SS7 Cell Network Extensively Exploited by “Nefarious Actors”

“I don’t think most Americans realize how insecure US telephone networks are. If more consumers knew how easy it is for bad guys to track or hack their mobile phones, they would demand the FCC, and wireless companies do something about it. These aren’t just hypotheticals.”

The above statement was made last week by Senator Ron Wyden (D-Ore.) after getting a letter from the Department of Homeland Security warning that “nefarious actors may have exploited” worldwide cellular networks “to target the communications of American citizens.”

Wyden on Tuesday explained the issue in a separate letter to Ajit Pai, chairman of the Federal Communications Commission (FCC) responsible for regulating interstate communications:

“Hackers can exploit SS7 flaws to track Americans, intercept their calls and texts, and hack their phones to steal financial information, know when they are at home or away, and otherwise prey on unsuspecting consumers. Moreover, according to multiple news reports, SS7 spying products are widely available to both criminal and foreign governments.”

Disturbingly, the letter reveals that:

“This threat is not merely hypothetical – malicious attackers are already exploiting SS7 vulnerabilities. One of the major wireless carriers informed my office that it reported an SS7 data breach, in which customer data was accessed, to law enforcement.”

There is no clarity whether the warning refers to state-sponsored entities acting for political gain or criminal hackers for financial benefit. It is also unclear who the wireless carrier is and the extent of the breach.

What is SS7?

Signaling System No. 7 (SS7) is a set of signaling protocols that provide the backbone for all mobile phone communication everywhere in the world. It enables phone networks to communicate among themselves to connect users and pass messages between systems, ensure correct billing, and to grant users to roam on other networks.

Image result for ss7

 

SS7 system, first developed in the 1970s is old in technological terms. Critically, no-one at the time thought of building any security measures into it.

It was known to be insecure at least 2008 onwards, and the situation has worsened in recent years. Previously there were only a few mobile networks, and now there are literally thousands worldwide. The industry made no changes as the risks were accepted to be purely theoretical.

This altered in 2014 when vulnerabilities in SS7 enabled hackers to record a somewhat embarrassing secret unencrypted phone conversation between the US ambassador to Ukraine, Geoffrey Pyatt, and US Assistant Secretary of State, Victoria Nuland, in which Pyatt was highly critical of the EU.

It was believed that using encrypted messaging apps such as WhatsApp, Facebook Messenger, Google Hangouts, and Viber, would secure communications.

However, in 2016, a security researcher showcased how hackers with access to the SS7 network could spoof users’ identities and set up fake accounts which would grant them access to messages belonging to users of many messaging apps that rely on phone numbers to authenticate users.

In 2017 O2 Telefonica in Germany confirmed that criminals used the SS7 network to bypass SMS-based two-factor authentication (2FA) to steal money from bank accounts.

Action Time?

Wyden lettered to the FCC urging the regulator to address the problem accurately and to compile a list of SS7 violations known to have happened over the last five years.

This is not the first instance for a call-to-action as in 2016, US congressman Ted Lieu (D-Calif.) made a similar plea, calling for an oversight committee investigation into SS7:

“The applications for this vulnerability are seemingly limitless, from criminals monitoring individual targets to foreign entities conducting economic espionage on American companies to nation states monitoring US government officials. … The vulnerability has serious ramifications not only for individual privacy but also for American innovation, competitiveness, and national security. Many innovations in digital security – such as multi-factor authentication using text messages – may be rendered useless.”

The investigation took place, but the FCC working group responsible for it mainly comprised of telecoms industry lobbyists and not a single academic expert.

The SS7 -Spies Love It!

Initial concerns over the SS7 network was tracking; now there are fears of personal data being accessed from just about every phone user in the world.

As said earlier, it can be used to intercept encrypted communications and 2FA security measures.

According to the Washington Post, “American, Chinese, Israeli and Russian intelligence agencies are the most active users of SS7 surveillance.”

Just this month news came out that US police can find the location of any phone in the country in seconds thanks to SS7. Worse still, barely days after this revelation came to light it was reported that this information was quite easy for hackers to access.

