US congressman calls for investigation into vulnerability that lets hackers spy on every phone.

Vulnerabilities within SS7 mobile phone network brokerage system allow attackers to listen to calls, read messages and track location using just a phone number.
A US congressman, hacked as part of a demonstration showing that all you need is someone’s phone number to record their calls, texts and location, has called for an oversight committee investigation into the “significant vulnerability.”
The security flaws within the system that brokers connections, billing and transfers messages between phone networks – called Signaling System No 7 (SS7), also known as C7 in the UK or CCSS7 in the US – allow remote access to mobile phone users’ data anywhere in the world regardless of the security of their smartphone, using just their phone number.
The Californian congressman Ted Lieu said: “The applications for this vulnerability are seemingly limitless, from criminals monitoring individual targets to foreign entities conducting economic espionage on American companies to nation states monitoring US government officials.”
While encrypted messaging services such as WhatsApp are unaffected, SMS messages and calls placed across the mobile phone network can be listened in to, read and recorded, while the location of the phone can be tracked using the mobile network’s location services independent of GPS or other location technologies on the phone.
Lieu said: “The vulnerability has serious ramifications not only for individual privacy, but also for American innovation, competitiveness and national security. Many innovations in digital security – such as multi-factor authentication using text messages – may be rendered useless.”
The hackers demonstrating the attack in 2014, and again for 60 Minutes, explained that it is an “open secret” that law enforcement and security services, including the US National Security Agency, are aware of it and use it to spy on targets using just their phone number.
(Makes you wonder about the FBI claims about the San Bernardino case, doesn’t it? Not to mention their continued assault on Apple.)
As the vulnerability is within the mobile phone network infrastructure, there is nothing users can do to protect themselves beyond switching off their phone.
Read Article (Samuel Gibbs | theguardian.com | 04/19/2016)
This should be an eye-opener! The Europeans got it right in getting tougher on Internet data privacy for individuals with their recent legislation. If you need to communicate private information, this is ANOTHER example of why NOT to make it mobile.
There’s another practice the US should adopt from the EU, and it’s that individuals (members of society) come before businesses. The first concern after a data breach should always be the individual; businesses come second, and all press statements should reflect this order of precedence.