The recent “60 Minutes” broadcast on CBS showed how a team of hackers in Germany was able to hack a U.S. Congressman’s cellphone, listen to his calls and track his movements using his mobile phone number.
The Berlin-based team is made up of white-hat hackers who look for computer and device vulnerabilities so they can be fixed. They were able to access a test phone provided to U.S. Rep. Ted Lieu of California by using the global phone carrier network called Signaling System Seven (SS7).
However, critics of the 60 Minutes report said the SS7 network is not one that most hackers have access to, meaning the vulnerability is not one most people need to be concerned about. They also said the SS7 vulnerability is not a new discovery or development.
Individual Security Settings Have ‘No Influence’
During last night’s broadcast, Sharyn Alfonsi reported that German hacker Karsten Nohl and his team at Security Research Labs had legal permission from several phone carriers to access the SS7 network for their vulnerability research. “[T]he carriers wanted Nohl to test the network’s vulnerability to attack,” the report stated. “That’s because criminals have proven they can get into SS7.”
Nohl demonstrated how his team was able to listen in on Lieu’s phone calls and even track his movements through the device’s GPS chip. He noted the SS7 vulnerability isn’t one that individual device owners can control through their security settings.
“[A]ny choices that a congressman could’ve made, choosing a phone, choosing a pin number, installing or not installing certain apps, have no influence over what we are showing because this is targeting the mobile network,” Nohl told 60 Minutes. “That of course, is not controlled by any one customer.”
Hoping Media Attention Leads to Fix
Following last night’s broadcast, some users on Reddit criticized the implied risks. “To be able to take advantage of SS7, you have to have equipment that talks SS7 (either a simulator or a telephone switch), and convince other telephone companies that you are a telephone company, and get them to link and peer with you,” Redditor isakmp wrote.
Another user wrote, “SS7 switches are both fewer in number and much more protected than even the switches that are routing core traffic for the Internet. This article is kind of like saying this . . . ‘Look at how easy it is to steal the gold from Ft. Knox,’ and then revealing that in order for this gold stealing ‘hack’ to take place all the doors were unlocked and the facility left unmanned.”
In late 2014, the Washington Post reported that Nohl and another German security researcher, Tobias Engel, each discovered the SS7 vulnerabilities earlier that year.
“The researchers did not find evidence that their latest discoveries, which allow for the interception of calls and texts, have been marketed to governments on a widespread basis,” the Post noted at that time. “But vulnerabilities publicly reported by security researchers often turn out to be tools long used by secretive intelligence services, such as the National Security Agency or Britain’s GCHQ, but not revealed to the public.”
Earlier today, hacker/security researcher Dino Dai Zovi noted in a tweet that Nohl “described that each carrier had to fix [the vulnerability] on *their* network individually. Consumers can’t do anything to fix it.” In another tweet, he added, “Maybe with nat’l media and congressional attn, those responsible for vuln will fix it.”