Wyden Pushes FCC For Answers on SS7 Security

Recent events have combined to raise awareness about the serious vulnerabilities in the cellular communications infrastructure and the myriad ways that adversaries are taking advantage of them. And while these weaknesses are far from new and have been documented by researchers for years, the problems are beginning to draw significant attention from some people in Washington.

The networks and protocols that carry the wireless communications traffic of billions of people around the world were designed and implemented decades ago, and researchers have documented a number of critical issues with them. There are known attacks and techniques that can allow attackers to intercept calls and data traffic with readily available tools and equipment. There also are considerable problems with the Signaling Systems Seven (SS7) protocols, the core methods that allow various telecom networks to communicate with each other, problems that attackers were able to exploit recently to compromise a major wireless provider’s network.

People in the security and telecom industries have known of these vulnerabilities for many years, and they’re not news to federal authorities, either. The FCC and federal law enforcement agencies have looked into attacks on the cellular networks, with little effect. But one lawmaker has been pressuring the government relentlessly to pay attention to the fragility of the cellular infrastructure and the threat it poses to consumers, enterprises, and the government itself: Ron Wyden.

Wyden, a Democratic senator from Oregon, is a senior member of the Senate Select Committee on Intelligence and has been an outspoken voice on information security and privacy issues for many years. He has sent letters to the chairman of the FCC expressing concerns about the SS7 problems and last week again wrote to Chairman Ajit Pai, asking for answers on SS7 security and details about how many network providers have been breached through SS7.

“This threat is not merely hypothetical--malicious attackers are already exploiting SS7 vulnerabilities,” Wyden wrote in his May 29 letter to Pai. “Although the security failures of SS7 have long been known to the FCC, the agency has failed to address this ongoing threat to national security and to the 95% of Americans who have wireless service.”

Wyden’s letter to Pai came a few days after Christopher Krebs, the nominee to lead the Department of Homeland Security’s National Protection and Programs Directorate, responded in a letter to questions the senator raised in a private meeting about both the SS7 problems and foreign intelligence services using IMSI catchers to intercept cell traffic in and around Washington, D.C. In that letter, Krebs acknowledged that the NPPD had found apparently malicious use of IMSI catchers in Washington last year, but said DHS wasn’t able to attribute the activity to any specific adversary. He also said DHS had received reports from outside organizations that “nefarious actors may have exploited Signaling Systems Seven (SS7) vulnerabilities to target the communications of American citizens.”

Wyden and a handful of others have been pushing the federal government for several years to address the problems with not just SS7 but the overall vulnerability of the cellular infrastructure. But there hasn’t been much in the way of movement from either the FCC or other regulators on this, something that Wyden pointed out on Friday.

“I’ve spent the past year fighting to reveal what a terrible job the telephone companies and FCC are doing at protecting Americans from being spied on, tracked, or scammed. This letter is yet more evidence that these threats are absolutely real and they are already attacking Americans,” Wyden said.

Krebs said in his letter to Wyden that the NPPD doesn’t have any authority to investigate the SS7 attacks, something that would fall to the FBI. But the regulatory aspect of it is up to the FCC, and Wyden has continued to apply pressure to the commission to make a move.

“It is high time for the FCC and this administration to act immediately to protect American national security,” Wyden said.