SS7 is a double-edged sword because security companies around the world thrive selling SS7 hacking tools to governments, police forces, and criminals with even benefitting from it. Brian Collins, chief executive of AdaptiveMobile Security, told the Washington Post about this.

Even with the knowledge of SS7 being a threat to US national security, it appears that the US government is least bothered about the problem. The driving factor could be that of SS7’s mass-surveillance capabilities which are too precious to kill off.

 

BPI Calls for Piracy Crackdown Under New UK Internet ‘Clean-Up’ Laws

This week, Matt Hancock, Secretary of State for Digital, Culture, Media, and Sport, stated new measures would be taken to clean up the ‘Wild West’ elements of the Internet.  Music group BPI responded by saying says the government should use the opportunity to tackle piracy with advanced site-blocking measures, repeat infringer policies, and new responsibilities for service providers.Image result for bpi

The UK Government has for the past several years expressed a strong desire to “clean up” the Internet.

There has been an intense emphasis on making the Internet safer for children, but that’s just the tip of the iceberg.

This week, the Government responded to the Internet Safety Strategy green paper, stating unequivocally that more needs to be done to tackle “online harm”

Considering every six out of ten people face “online harm”, the government while working with social media companies to protect users had seen positive results but the overall outlook has been below par.

For this reason, the Government will introduce new legislation, albeit with the assistance of technology companies, children’s charities and other stakeholders.

The Government has cleared that it wishes to tackle “the full range” of online harms, even though the emphasis is being placed on cyberbullying and online child exploitation. This move has been warmly received by UK music group BPI and thereby requesting the Government to introduce new measures to tackle Internet piracy.

BPI chief executive Geoff Taylor in a statement issued this week welcomed the move towards legislative change and urged the Government to encompass the music industry and beyond.

The BPI has published four initial requests.

  • Establish a new fast-track process for blocking unauthorized sites.
  • Compel online platforms to stop content from being re-posted after it’s been taken down while removing the accounts of repeat infringers.
  • Fines for “online operators” who do not give “transparent contact and ownership information.”
  • Pass laws for a new “duty of care” for online mediators and platforms.

To be published later this, the Department for Digital, Culture, Media & Sport and the Home Office will work on a White Paper to pass laws to tackle “online harms”. The BPI and similar entities will hope that the Government will also do the same.

 

Despite US Criticism, Ukraine Cybercrime Chief Gets Few Piracy Complaints

The previous year the MPAA, RIAA and other groups asked the U.S. Government to impose sanctions on Ukraine accusing them of failing to fight against online piracy. The European Commission also warned Ukraine of damaging its relations with the EU. However, Ukraine’s head of cyber-police unit said complaints received by him are few in number and are actually going down.

Ukraine over the past decade has played host to some of the world’s largest pirate sites.Image result for skull enter keyboard

The Pirate Bay, Kickass Torrents, ExtraTorrent, Demonoid and many other streaming portals have taken advantage of laws more favorable than those in the US and EU.

For this reason, Ukraine has been heavily criticized for not doing enough to combat piracy, but when placed under pressure, it does take action.

Over the years Ukraine has launched irregular actions against pirate sites and has taken steps to tighten up copyright law.

The Law on State Support of Cinematography came into effect April 2017 which gave copyright owners new tools to combat infringement.

The IIPA asked the U.S. government to suspend or withdraw Ukraine’s trade benefits until the online piracy situation improves.

But despite the criticism, Sergey Demedyuk, Ukraine cyber police chief says that while his department is committed to tackling piracy, it can only do so when complaints are filed with him.

“Yes, we are engaged in piracy very closely. The problem is that piracy is a crime of private accusation. So here we deal with them only in cases where we are contacted,” Demedyuk said in an Interfax interview.

Demedyuk does not know why complaints are going down but has claimed his unit takes action when asked to do so.

In the meantime, the Office of the United States Trade Representative has maintained Ukraine’s position on the Priority Watchlist.