How insecure is America's FirstNet emergency response system? Seriously, anyone know?
Senator Wyden warns full probe needed into vital comms network
AT&T is "concealing vital cybersecurity reporting" about its FirstNet phone network for first responders and the US military, according to US Senator Ron Wyden (D-OR), who said the network had been dubbed unsafe by CISA.
In a letter [PDF] sent to the US government's Cybersecurity and Infrastructure Security Agency (CISA) and NSA, the senator called for an annual cybersecurity audit of FirstNet, citing a nearly half-century-old phone signalling protocol that miscreants and spies can exploit to track mobile devices and intercept their calls and texts. Those same techniques could be used to disrupt FirstNet, it's feared.
"These phone network vulnerabilities are being actively exploited to conduct cross-border surveillance," Wyden wrote.
At issue is Signaling System No. 7 (SS7), a protocol developed in the mid-1970s and used by network operators to connect one network to another. It's rather vulnerable to misuse, and has been abused to determine a cellphone's location, redirect and read its incoming text messages, snoop on calls, and more.
"These security flaws are also a national security issue, particularly if foreign governments can exploit these flaws to target US government personnel," Senator Wyden said in his April 12 letter, adding he's "particularly concerned about FirstNet."
AT&T operates FirstNet under a $6.5 billion contract with the US government. It's a nationwide network intended to allow police, firefighters, and paramedics to transmit data and communications across multiple regions and jurisdictions without worrying about the transmissions being lost to overcrowded networks, particularly during disasters.
This is all good in theory — until it's compromised or abused by criminals and foreign governments via things like SS7.
Wyden says he met an expert at CISA on the matter in February 2022 who told him that America's cybersecurity agency "had no confidence in the security of FirstNet, in large part because they have not seen the results of any cybersecurity audits conducted against this government-only network."
This, according to Wyden, is because AT&T is "unwilling" to share the results of independent cybersecurity audits of FirstNet with CISA, the NSA, other government agencies, or even Congress.
AT&T did not respond to The Register's specific inquiries about the FirstNet cybersecurity audits, though a FirstNet Authority spokesperson emailed us the following statement:
"The FirstNet Authority prioritized cybersecurity in the planning for the public safety broadband network, and it continues to be a top priority for us today. The FirstNet network is designed with a defense-in-depth strategy that goes well beyond standard commercial network security measures. The FirstNet Authority performs robust and ongoing cybersecurity reviews of the network and will continue to work with its contractor, AT&T, as well as our public safety and federal partners, to deliver a highly secure, reliable network for America's first responders."
Wyden, however, has a different point of view.
"Concealing vital cybersecurity reporting is simply unacceptable," Wyden wrote. "As the lead agencies responsible for the government's cybersecurity, CISA and NSA need to have access to all relevant information regarding the cybersecurity of FirstNet, and Congress needs this information to conduct oversight."
Further, if the government agencies and Congress can't get access to the FirstNet audits commissioned by AT&T, then these public bodies should commission their own annual audits, Wyden added. "If you lack the resources or authority to conduct such audits, please indicate as much, so that Congress can take the necessary steps to address this gap."
In closing, he also requests a copy of a report commissioned by CISA ominously titled "US telecommunications insecurity 2022." CISA has thus far refused Wyden's "multiple requests" for a copy. For the record: we'd like a copy, too. It sounds like a great bedtime read.
When asked about Wyden's letter, a CISA spokesperson told The Register: "CISA does not comment on congressional correspondence; we will respond to the Senator directly."
The NSA did not respond to The Register's request for comment. At press time, Wyden's office had not heard back from either agency.