If you own a mobile phone, “you can be bugged, tracked and hacked from anywhere in the world”. That was the throughline of a particularly problematic story on the 60 Minutes program last night. It’s now being hailed as “the end of privacy” for all Australians, but let me assure you, that moment passed a long time ago.
“How it has been done, has never been shown before”, claimed the 20-minute report, which demonstrated how a vulnerability in a global forwarding network can be “hijacked” to listen in on a user’s calls and text messages in real time.
After a lot of teasing and set-up, the report eventually took us to a basement in Germany, where security researcher Luca Melette demonstrated how he could intercept a phone call between the reporter and Australian Senator Nick Xenophon. Luca was able to intercept the call (if we’re to believe that there wasn’t any camera trickery going on), as well as a text message sent between the pair. Big drums. The hack has been reveeeeeeealed.
Luca was able to do that by jacking into a vulnerability in the SS7 signalling system. SS7 is used for a whole bunch of things, including cell tower handover and international roaming between networks. It’s almost universal in the world of GSM.
Here’s the thing: Luca was given access to the network by the German government for the demonstration. So that demonstration, as far as I’m concerned, is next to useless. Show me a hacker boosting phone calls in the wild, without authorised access to the SS7 system, and I’ll believe you that this is something for people to be concerned about.
The SS7 hack also isn’t really news. Security researcher Tobias Engel demonstrated SS7 interception at the Chaos Computer Conference last year.
Here’s the presentation below:
For what it’s worth, SS7 intercepts should be pretty far down on the list of things to worry about if you own a mobile phone. Carrying one opens you up to a whole world of security hurt. Newsflash: you’re already being tracked by pretty much everyone. Google, Facebook, Apple, Microsoft. Everyone tracks you. Despite the fact that you’re already being tracked, however, you have to understand that not everyone wants to hear you calling up your mates to tell them how wasted you got on the weekend. You’ve got to figure out how important you are in the scheme of things, and once you realise that it’s probably not much, you’ll start to breathe easier.
Hackers really only go after high-profile targets. For example, the 60 Minutes report did mention that Prime Minister Tony Abbott’s phone is vulnerable to these sorts of intercepts, which is kind of funny when you think about it. Instead of listening in on our calls in real time, the hackers coming after you and me are already trying to clean us out via phishing scams and perhaps the occasional man-in-the-middle attack designed to separate you from your credit card details.
“Mobile phone security” is a particularly nebulous term. You could be talking about Android malware, SMS vulnerabilities, secret interceptor towers, PRISM. Anything. So when you have a 20-minute story on primetime TV talking about how “mobile phone security” is fundamentally compromised, you’re running into problems from the very start.
The issue here is that saying there’s a vulnerability in the SS7 protocol that can give intelligence and law enforcement agencies access to your calls isn’t sexy enough for primetime TV. Instead, to get people really scared, 60 Minutes decided to splice in footage from Skyfall — which featured dubious infosec nonsense as a plot device — while parading infosec researchers and their sexy quotes around.
Don’t get me wrong: this is an issue. A security hole in the phone routing protocol is no joke, and probably needs to be dealt with, but it’s irresponsible of 60 Minutes to do this to people at home after dinner on a Sunday night.
It’s irresponsible to make them think they have to run into the kitchen and boil their phone in a pot of water to keep their families safe. It’s irresponsible to make people scared of the devices they’re carrying around in their pockets. It’s irresponsible to make real life look like a bullshit fictional spy movie to make sure they keep watching until the next ad break.
If you want to cover a real security story, 60 Minutes, we’ve got a few suggestions. Why not tackle the government’s metadata collection program and get a few people on the record saying how terrible it is for privacy that all of our data is being archived for no good reason? Why not look at the government’s push to wrest control of Australia’s mobile networks in the name of national security? What about figuring out what the Pine Gap station does? Or what Australia is using big, hulking security drones for? Or how the government is rolling out site blocking because rights holders asked them nicely?
Next time you feel like scaring people who don’t know enough about their phone to know you’re full of it, 60 Minutes, don’t.