Don't Be Scared Of That 60 Minutes Report On Phone Hacking

If you own a mobile phone, "you can be bugged, tracked and hacked from anywhere in the world". That was the throughline of a particularly problematic story on the 60 Minutes program last night. It's now being hailed as "the end of privacy" for all Australians, but let me assure you, that moment passed a long time ago.

"How it has been done, has never been shown before", claimed the 20-minute report which demonstrated how a vulnerability in a global forwarding network can be "hijacked" to listen in on a user's calls and text messages in real time.

After a lot of teasing and set-up, the report eventually took us to a basement in Germany, where security researcher Luca Melette demonstrated how he could intercept a phone call between the reporter and Australian Senator Nick Xenophon. Luca was able to intercept the call (if we're to believe that there wasn't any camera trickery going on), as well as a text message sent between the pair. Big drums. The hack has been reveeeeeeealed.

Luca was able to do that by jacking into a vulnerability in the SS7 signalling system. SS7 is used for a whole bunch of things, including cell tower handover and international roaming between networks. It's almost universal in the world of GSM.

Here's the thing: Luca was given access to the network by the German government for the demonstration. So that demonstration as far as I'm concerned is next to useless. Show me a hacker boosting phone calls in the wild, without authorised access to the SS7 system, and I'll believe you that this is something for people to be concerned about.

The SS7 hack also isn't really news. Security researcher Tobias Engel demonstrated SS7 interception at the Chaos Computer Conference last year.

For what it's worth, SS7 intercepts should be pretty far down on the list of things to worry about if you own a mobile phone. Carrying one opens you up to a whole world of security hurt. Newsflash: you're already being tracked by pretty much everyone. Google, Facebook, Apple, Microsoft. Everyone tracks you. Despite the fact that you're already being tracked, however, you have to understand that not everyone wants to hear you calling up your mates to tell them how wasted you got on the weekend. You've got to figure out how important you are in the scheme of things, and once you realise that it's probably not much, you'll start to breathe easier.

Hackers really only target high-profile targets. For example, the 60 Minutes report did mention that the Prime Minister Tony Abbott's phone is vulnerable to these sorts of intercepts, which is kind of funny when you think about it. Instead of listening in on our calls in real time, hackers coming after you and me are already trying to clean us out via phishing scams and the occasional man-in-the-middle attack, perhaps, designed to separate you from your credit card details.

"Mobile phone security" is a particularly nebulous term. You could be talking about Android malware, SMS vulnerabilities, secret interceptor towers, PRISM. Anything. So when you have a 20-minute story on primetime TV talking about how "mobile phone security" is fundamentally compromised, you're running into problems from the very start.

The issue here is that saying there's a vulnerability in the SS7 protocol that can give intelligence and law enforcement agencies access to your calls isn't sexy enough for primetime TV. Instead, to get people really scared, 60 Minutes decided to splice in footage from Skyfall -- which featured dubious infosec nonsense as a plot device -- while parading infosec researchers and their sexy quotes around.

Don't get me wrong: this is an issue. A security hole in the phone routing protocol is no joke, and probably needs to be dealt with, but it's irresponsible of 60 Minutes to do this to people at home after dinner on a Sunday night.

It's irresponsible to make them think they have to run into the kitchen and boil their phone in a pot of water to keep their families safe. It's irresponsible to make people scared of the devices they're carrying around in their pockets. It's irresponsible to make real life look like a bullshit fictional spy movie to make sure they keep watching until the next ad break.

If you want to cover a real security story, 60 Minutes, we've got a few suggestions. Why not tackle the government's metadata collection program and get a few people on the record saying how terrible it is for privacy that all of our data is being archived for no good reason? Why not look at the government's push to wrest control of Australia's mobile networks in the name of national security? What about figuring out what the Pine Gap station does? Or what Australia is using big, hulking security drones for? Or how the government is rolling out site blocking because rights holders asked them nicely?

Next time you feel like scaring people who don't know enough about their phone to know you're full of it, 60 Minutes, don't.



    I'm pretty sure (or I hope at least) anyone who reads Giz is smart enough to not watch 60 minutes.

      I didn't even know that people still watch 60mins and ACA and TT. I would have thought that after the amount of shit the Chaser has put them that people would have learnt by now.

