An international team of cybersecurity experts hacked into an iPhone loaned to a U.S. congressman who sits on a key technology committee, in a 60 Minutes demonstration of how easy it is for a criminal to spy on callers by exploiting an international mobile phone network vulnerability. The segment aired Sunday.
The hackers were able to listen in on a call by Rep. Ted Lieu, D-Calif., who sits on the House Oversight and Reform Subcommittee, just by getting the actual phone number he was using, according to the program.
The team, led by German security researcher Karsten Nohl, easily penetrated the Signalling System No. 7 network, which it then could use for everything from listening in on calls to tracking the caller’s movements and intercepting text messages.
Lieu, who volunteered to participate in the hacking demonstration, characterized the ease with which the researchers were able to access the phone data as “creepy,” and said demonstration left him feeling angry.
Call for Investigation
“The congressman is exploring policy fixes for the SS7 flaw,” said Jack d’Annibale, senior advisor to Lieu.
In fact, he has called for an investigation by the House Committee on Oversight and Government Reform, he told TechNewsWorld.
“The applications for this vulnerability are seemingly limitless, from criminals monitoring individual targets to foreign entities conducting economic espionage on American companies to nation states monitoring U.S. government officials,” Lieu wrote in a letter sent Monday to Rep. Jason Chaffetz, R-Utah, chairman of the OGR committee.
“The vulnerability has serious ramifications not only for individual privacy, but also for American innovation, competitiveness and national security,” Lieu wrote. “Many innovations in digital security — such as multifactor authentication using text messages — may be rendered useless.”
Network Still Vulnerable
The computer security team that carried out the 60 Minutes demo first uncovered the SS7 vulnerability at a German hacking conference in 2014.
“These vulnerabilities are quite serious, and they certainly warrant immediate action by nearly every phone company which is part of the SS7 system,” said Cooper Quentin, staff technologist at the Electronic Frontier Foundation.
“It is a near certainty that criminals and spies are exploiting this vulnerability for nefarious purposes,” he told TechNewsWorld.
The U.S. government cannot solve the problem on its own, Quentin added, because the vulnerability is shared by phone companies around the globe, who must work together to fix the problem.
Network vs. Device
Discussions about phone security generally center on one of two issues, noted Christopher Budd, global threat communications manager at Trend Micro. Those issues boil down to either the security of the device or the security of the network.
Some of the issues raised by the 60 Minutes piece relate to the network as opposed to the device.
“By and large, while these are interesting and even scary sometimes, they’re not something that most people should worry about,” Budd told TechNewsWorld.
Carrying out an attack requires a degree of focused resources against a target, he pointed out, and most regular phone customers are not targets.
Carriers have security teams that typically focus 24x7x365 on the security of their networks, Budd noted. The thing that most people can control is the security of their individual device, which requires running mature security software to keep it up to date.
“That last in particular is important,” he said, “because so many Android devices have been abandoned for updates by the carriers and manufacturers that it’s impossible to keep them up to date.”
It’s also advisable to keep multiple layers of security on a phone.
“As a security company, we see an increasingly large number of requests for details about how we protect sensitive customer data from third-party access,” said GreatHorn Vice President Chris Fraser.
“Encryption is part of that narrative,” he told TechNewsWorld.
Cybercriminals can find subtle and creative ways to bypass security controls that are put into place, Fraser pointed out, and the best way to prevent against such an exploit is never to rely on one method of cyberprotection as the failsafe.
“Relying on encryption, or any single security approach or tool — whether it’s a passcode on a mobile device or an antivirus tool — is a flawed and seemingly failure bound strategy,” he said. “What you need is defense in depth.”