About fifteen years ago, the federal government set up one of its famous task forces. This one was to establish how vulnerable the Defense Department might be to a cyber attack. The conclusions, all 180 pages of them, declared that there were vulnerabilities all over the place. What does that have to do with the security of your cell phone conversations?
Plenty, it seems. In the early olden days of cell phones, the 1980’s, the Defense Department, and everyone else, could do everything with regard to security but still had to transmit phone calls over the phone companies technology. Sometime during the 1980’s, the phone companies upgraded their technology and put in place engineering protocols that have become known as Signaling System Number 7 (SS7).
Prior to the establishment of SS7, cell calls moved efficiently all around the world. The new system architecture that was put into place worked quite well. Customers were happy and the phone companies raked in the profits. The SS7 was developed so that there would be a playbook for how all of the communications systems worked together. Something had to keep track of all the different systems and ensure that they all ran together smoothly.
SS7 is now the default system for the world. One of things it does is to make certain that calls are not dropped when a call moves from one carrier’s territory into another’s. There, it seems, is the rub and the security disaster just waiting to happen. That old task force report said that there were “several points of attack” that could be breached by hackers who decide to enter the SS7 system.
Because of those vulnerabilities in the system, hackers are pretty free to intercept any phone call on the planet fairly easily and quickly. The problem, it seems, is that the old land based equipment is still being used by the phone companies even though they have designed new mobile systems and software. It is the land based systems that are open to attach, the task force said. So, it doesn’t matter what new super technology comes into play, it still must go through vulnerable ground systems.
Apparently, this is not a secret to either the feds, the hackers of the world, or the phone companies. Even security specialists and engineers know that there are flaws and vulnerabilities in the system that still remain in place today. The challenge for everyone is that without SS7 in place, it would be extremely difficult to actually place a cell phone call. And, the call would be dropped the exact moment the phone left its carrier’s coverage area. Like a quarterback handing the ball off to the running back, the play simply would not be there.
In 2014, German researchers proved the systems flaws once and for all and the results were even published in The Washington Post. Governments, and goodness knows who else, had developed or bought surveillance technology that was bypassing SS7 and intercepting calls and putting people under surveillance anywhere in the world.
Access to the SS7 system can be bought on a monthly basis so if someone knows the flaws, they are in and can spy on anyone they want to. The hackers, said the researchers, have an easy time of it because the phone companies have done nearly all of the work for them.
Karsten Nohl, one of the German researchers, was on 60 Minutes in April of 2016 and told them that all she needed was a phone number and she could track anyone anywhere in the world, listen to their calls, and even read their text messages. The 60 Minutes reporter gave Ms. Nohl the phone number of a congressman. Nohl proceeded to intercept a call the U.S. Rep was receiving from that 60 Minutes reporter who was in Berlin.
Even Edward Snowden mentioned that the NSA spies on phone calls and has paid special attention to SS7.
So, it seems that the question of “to encrypt or not to encrypt” has, perhaps, been answered?
PHOTO CREDIT: Matthew Kane / Unsplash.com