The global telecom network Signal System 7 helps phone carriers across the world, including AT&T and Verizon, route calls and texts. It’s also apparently perforated with security holes that lets hackers and spies listen to your calls and read your texts. It’s so bad the ACLU’s chief technologist told me that people worried about being snooped should just not use their mobile phone to make calls. Privacy: Remember that?
German researchers discovered that SS7’s outdated infrastructure makes it easy as hell to hack, which can lead to huge invasions of privacy, the Washington Post has reported. Researchers will present their findings later this month at a conference in Hamburg. From the Post:
The flaws discovered by the German researchers are actually functions built into SS7 for other purposes — such as keeping calls connected as users speed down highways, switching from cell tower to cell tower — that hackers can repurpose for surveillance because of the lax security on the network.
Carriers like AT&T and Verizon use 3G and 4G networks for calls, messages and texts sent from people within the same network, but they still need to use old, crappy, insecure SS7 when they send data across networks. This means tracing your phone and what you do on it is alarmingly simple for people in the know:
Those skilled at the myriad functions built into SS7 can locate callers anywhere in the world, listen to calls as they happen or record hundreds of encrypted calls and texts at a time for later decryption. There also is potential to defraud users and cellular carriers by using SS7 functions, the researchers say.
SS7’s overall security suckiness isn’t a secret, though this new research should draw attention to how important it is to overhaul the system. In August, the Post published a story highlighting how companies are already building surveillance systems capable of stealth tracking using loopholes in SS7 — and they’re selling these systems to governments and private groups.
One of the companies, Verint, boasts about servicing over 10,000 clients on its website. Not mentioned: How many people these clients violated.
So what can you do to avoid getting hacked or spied on by people exploiting the vulnerabilities of SS7? I asked the ACLU’s principle technologist Christopher Soghoian:
“Don’t use the telephone service provided by the phone company for voice. The voice channel they offer is not secure,” he told me. “If you want to make phone calls to loved ones or colleagues and you want them to be secure, use third-party tools. You can use FaceTime, which is built into any iPhone, or Signal, which you can download from the app store. These allow you to have secure communication on an insecure channel.” For texts, using third parties that provide end-to-end encryption also seals off your messages from SS7 exploits.
So basically, your only line of defence is to not use your phone as a goddamn phone. It’s an imperfect solution, to put it mildly, to a problem that will persist as long as this insecure system remains outdated. More than one thing is rotten in the state of telecom, but this crumbling global infrastructure is practically putrid. [The Washington Post]
Picture: Shutterstock / Getty