Network flaws expose cellphones to state surveillance

An Irish mobile security firm detected sophisticated systems designed to tap into the backbone of the global cellphone networks and surveil calls, texts, and location data. 

Reuters/File

February 22, 2016

Security flaws in networks that route cellphone calls and text messages around the world are leaving billions of cellphone users vulnerable to surveillance, according to an Irish cybersecurity firm.

The firm Adaptive Mobile has detected at least four sophisticated computer systems that have tapped into the Signaling System 7 (SS7) network, a fundamental part of the mobile communications infrastructure, to eavesdrop on callers' conversations, texts, and location data.

While attacks on SS7 have been spotted by other security researchers in the past, Adaptive Mobile says the advanced nature of the machines it detected infiltrating SS7 suggests nation-states are eavesdropping on sections of the global mobile network.

Why Apple's pushback against the FBI isn't a technical issue

"We see a lot of tracking systems, but these systems are really at the pinnacle of the technology," said Cathal McDaid, head of Adaptive Mobile’s threat intelligence unit. "These are platforms in place around the world that are doing sophisticated operations to track people around the world in a way that can bypass mobile defenses."

Mr. McDaid said the technically advanced nature of the surveillance systems his firm detected on the SS7 network suggests "these platforms must have had a considerable amount of investment behind them to make them as sophisticated as they are."

The systems that Adaptive discovered appear to be designed to capture billions of gigabytes of location data to perform surveillance on specific intelligence targets, potentially giving spy agencies a detailed view into their targets without their knowledge.

The nefarious systems detected by the firm are located in Western Europe, the Middle East, and North Africa. But so far, the firm detected only a handful of cellphone users who were targeted by such surveillance practices, suggesting the SS7 breaches could have been part of a targeted surveillance campaign.   

Though Adaptive does not point to specific countries or companies involved in the mobile snooping, similar activity has been reported in Ukraine, where investigators spotted mobile users getting hit with suspicious SS7 attacks over a three day period in April 2014 – allowing Russian network providers to potentially snap up calls and location data.

Tracing fentanyl’s path into the US starts at this port. It doesn’t end there.

Since most SS7 networks are closed systems and not connected to the open Internet, it had been traditionally difficult to get inside the network without access to high-grade telecommunications equipment and the proper permits. But that has changed in recent years as businesses are now reselling access to the mobile backbone.

"There are a lot of websites that we see nowadays that offer SS7 access," says Hassan Mourad, a mobile security researcher and senior advisor at an Egyptian telecommunications company. "You give them the number you want to track and they will point you to the location of the subscriber."

But Mr. Mourad says he’s never before seen multiple surveillance systems that can track the same user, such as those discovered by Adaptive, which will present its research Tuesday at the Mobile World Congress in Barcelona. 

Adopted in the 1980s as a closed network with connecting nodes controlled by phone carriers and national operators, SS7 directs mobile traffic from cellphone towers to the Internet. Even though thousands of companies have access to SS7 and can legally share it with third parties, security experts say that SS7 has few internal security mechanisms.

In 2014, German researchers found that hackers could exploit SS7 functions that maintain call connections by switching between cell towers to listen to calls or steal text messages – even those that are end-to-end encrypted. Broken encryption protocols between radio networks and callers could also allow hackers to break into SS7 using interception equipment.

The report from Adaptive Mobile has identified several computers involved in carrying out attacks around the world aimed at tracking users and nabbing location data.

"You can steal cell IDs that can tell you where someone is," said Adaptive's McDaid. "With call interception, you can simply disable [a victim’s] IP connectivity to disable encrypted apps. You can intercept phone calls and text messages."

By analyzing network traffic made available to Adaptive Mobile by telecommunications providers, McDaid and his team detected systems on SS7 that are responsible for location tracking, denial-of-service attacks, call interception, and attacks that are designed to steal cellphone users' encryption keys.

In most cases, said McDaid, the victims of these kinds of attacks would have no idea their phones are being tracked or hacked into.