Tech

Telecom Lobbyists Downplayed ‘Theoretical’ Security Flaws in Mobile Data Backbone

In a white paper sent to members of Congress and the Department of Homeland Security, CTIA, a telecom lobbying group that represents Verizon, AT&T, and other wireless carriers, argued that “Congress and the Administration should reject the [DHS] Report’s call for greater regulation” while downplaying “theoretical” security vulnerabilities in a mobile data network that hackers may be able to use to monitor phones across the globe, according to the confidential document obtained by Motherboard. However, experts strongly disagree about the threat these vulnerabilities pose, saying the flaws should be taken seriously before criminals exploit them.

SS7, a network and protocol often used to route messages when a user is roaming outside their provider’s coverage, is exploited by criminals and surveillance companies to track targets, intercept phone calls or sweep up text messages. In some cases, criminals have used SS7 attacks to obtain bank account two-factor authentication tokens, and last year, California Rep. Ted Lieu said that, for hackers, “the applications for this vulnerability are seemingly limitless.”

Videos by VICE

In May, the DHS published an in-depth, 125-page report on government mobile device security, which noted that SS7 “vulnerabilities can be exploited by criminals, terrorists, and nation-state actors/foreign intelligence organizations.” DHS noted that it currently doesn’t have the authority to require carriers to perform security audits on their network infrastructure, or the authority to compel mobile carrier network owners to provide information to assess the security of these communication networks.

CTIA took several issues with the report. In its own white paper responding to the DHS, CTIA told US politicians in May that focusing on some SS7 attacks is “unhelpful,” said the report “focuses on perceived shortcomings” in the protocol, and claimed that talking about the issues may help hackers, according to the white paper obtained by Motherboard. Specifics from the paper were discussed by Motherboard with CTIA officials.

A section of CTIA’s response to the DHS report.

The DHS’ report “includes theoretical vulnerabilities without addressing that likelihood of exploitation or industry mitigation efforts,” CTIA’s confidential response to the DHS report reads, before pointing specifically to SS7. The DHS report, according to CTIA, also “provides a roadmap of risks—present and future—that may be useful to hackers, cybercriminals, and nation-state actors.”

“The vulnerability of SS7 is a sincere threat to communications privacy and it is extremely irresponsible of CTIA to claim otherwise”

However, security researchers and experts with knowledge of SS7 attacks say the protocol’s current implementation is indeed a major issue. The issue with SS7 is that the protocol does not authenticate messages; anyone with access to SS7 can send a routing message, and the network will comply without checking that a legitimate body, such as a user’s telecom company, was the one behind the message.

“The vulnerability of SS7 is a sincere threat to communications privacy and it is extremely irresponsible of CTIA to claim otherwise,” Cooper Quintin, a security researcher and technologist at the Electronic Frontier Foundation (EFF), told Motherboard in an email.

Recently, financially-motivated hackers broke into European bank accounts by intercepting victims’ two-factor authentication codes. And at least half a dozen companies advertise SS7 surveillance capabilities to governments around the world.

To be clear, in addition to concrete research into already exploited vulnerabilities, the DHS report does include some SS7 attacks that are theoretical, at least today. But experts say that should not undermine the wireless industry’s response, and some highlighted the small leap from theoretical to actual SS7 threats. Cathal McDaid, chief intelligence officer at cybersecurity firm AdaptiveMobile, pointed to a section of the DHS report that claimed the agency had carried out a successful penetration test of a US carrier, so clearly the threat was not purely theoretical.

“Sure, there are still more attacks that for the moment remain theoretical, but only until the criminals find a good use for those attacks, too,” Karsten Nohl, who provided the research for a CBS 60 Minute special in which he used SS7 vulnerabilities to intercept a US politician’s phone calls, told Motherboard in an email.

Notably, the CTIA paper advises against the idea that DHS should be allowed to regulate the industry: “Most alarming is the Report’s move toward regulation and legislation,” the paper states. “There is no need for regulation.”

When Motherboard asked CTIA to elaborate on its criticism of the DHS report’s theoretical attacks, CTIA pointed to another US government study on SS7. Earlier this year, the FCC released its own report into SS7 attacks, a report that CTIA preferred, according to a spokesperson for the group.

“The time to fix theoretical concerns is before they become practical”

“The FCC CSRIC Working Group 10 Report was a collaborative effort of industry, research and government experts. It focused on the U.S. environment and addressed SS7 based on a real-world risk assessment,” John Marinho, vice president of technology and cybersecurity at CTIA told Motherboard in an email. “Instead of using hypothetical, abstract or speculative scenarios that may not be relevant to U.S. networks, this report provides practical mitigation schemes and recommendations.”

CTIA does support several ideas in the DHS report: “CTIA agrees that the government should support R&D [research and development] and actively participate in mobile security related standards bodies, including international efforts,” the CTIA document reads.

Daniel Kahn Gillmor, senior staff technologist at the American Civil Liberties Union, told Motherboard in an email, “The time to fix theoretical concerns is before they become practical, and it would have been irresponsible of DHS to ignore theoretical concerns just because industry doesn’t want to spend the time or money to adequately secure their systems against future attack.”

Got a tip? You can contact this reporter securely on Signal at +44 20 8133 5190, OTR chat at jfcox@jabber.ccc.de , or email joseph.cox@vice.com