The Federal Communications Commission said this week it will take up an investigation into Signal System Seven (SS7) in the wake of a 60 Minutes report that highlighted security flaws in the network.
The 60 Minutes report, which aired Sunday, exposed a vulnerability in SS7 that allows hackers to gain access to a user’s emails, texts, contacts, phone conversations, location information and more using nothing more than their phone number. The flaw was first demonstrated by German hacker Karsten Nohl in 2014, but has apparently not been fixed since that time.
SS7 is a set of protocol standards that controls signaling for the public switched telephone network, allowing mobile carriers around the world to pass information across their networks.
Though wireless organization CTIA sought to reassure the public that SS7 is subject to the highest security standards by U.S. carriers, the FCC has decided to delve deeper.
FCC Public Safety Bureau Chief Admiral David Simpson said the FCC has tasked its Communications Security, Reliability and Interoperability Council (CSRIC) with looking into the matter.
“The ‘60 Minutes’ report highlights the inherent risk encountered when an end-of-life technology is incrementally replaced by a new one,” Simpson said in a statement. “The demonstration shown in the segment underscores the importance of vigilance by our nation’s communications providers as they phase out SS7 and transition to IP-based networks. The Commission highlighted similar concerns in our Tech Transitions proceeding, and we have made clear that we expect communications providers to proactively assess security risks and take affirmative steps to address vulnerabilities. We will task the CSRIC to examine the end-of-life transition of SS7 to IP-based technologies.”
According to Gigamon Director of Service Provider Solutions Andy Huckridge, the transition from SS7 to IP-based technologies is exactly the reason why operators haven’t yet addressed the vulnerability.
“This is nothing new as we’ve known about the issues with SS7 for some time,” Huckridge said. “While the flaw really should be fixed, today it’s at the bottom of the pile in terms of mobile security concerns.”
Huckridge said SS7 protocols are used for text messages and phone calls, but have no impact on 4G or Wi-Fi services. Since services are increasingly IP-based – with the data flowing over the open internet – carriers have turned their attention to mitigating the greater hacking risks there.
Huckridge said one way operators can halt hackers is by increasing visibility into their networks and subscriber activity so tools designed to spot suspicious activity can do their job better.
“There is always the possibility that hackers will get in, but network operators can severely hinder their chances by increasing visibility,” Huckridge said. “The SS7 issue is a serious flaw, there’s no argument there, but it most certainly isn’t the biggest security challenge operators are facing today or will face in the future and that needs to be considered urgently.”