Security experts have been warning for years about dangerously insecure technology at the heart of global communications. There is now evidence that it has been used to spy on citizens in the United States.
Kevin Briggs, an official with the US Cybersecurity and Infrastructure Security Agency, told the Federal Communications Commission (FCC), a regulatory body, earlier this year that there had been “numerous incidents of successful, unauthorized attempts” not only to steal location data and spy on voice and text messages in the United States, but also to distribute spyware (software that can take control of a phone) and influence American voters from abroad through text messages. These comments were recently published by 404 Media, a website specializing in technology issues.
The hacks are linked to an obscure protocol known as Signaling System 7 (SS7). Developed in the 1970s to allow telecommunications companies to exchange data to establish and manage calls, today SS7 has more users than the Internet. When it was introduced, security was not a major issue because only a few landline operators could access the system. Everything changed in the age of mobile phones. SS7 and Diameter, a newer protocol, are now crucial for a wide range of tasks, including roaming. According to the United States Department of Homeland Security, SS7 constitutes a special risk because there are “tens of thousands of entry points around the world, many of them controlled by states that support terrorism or espionage.”
Security experts have known for more than 15 years that the protocol is vulnerable in several ways. In 2008, Tobias Engel, a security researcher, demonstrated that SS7 could be used to identify a user’s location. In 2014, German researchers went further and showed that it could also be exploited to listen to calls or record and store voice and text data. Attackers could forward the data to themselves or, if they were close to the phone, take over the device and tell the system to provide the decryption key. Spy agencies have known all this for much longer. Many have taken advantage of it.
In April 2014, Russian hackers exploited SS7 to locate and spy on Ukrainian political figures. In 2017, a German telecommunications company acknowledged that attackers had stolen money from its customers by intercepting authentication codes sent by SMS from banks. In 2018, an Israeli private intelligence company used a mobile operator in the British territory of the Channel Islands to gain access to SS7 and, from there, to users around the world. That route is believed to have been used to locate an Emirati princess kidnapped by the United Arab Emirates in 2018. And in 2022 Cathal McDaid of ENEA, a Swedish telecommunications and cybersecurity company, revealed that Russian hackers had long been locating and listening to Russian dissidents abroad by the same means.
In 2014, Chinese hackers stole massive amounts of data from the Office of Personnel Management, the government agency that manages the US federal civil service. The most sensitive data was security clearance records, with very personal details about the officials. However, phone numbers were also stolen. According to partially declassified documents published by the Department of Homeland Security, US officials detected “anomalous traffic” in the summer of that year that they considered related to the leak.
Briggs’ comments to the FCC highlight the extent of the SS7 problem. “Overall,” he said, the incidents he reported were “just the tip of the massive iceberg of successful SS7- and Diameter-based tracking and monitoring exploits.” That reminds us that, although unencrypted phone calls and SMS have become less frequent, the backbone of mobile networks remains highly insecure. Mobile network operators can block some of these attacks, but most have not taken adequate precautions, experts say.
Phone users can protect themselves from SS7-based eavesdropping (but not location identification) by using end-to-end encrypted apps such as WhatsApp, Signal or iMessage. However, those apps can also be outwitted by spyware that takes over a device and records keyboard input and screen activity. In April, Apple warned users in 92 countries that they had been targeted by a “mercenary spyware attack.” On May 1, Amnesty International released a report alleging that “a murky ecosystem of surveillance providers, brokers and resellers” from Israel, Greece, Singapore and Malaysia had put powerful spyware into the hands of multiple Indonesian state agencies. That’s also the tip of the iceberg.
© 2024 The Economist Newspaper Limited. All rights reserved
Translation: Juan Gabriel López Guix