        Your point is accurate, except it's based on the assumption the sheeple of this world are smart enough to enjoy the humour and satire from the Chaser in the first place. It's easier to distract them with unreality TV, home reno dreams, soaps or cooking shows.

        True? I didn't realise these programs were still on TV.
        WOW! No wonder we take forever to evolve!

      I was going to watch 60 Minutes but then I remembered that I had braincells. If it's being advertised on Channel Nine then you can rest assured that it's pretty dodgy. I was going to ask A Current Affair to do a story on Jeep dealers because my Jeep has been in their workshop for 4 months. Then I remembered one of their sponsors is Jeep. Pretty soon I'm going to have a broken down Jeep and no rego.

    It was nothing more than 15 minutes of alarmist journalism.

    And there wasn't much journalism in the "investigation".

    It's on 60 minutes. They haven't done any true journalism in over 10 years.

      More like 30 years, and I say as a 34 year old.

    Well written and astutely argued.
    Expect to see a few idiots on YouTube boiling their phones in pots of water, lol.

    Last edited 17/08/15 10:28 am


    Thank you for your take on the hacking story. However, a few things need to be clarified here. Luca works for SR Labs of Germany. I'm sure you would have heard Karsten Nohl's talk on SS7 vulnerabilities at the Chaos Computer Club's conference straight after the presentation by Tobias Engel. And I give Tobias a lot of credit, he does after all work for our German office "GSMK Cryptophone" and the research we have conducted was completely funded by the German government under what has been known as the SMOG Project.

    We were asked to perform the hack at our USA office and we declined. On our advice our German office (Tobias) also respectfully declined. Over the past few years under the SMOG Project we have built an intrusion detection system for cellular carrier switches to address the many ways some state-owned telcos, governments and anyone willing to pay 20k gain access to the SS7 network. With this access they can listen to calls, read messages and deny service, and all without the networks targeted seeing it.

    The reason we agreed to the story was much to do with the reluctance by telcos in Australia to address the issue. Even with some simple filtering they would reduce the ability of foreign actors to track government officials and other high-profile targets. In Europe and the USA we are seeing great success in telcos acknowledging the problem from both a fraud and espionage standpoint. In a number of European countries we have seen 100% adoption of our recommendations. This has resulted in a massive reduction of location tracking and man-in-the-middle attacks.

    ESD America has briefed more than 100 Telcos worldwide on the threat and in most cases the information about current attacks has been very well received. In fact we were asked to brief all USA telcos on a call for the US Department of Homeland Security.

    Regarding IMSI Catchers, yes we in the industry have been aware of them for a long time. But never before has anyone been able to locate them with any accuracy. We have successfully located foreign surveillance against US allies using our system. Knowing there are IMSI Catchers and actually being able to prevent their use by foreign governments or industry is a massive leap forward.

    As a company we are not looking to alarm people, but an aware and knowledgeable society applying pressure on telcos and governments to fix what can easily be fixed should be of interest. There is no reason why China should be listening to the phone calls of Australian government officials and industry. Not if this can be fixed without replacing SS7.

    And I am yet to see any reason why Syria and Iran should have roaming agreements with Australian telcos. This is giving people we don't want access privileges that should be reserved for trusted partners.

    If you would like to have a further discussion on this I encourage you to contact our office.

    Les Goldsmith
    ESD America

      Just to clarify Les, if I pay 20k and I have the required skills, I could gain access to calls and messages of "specific" targets on Australian mobile networks and the network operator would not be aware of what I was doing?

        20k is the price reported that some bad eggs are charging to give SS7 access.

      Probably also worth pointing out that since SS7 allows rerouting of calls, your product (and any properly designed encryption system) provides authentication so you actually know who you are connected to.
      MACs are so trivial to implement, it boggles the mind they aren't universal in communication endpoints.

        The vulnerabilities that were allegedly discovered in 2014 and 2016 have been discussed (at least in US RBOC circles) since the 90's, especially during the Bellcore TSARS meetings. There are at least two reports issued by Bellcore to the RBOCs around the mid-90's (TM-25454 "Common Channel Signaling (CCS) Security Solutions" and TM-25676 "Security Analysis of Common Channel Signaling (CCS) Over SONET") which discuss in detail several weaknesses in SS7 (MTP/SCCP/TCAP/ISDN-UP/BISUP) along with recommendations to address them. OPC (Originating Point Code) verification will address some of these issues. I always support efforts to raise concerns related to TelcoSec but at the same time it's somewhat misleading to position old issues as "ground breaking". Similarly, if an 8 year old discovers in 20 years from now, that the MAC/ARP protocols are insecure and an enterprise switch can be attacked to bring down a network or eavesdrop VoIP calls...

