Feds finally decide to do something about years-old SS7 spy holes in phone networks

And Diameter, too, for good measure

The FCC appears to finally be stepping up efforts to secure decades-old flaws in American telephone networks that are allegedly being used by foreign governments and surveillance outfits to remotely spy on and monitor wireless devices.

At issue are the Signaling System Number 7 (SS7) and Diameter protocols, which are used by fixed and mobile network operators to enable interconnection between networks. They are part of the glue that holds today's telecommunications together.

According to the US watchdog and some lawmakers, both protocols include security weaknesses that leave folks vulnerable to unwanted snooping. SS7's problems have been known about for years and years, as far back as at least 2008, and we wrote about them in 2010 and 2014, for instance. Little has been done to address these exploitable shortcomings.

SS7, which was developed in the mid-1970s, can be potentially abused to track people's phones' locations; redirect calls and text messages so that info can be intercepted; and spy on users.

The Diameter protocol was developed in the late-1990s and includes support for network access and IP mobility in local and roaming calls and messages. It does not, however, encrypt originating IP addresses during transport, which makes it easier for miscreants to carry out network spoofing attacks.

"As coverage expands, and more networks and participants are introduced, the opportunity for a bad actor to exploit SS7 and Diameter has increased," according to the FCC [PDF].

On March 27 the commission asked telecommunications providers to weigh in and detail what they are doing to prevent SS7 and Diameter vulnerabilities from being misused to track consumers' locations.

The FCC has also asked carriers to detail any exploits of the protocols since 2018. The regulator wants to know the date(s) of the incident(s), what happened, which vulnerabilities were exploited and with which techniques, where the location tracking occurred, and — if known — the attacker's identity.

This time frame is significant because in 2018, the Communications Security, Reliability, and Interoperability Council (CSRIC), a federal advisory committee to the FCC, issued several security best practices to prevent network intrusions and unauthorized location tracking.

Interested parties have until April 26 to submit comments, and then the FCC has a month to respond.

'Grave threats posed by carriers' lax security'

The FCC's call for comments comes in response to a request from US Senator Ron Wyden (D-OR) who last month asked that the White House "address the grave threats posed by wireless carriers' lax cybersecurity practices [PDF]."

These threats, according to Wyden, are caused by flaws in SS7 and Diameter, and have been abused by "authoritarian governments to conduct surveillance" and obtain people's information.

"America needs to ramp up our defenses against mercenary surveillance companies that help foreign dictators threaten US national security, human rights and journalists working to expose wrongdoing," Wyden said in a statement. "I look forward to working with the FCC to secure America's phone networks through mandatory minimum cybersecurity standards."

This isn't the first time Senator Wyden has demanded the government address vulnerabilities in SS7 — or the first time he's called the protocol flaws a national security issue.

In April 2023, the senator accused AT&T of "concealing vital cybersecurity reporting" about its FirstNet phone network used by first responders and the US military.

In a letter sent to the US government's CISA and NSA, Wyden called for an annual cybersecurity audit of FirstNet because of SS7 misuse.

"These phone network vulnerabilities are being actively exploited to conduct cross-border surveillance," Wyden wrote. ®

Send us news

FCC names and shames Royal Tiger AI robocall crew

Agency is on the lookout for a Prince among men

Microsoft fixes a bug abused in QakBot attacks plus a second under exploit

Plus: Google Chrome, Apple bugs also exploited in the wild

AWS CISO tells The Reg: In the AI gold rush, folks are forgetting application security

'Everybody's learning as they go. But there's a rush to get these apps out'

68 tech names sign CISA's secure-by-design pledge

Security's an uphill battle ... does this latest move have teeth?

Three-year-old Apache Flink flaw under active attack

We know IT admins have busy schedules but c'mon

70% of CISOs worry their org is at risk of a material cyber attack

Wait, why do you want this job again?

'Cyberattack' shutters Christie's website days before $840M art mega-auction

Going once, going twice, going offline

Here's yet more ransomware using BitLocker against Microsoft's own users

ShrinkLocker throws steel and vaccine makers into the hurt locker

FCC boss wants political ads to admit when they were made using AI

How about just flag up the adverts not using machine learning

Aussie cops probe MediSecure's 'large-scale ransomware data breach'

Throw another healthcare biz on the barby, mate

First LockBit, now BreachForums: Are cops winning the war or just a few battles?

TLDR: Peace in our time is really really hard

Crims abusing Microsoft Quick Assist to deploy Black Basta ransomware

Spoiler alert: it's not really IT support controlling your device