In the mid-1960s enterprising hackers realised that if they blew a particular toy whistle down the phone, they could trick the network into routing their call anywhere, free. When phone networks got wind of this, they changed how the system worked by splitting the channel carrying the voice signal from the one managing the call. One result was the Signalling System 7, which became a global standard in 1980. SS7 stopped “phone phreaks”, as they were known. But the system, built when there were only a handful of state-controlled telecoms companies, has become woefully inadequate for the mobile age, leaving dangerous vulnerabilities at the heart of international phone networks. It is time to fix them.
For more than 15 years experts have known that SS7 (or, occasionally, a later system called Diameter) could be abused to locate a phone user, intercept their text or voice data, or send texts or spyware to a device. Russia has exploited SS7 to track dissidents abroad. In 2018 the United Arab Emirates is thought to have used it to find and then abduct a fugitive princess. Earlier this year an American cyber-security official told the Federal Communications Commission (FCC), a regulator, that similar attacks had taken place in America.
Much like the internet, SS7 was built on the basis of trust, not security. That was reasonable when the protocol was introduced and only a few telecoms companies could access it. Today, many thousands of such firms can do so, the vast majority of them private. The complexity of the networks has also increased. Handsets roam from the jurisdiction of one provider to another, requiring a handover. Text messages are routinely used for vital transactions: think of the SMS authentication codes in global banking. And providers in one country can use SS7 to connect to others—the Emirati attack in 2018 appears to have involved the Channel Islands, lightly regulated British territories, as well as America, Cameroon, Israel and Laos.
Short of using burner phones and donning a tinfoil hat, ordinary people cannot completely escape the dangers of SS7. One sensible step would be to routinely use end-to-end encrypted messaging apps like iMessage, Signal or WhatsApp for texts and calls. Companies could ensure that codes for two-factor authentication come via an app, rather than SMS text messages, which can be easily intercepted. However, because phones still have to connect to mobile-network towers, these precautions cannot conceal where a caller is.
In March the FCC announced that it was at last exploring “countermeasures” to location-tracking via SS7 and Diameter. Most big American mobile operators have retired SS7. But much of the world still uses it. And Diameter is still vulnerable. These systems can be secured by using filters that detect and block suspicious traffic. Many telecoms firms have resisted this, however. One reason is that filtering is technically complicated and can easily go wrong if important commands are blocked. Another is that firms have balked at the expense. Few want to make it harder or costlier for data to flow from their network into others.
Underlying all this is a collective-action problem. If only a handful of firms deal with SS7 but others ignore it, the system will remain insecure. That is why national regulators need to step in. They have avoided action for too long.
© 2024, The Economist Newspaper Limited. All rights reserved. From The Economist, published under licence. The original content can be found on www.economist.com