Network flaws expose cellphones to state surveillance
An Irish mobile security firm detected sophisticated systems designed to tap into the backbone of the global cellphone networks and surveil calls, texts, and location data.
Reuters/File
Security flaws in networks that route cellphone calls and text messages around the world are leaving billions of cellphone users vulnerable to surveillance, according to an Irish cybersecurity firm.
The firm Adaptive Mobile has detected at least four sophisticated computer systems that have tapped into the Signaling System 7 (SS7) network, a fundamental part of the mobile communications infrastructure, to eavesdrop on callers' conversations, texts, and location data.
While attacks on SS7 have been spotted by other security researchers in the past, Adaptive Mobile says the advanced nature of the machines it detected infiltrating SS7 suggests nation-states are eavesdropping on sections of the global mobile network.
"We see a lot of tracking systems, but these systems are really at the pinnacle of the technology," said Cathal McDaid, head of Adaptive Mobile’s threat intelligence unit. "These are platforms in place around the world that are doing sophisticated operations to track people around the world in a way that can bypass mobile defenses."
Mr. McDaid said the technically advanced nature of the surveillance systems his firm detected on the SS7 network suggests "these platforms must have had a considerable amount of investment behind them to make them as sophisticated as they are."
The systems that Adaptive discovered appear to be designed to capture billions of gigabytes of location data to perform surveillance on specific intelligence targets, potentially giving spy agencies a detailed view into their targets without their knowledge.
The nefarious systems detected by the firm are located in Western Europe, the Middle East, and North Africa. But so far, the firm detected only a handful of cellphone users who were targeted by such surveillance practices, suggesting the SS7 breaches could have been part of a targeted surveillance campaign.
Though Adaptive does not point to specific countries or companies involved in the mobile snooping, similar activity has been in Ukraine, where investigators spotted mobile users getting hit with suspicious SS7 attacks over a three-day period in April 2014 – allowing Russian network providers to potentially snap up calls and location data.
Since most SS7 networks are closed systems and not connected to the open Internet, it had been traditionally difficult to get inside the network without access to high-grade telecommunications equipment and the proper permits. But that has changed in recent years as businesses are now reselling access to the mobile backbone.
"There are a lot of websites that we see nowadays that offer SS7 access," says Hassan Mourad, a mobile security researcher and senior advisor at an Egyptian telecommunications company. "You give them the number you want to track and they will point you to the location of the subscriber."
But Mr. Mourad says he’s never before seen multiple surveillance systems that can track the same user, such as those discovered by Adaptive, which will present its research Tuesday at
Adopted in the 1980s as a closed network with connecting nodes controlled by phone carriers and national operators, SS7 directs mobile traffic from cellphone towers to the Internet. Even though thousands of companies have access to SS7 and , security experts say that SS7 has few internal security mechanisms.
In 2014, German researchers SS7 functions that maintain call connections by switching between cell towers to listen to calls or steal text messages – even those that are end-to-end encrypted. Broken encryption protocols between radio networks and callers could hackers to break into SS7 using interception equipment.
has identified several computers involved in carrying out attacks around the world aimed at tracking users and nabbing location data.
"You can steal cell IDs that can tell you where someone is," said Adaptive's McDaid. "With call interception, you can simply disable [a victim’s] IP connectivity to disable encrypted apps. You can intercept phone calls and text messages."
By analyzing network traffic made available to Adaptive Mobile by telecommunications providers, McDaid and his team detected systems on SS7 that are responsible for location tracking, denial-of-service attacks, call interception, and attacks that are designed to steal cellphone users' encryption keys.
In most cases, said McDaid, the victims of these kinds of attacks would have no idea their phones are being tracked or hacked into.