s office reported in 2018 that one of the major cell carriers — which was not named — reported an SS7 breach involving customer data. Verizon and T-Mobile said in letters to Wyden’s office that they were implementing firewalls that would filter malicious SS7 requests. AT&T said in its letter that it was in the process of updating its firewalls, but also warned that “unstable and unfriendly nations” with access to a cell carrier’s SS7 systems could abuse the system. Only Sprint said at the time that it was not the source of the SS7 breach, according to a spokesperson’s email to TechCrunch.

T-Mobile did not respond to a request for comment. Verizon (which owns TechCrunch) also did not comment. AT&T said at the time it “continually works with industry associations and government agencies” to address SS7 issues.

Fixing SS7

Fixing the problems with SS7 is not an overnight job. But without a regulator pushing for change, the carriers aren’t inclined to budge.

Experts say those same firewalls put in place by the cell carriers can filter potentially malicious traffic and prevent some abuse. But an FCC working group tasked with understanding the risks posed by SS7 flaws in 2016 acknowledged that the vast majority of SS7 traffic is legitimate. “Carriers need to be measured as they implement solutions in order to avoid collateral network impacts,” the report says.

In other words, it’s not a feasible solution if it blocks real carrier requests.

Cell carriers have been less than forthcoming with their plans to fix their SS7 implementations. Only AT&T provided comment, telling The Guardian that it had “security controls to block location-tracking messages from roaming partners.” To what extent remains unclear, or if those measures will even help. Few experts have expressed faith in newer systems like Diameter, a similar routing protocol for 4G and 5G, given there have already been a raft of vulnerabilities found in the newer system.

End-to-end encrypted apps, like Signal and WhatsApp, have made it harder for spies to snoop on calls and messages. But it’s not a panacea. As long as SS7 remains a fixture underpinning the very core of every cell network, tracking location data will remain fair game.

Comments

Popular posts from this blog

Uber co-founder Garrett Camp steps back from board director role

Uber co-founder Garrett Camp is relinquishing his role as a board director and switching to board observer — where he says he’ll focus on product strategy for the ride hailing giant. Camp made the announcement in a short Medium post in which he writes of his decade at Uber: “I’ve learned a lot, and realized that I’m most helpful when focused on product strategy & design, and this is where I’d like to focus going forward.” “I will continue to work with Dara [Khosrowshahi, Uber CEO] and the product and technology leadership teams to brainstorm new ideas, iterate on plans and designs, and continue to innovate at scale,” he adds. “We have a strong and diverse team in place, and I’m confident everyone will navigate well during these turbulent times.” The Canadian billionaire entrepreneur signs off by saying he’s looking forward to helping Uber “brainstorm the next big idea”. Camp hasn’t been short of ideas over his career in tech. He’s the co-founder of the web 2.0 recommendatio...

Drone crash near kids leads Swiss Post and Matternet to suspend autonomous deliveries

A serious crash by a delivery drone in Switzerland have grounded the fleet and put a partnership on ice. Within a stone’s throw of a school, the incident raised grim possibilities for the possibilities of catastrophic failure of payload-bearing autonomous aerial vehicles. The drones were operated by Matternet as part of a partnership with the Swiss Post (i.e. the postal service), which was using the craft to dispatch lab samples from one medical center for priority cases. As far as potential applications of drone delivery, it’s a home run — but twice now the craft have crashed, first with a soft landing and the second time a very hard one. The first incident, in January, was the result of a GPS hardware error; the drone entered a planned failback state and deployed its emergency parachute, falling slowly to the ground. Measures were taken to improve the GPS systems. The second failure in May, however, led to the drone attempting to deploy its parachute again, only to sever the line...

How the world’s largest cannabis dispensary avoids social media restrictions

Planet 13 is the world’s largest cannabis dispensary. Located in Las Vegas, blocks off the Strip, the facility is the size of a small Walmart. By design, it’s hard to miss. Planet 13 is upending the dispensary model. It’s big, loud and visitors are encouraged to photograph everything. As part of the cannabis industry, Planet 13 is heavily restricted on the type of content it can publish on Instagram, Facebook and other social media platforms. It’s not allowed to post pictures of buds or vapes on some sites. It can’t talk about pricing or product selection on others.   View this post on Instagram   A post shared by Morgan Celeste SF Blogger (@bayareabeautyblogger) on Jan 25, 2020 at 7:54pm PST Instead, Planet 13 encourages its thousands of visitors to take photos and videos. Starting with the entrance, the facility is full of surprises tailored for the ‘gram. As a business, Planet 13’s social media content is heavily restricted a...