America's flagship news program 60 Minutes has demonstrated how to "hack" a US congressman's smartphone. One little thing to bear in mind about this incredible scoop: the vulnerability has been in circulation since 2014 ... and it requires high-level access to global phone networks.
House representative Ted Lieu (D-CA) loaned the 60 Minutes team an iPhone and asked them to do their worst. The investigators subsequently exploited a flaw in the cellular networks' Signaling System 7 (SS7) protocol to track the congressman's location, read his text messages, and monitor and record his phone calls.
"First, it's really creepy. And second, it makes me angry," Lieu said, after hearing a conversation that had been recorded.
"Last year, the president of the United States called me on my cellphone. And we discussed some issues. So if hackers were listening in, they would know that phone conversation. And that's immensely troubling."
How was this possible? First, the phone was connected to what appeared to be a hotel's Wi-Fi network, over which the handset leaked its phone number to eavesdroppers. In this case an app gave up the number, but the Wi-Fi trick is only there to obtain it: anything that gets you the target's phone number is enough to start the attack.
The 60 Minutes team then exploited the SS7 flaw to collect the handset's calls and texts, armed with nothing more than that phone number. SS7 is the glue of mobile networks: it provides the signaling to start and end calls, forward calls, route connections, exchange location and billing data, transfer SMS texts, and so on. It is integral to mobile traffic, and it is a trusting system: a request sent from one operator's network is acted on by another's, which is what lets an attacker with SS7 access on one side of the world reach a phone on the other.
The SS7 flaw exploited in the attack was first detailed in December 2014, when researchers Tobias Engel and Karsten Nohl presented their findings to the Chaos Communication Congress in Hamburg, Germany. Nohl was a member of the hacking team hired by 60 Minutes for last weekend's program.
The SS7 weakness affects all phones, iOS, Android or whatever, because the flaw sits in the network rather than in the handset; no phone update can close it. It is a major security issue, and one that network operators seem unwilling or unable to patch.
The problem with SS7 is that it was developed in the 1980s, before the industry really got serious about security, and it assumes that anyone able to send it signaling is a legitimate operator. By exploiting flaws in SS7, hackers can use a call-forwarding function to route a target's calls through a system they control, a man-in-the-middle attack, and obtain the key needed to decrypt the conversations. Specific details of the hole leveraged by the 60 Minutes team were not disclosed, for obvious reasons.
Some have suggested that mobile networks have been tardy in dealing with this issue because it would involve massive costs; others assume that the intelligence services are blocking a fix because the design flaws are so useful to them.
Lieu, one of the few members of the US Congress who actually has a computing background and isn't afraid to use it, said that if the latter scenario were true, then heads should roll in the intelligence services.
"You cannot have 300-something million Americans – and really the global citizenry – at risk of having their phone conversations intercepted with a known flaw, simply because some intelligence agencies might get some data. That is not acceptable," Lieu said.
It must also be said that Nohl and the investigative team were granted access to the SS7 system by international cell networks so they could carry out their work legally. That access gave them the foothold from which to attack Lieu's iPhone on a US carrier: 60 Minutes, in effect, obtained something close to carrier status and used it to drill into Lieu's iPhone comms.
Mobile operators should, in theory, have measures in place to prevent criminals from blagging their way into such a privileged position, and to filter out location and forwarding requests arriving from networks that have no business sending them. In a way, this whole affair demonstrates that this sort of snooping is out of reach of legions of common and/or garden crooks, but within the grasp of corrupt insiders, powerful crime gangs, and government agents.
John Marinho, vice president of cybersecurity and technology at cell network group the CTIA, said: "While we are aware of the research hackers’ manipulation to exploit SS7 technology in the international wireless networks, it’s important to note that they were given extraordinary access to a German operator’s network.
"That is the equivalent of giving a thief the keys to your house; that is not representative of how US wireless operators secure and protect their networks. We continue to maintain security as a top industry priority." ®