US congresscritter's iPhone hacked (with, er, the cell networks' help)

Panic over SS7 flaw resurfaces on 60 Minutes telly news probe


America's flagship news program 60 Minutes has demonstrated how to "hack" a US congressman's smartphone. One little thing to bear in mind about this incredible scoop: the vulnerability has been in circulation since 2014 ... and it requires high-level access to global phone networks.

House representative Ted Lieu (D-CA) loaned the 60 Minutes team an iPhone and asked them to do their worst. The investigators subsequently exploited a flaw in the cellular networks' Signaling System 7 (SS7) protocol to track the congressman's location, read his text messages, and monitor and record his phone calls.

"First, it's really creepy. And second, it makes me angry," Lieu said, after hearing a conversation that had been recorded.

"Last year, the president of the United States called me on my cellphone. And we discussed some issues. So if hackers were listening in, they would know that phone conversation. And that's immensely troubling."

How was this possible? First, the phone connected to what appeared to be a hotel's Wi-Fi. The handset then leaked its phone number over the wireless network to eavesdroppers – an app in this case gave up the info, but really anything that gets you the device's phone number is enough.

Then the SS7 flaw was exploited by the 60 Minutes team to collect the handset's calls and texts, using only its phone number. SS7 is like a glue for mobile networks: it provides the signaling to start and end calls, forward calls, route connections, exchange location and billing data, transfer SMS texts, and so on. It is integral to mobile traffic.

The SS7 flaw exploited in the attack was first detailed in December 2014, when researchers Tobias Engel and Karsten Nohl presented their findings to the Chaos Communication Congress in Hamburg, Germany. Nohl was a member of the hacking team hired by 60 Minutes for last weekend's program.

The SS7 weakness affects all phones – iOS, Android, whatever – and is a major security issue, and one that network operators seem unwilling or unable to patch.

The problem with SS7 is that it was developed in the 1980s before the industry really got serious about security. By exploiting flaws in SS7, hackers can use a forwarding function to set up a man-in-the-middle attack and get a key to decrypt conversations. Specific details of the hole leveraged by the 60 Minutes team were not disclosed for obvious reasons.
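To make concrete what an operator-side countermeasure looks like, here is an added example (not code from the 60 Minutes team, the researchers, or any carrier) of the screening an SS7 interconnect firewall applies to incoming MAP requests: it drops operations that have no business crossing the interconnect at all, and applies plausibility checks to the location-update and subscriber-info requests that the tracking described above relies on. The log format, IMSI, timestamps, country codes and the two-hour travel threshold are constructed assumptions.

```python
from datetime import datetime, timedelta

MIN_TRAVEL = timedelta(hours=2)          # assumed: minimum plausible time to change country
HOME_BY_MCC = {"310": "US", "262": "DE"}  # IMSI MCC -> home country (subset, assumed)

# GSMA FS.11 "category 1": intra-network operations that have no legitimate
# reason to arrive from an interconnect partner, so they are dropped outright.
CAT1 = {"anyTimeInterrogation", "sendIdentification", "sendRoutingInfoForLCS"}

# Constructed sample log of MAP requests seen at the interconnect, one per line.
SAMPLE_LOG = """\
2016-04-18T10:00:00 opcode=updateLocation imsi=310150123456789 origin_cc=US
2016-04-18T10:05:00 opcode=anyTimeInterrogation imsi=310150123456789 origin_cc=DE
2016-04-18T10:10:00 opcode=provideSubscriberInfo imsi=310150123456789 origin_cc=DE
2016-04-18T10:30:00 opcode=updateLocation imsi=310150123456789 origin_cc=DE
2016-04-19T09:00:00 opcode=updateLocation imsi=310150123456789 origin_cc=DE
"""

def parse_line(line):
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def screen(log_text):
    """Return a (timestamp, opcode, verdict) tuple for every request in the log."""
    last_seen = {}  # imsi -> (country, time) of the last accepted updateLocation
    verdicts = []
    for line in log_text.splitlines():
        r = parse_line(line)
        op, imsi, cc = r["opcode"], r["imsi"], r["origin_cc"]
        if op in CAT1:
            v = "block:cat1"
        elif op == "updateLocation":
            prev = last_seen.get(imsi)
            if prev and prev[0] != cc and r["ts"] - prev[1] < MIN_TRAVEL:
                v = "block:velocity"  # subscriber cannot have moved country that fast
            else:
                v = "allow"
                last_seen[imsi] = (cc, r["ts"])
        elif op == "provideSubscriberInfo":
            # Only the subscriber's own HLR has a reason to ask the serving VLR
            # for location/state, so the sender must sit in the home country.
            home = HOME_BY_MCC.get(imsi[:3], "??")
            v = "allow" if cc == home else "block:not-home-network"
        else:
            v = "allow"
        verdicts.append((r["ts"].isoformat(), op, v))
    return verdicts
```

Running `screen(SAMPLE_LOG)` shows the first registration allowed, the interrogation and the foreign subscriber-info query blocked, the 30-minute "move" to Germany rejected, and the next-day registration accepted.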

Some have suggested that mobile networks have been tardy in dealing with this issue because it would involve massive costs; others assume that the intelligence services are blocking a fix because the design flaws are so useful to them.

Lieu, who is one of the few people in US Congress who actually has a computing background and isn't afraid to use that knowledge, said that if the latter scenario was true, then heads should roll in the intelligence services.

"You cannot have 300-something million Americans – and really the global citizenry – at risk of having their phone conversations intercepted with a known flaw, simply because some intelligence agencies might get some data. That is not acceptable," Lieu said.

It must also be said that Nohl and the investigative team were granted access to the SS7 system by international cell networks so they could carry out their work legally. This gave them a foothold from which to attack Lieu's iPhone on a US carrier. It very much sounds as though 60 Minutes obtained more or less carrier status, and used that to drill into Lieu's iPhone comms.

Mobile operators should, in theory, have measures in place to prevent criminals from blagging their way into such a privileged position. In a way, this whole affair demonstrates that this sort of snooping is out of reach of legions of common and/or garden crooks, but within the grasp of corrupt insiders, powerful crime gangs, and government agents.

John Marinho, vice president of cybersecurity and technology at cell network group the CTIA, said: "While we are aware of the research hackers’ manipulation to exploit SS7 technology in the international wireless networks, it’s important to note that they were given extraordinary access to a German operator’s network.

"That is the equivalent of giving a thief the keys to your house; that is not representative of how US wireless operators secure and protect their networks. We continue to maintain security as a top industry priority." ®
