Two Democratic legislators are pushing the FCC to close security flaws across telecom infrastructure, including issues in Signaling System 7 (SS7) that were highlighted in a 60 Minutes report last year.
In a letter sent to new FCC Chairman Ajit Pai on Tuesday, Rep. Ted Lieu (D-Calif.) and Sen. Ron Wyden (D-Ore.) urged the FCC to swiftly rectify “the industry’s lax approach to cybersecurity” and address “fundamental security threats to our mobile phones.” The lawmakers said security threats in the telco space – SS7 included – “are no less dangerous than those cybersecurity threats that receive far more attention from other government agencies.”
The missive follows the FCC’s release of a report from its Communications Security, Reliability and Interoperability Council (CSRIC), which was responsible for investigating SS7 cybersecurity issues showcased in the 60 Minutes report last April. The news report drew attention to a flaw first discovered in 2014 that can allow hackers to gain access to a cell phone user’s information using nothing more than the device’s cellular number.
SS7 is a set of protocol standards that controls signaling for the public switched telephone network. The flaw in SS7 impacts all phones that function on a cellular network.
The CSRIC found complicit or compromised operators put all telecommunications protocols used to interconnect networks at risk, and set out a series of recommendations – including a layered approach to security and improved firewalls – to remedy the situation.
While the lawmakers commended the FCC for initiating the CSRIC investigation, they said there were a number of addition security issues not addressed by the Council. Lieu and Wyden said the FCC should establish a new CSRIC working group with an expanded scope to review the remaining issues. The previous CSRIC’s charter ended on March 18.
“It is clear that industry self-regulation isn’t working when it comes to telecommunications cybersecurity,” they wrote. “We urge you to take swift action in this area in three ways. First, by forcing the cellular industry to address these serious cybersecurity vulnerabilities. Second, by warming the American public that their movements, communications, and devices may be vulnerable to foreign governments and hackers. And third, by promoting the use of end-to-end encryption apps, which, as the CSRIC working group stated, can be used to mitigate some of the SS7 risks.”
This isn’t the first time Lieu has chimed in on SS7.
Back in August, Lieu encouraged the FCC to hasten its CSRIC investigation in light of foreign hacks of the Democratic and Republican Congressional Campaign Committees.
“The SS7 problem is no longer a theoretical threat,” Lieu wrote at the time. “We now have a mass release of cell phone numbers of Members of Congress likely caused by a Russian government that has full access to utilize the SS7 flaw.”
Filed Under: Cybersecurity, Infrastructure