    As 60 minutes pointed out near the Stock Exchange in Sydney, the known phone to protect against this SS7 is the Cryptophone which was used. This is not an open book device to track.

    If your company engages in sensitive work, it might be a device worth looking into perhaps?

    It’s irresponsible to make them think they have to run into the kitchen and boil their phone in a pot of water to keep their families safe. It’s irresponsible to make people scared of the devices they’re carrying around in their pockets. It’s irresponsible to make real life look like a bullshit fictional spy movie to make sure they keep watching until the next ad break.

    But when have programs like 60 Minutes, ACA, or Today/Tonight ever been about responsible journalism? These programs are made for commercial television, so of course they're going to hype up their stories for better ratings. If they ever have displayed some kind of integrity, it was an exception.

    Security is an on and off process. Honestly, nothing in this world is fully secured, leave alone our personal data and bank/credit card information. It isn’t that developers and companies aren’t aware of the situation and future consequences. It is just that they haven’t been able to come to an effective and substantial solution for the same. The need of the hour is to be aware & proactive towards mobile security.

    At Appknox we have been working closely with developers and businesses to help educate them about mobile security and also help them find and fix vulnerabilities in their mobile applications.

    BUT, as the article said, it IS an issue so explain to me how informing people is irresponsible. Yeah they jazz it up but are the base facts true or false? And if true big corporations, filthy politicians or regular Joe, we are all equally susceptible to having bank details etc stolen are we not? Therefore would you not agree telcos are extremely negligent in their actions or lack of.
    I'd rate this article of less use than the 60min one. Neither great from opposite sides.

    The people behind CryptoPhone are active in the intelligence community (military intelligence, etc). That's a matter-o-fact.

    Ironically, on the one hand we have intelligence agencies like the NSA exploiting networks and collecting our data en masse, then on the other we have the people behind CryptoPhone offering solutions (e.g. cryptophone and SS7 network vulnerability filtering).

    I highly suspect the report is state-sponsored. It goes a little somethin' like this: "we've been exploiting these SS7 vulnerabilities for decades against other countries (note the big three boogeymen: China, Iran and Syria) , but now 'cause they're doing it to us, we need to fix it!".

    Note to Les Goldsmith: you forgot to mention Russia.

    Who talks on the phone anymore? Does the SS7 vulnerability capture all the data packets too?

    Surely using some basic, free messaging apps is enough to foil attempts... even better, use one that uses heavy encryption.

    Luke, you are dead wrong unfortunately.

    I am anything but a high profile target, yet I have had all the technology a deluded psycho stalker can ever wish for used on me. He works for the Victorian Government in the IT equivalent of a janitor's position. As he is a simpleton, he is assumed to be harmless and honest. For this reason he has privileged insider access to the private information of millions of Victorian women. He is neither smart, nor skilled, yet he can harass multiple women concurrently to within an inch of their lives. How is that for a power trip? And there is no protection whatsoever. The Police either lacks the technical capability, or the resources, or the willingness to protect Joe/Jane Nobody.

    Don't be fooled by the false sense of security that you are safe because you are not a BIG FISH.

    SS7 is only used for call setup. Aussie telcos all use IP for both 3G and 4G; unless they can hack the encryption on the MSS side, good luck to 'em.

      So the routing setup in that initial messaging doesn't worry you?

    This is an OLD bug published 2 years ago by a Russian research team. Seems this hacker is using 2 year old information, really funny. ALL carriers could read and listen to you, as the call is unencrypted. So which is the news here? Come on people, better learn about forwarding calls. This hacker has an SS7 hub access which is EASILY traced back to him.

    This article is COMPLETELY wrong. At one point SS7 was only for elite hackers but because of neglect to fix by telecom companies, now any weekend warrior can do this. I know a 17 year old who does it all the time. Chances are someone in your own community has already used it to spy on you. Articles like this give ppl a false sense of security. Use encryption.
