Can Congress do anything to address SS7 risks? Some say yes
May 9, 2017
By Daniel B. Garrie & Elad Yoran
Politicians are becoming increasing aware and concerned about cybersecurity issues. One need look no further than two recent letters written by Senator Ron Wyden (D-Ore), senior member of the Senate Intelligence Committee, and Representative Ted Lieu (D-Calif.). Both are leading congressional advocates for stronger cybersecurity and privacy measures.
The first letter was sent on March 15, 2017 to John Kelly, Secretary of Homeland Security. The second letter was sent on March 28, 2017 to Ajit Pai, Chairman of the Federal Communications Commission. The letters focus on the specific risks introduced by Signaling System 7 (SS7), suggesting that the executive branch may not be moving fast enough to address this risk, and asserting, among other things, that the “FCC has not to date, prioritized cybersecurity.”
SS7 is a set of 1970s era protocols used by most of the world’s telephone networks. Its original purpose was to establish and disconnect calls made over the public switched telephone network (PSTN). Today, SS7 protocols are used in providing a broad array of mobile device services, including global roaming and SMS text messaging.
In early 2006, a major flaw in the SS7 protocol, allowing sophisticated hackers to intercept cell phone conversations, data and text messages, was exposed. This led the FCC to open up an investigation into the SS7 flaw, and, on March 15, 2017, an expert report commissioned by the FCC — Communications Security, Reliability and Interoperability Council (CSRIC) V working group 10 Final Report (“Final Report”) — confirmed that bad actors, including criminals, hackers, and foreign countries, readily could exploit a number of SS7 vulnerabilities to track, surveil and hack Americans’ mobile phones.
To read the full article, go to SC Magazine.