In the mid-1960s, enterprising hackers realized that by blowing a certain whistle into a telephone, they could trick the network into routing their call anywhere for free. When phone networks caught wind of this, they changed the way the system worked by splitting the channel carrying the voice signal from the channel carrying the call. One of the results was Signaling System 7, which became a global standard in 1980. SS7 stopped “phone phreaks,” as they were called. But the system, built when there were only a handful of state-controlled telecom companies, has become woefully inadequate for the mobile age, leaving dangerous vulnerabilities at the heart of international phone networks. It's time to fix them.
For more than 15 years, experts have known that SS7 (or, occasionally, a later system called Diameter) can be abused to locate a phone user, intercept their text or voice data, or send text messages or spyware to a device. Russia has abused SS7 to track dissidents abroad. In 2018, the United Arab Emirates reportedly used it to find and then kidnap a fugitive princess. Earlier this year, a U.S. cybersecurity official told the Federal Communications Commission (FCC), a regulator, that similar attacks had occurred in America.
Like the internet, SS7 is built on trust, not security. That was reasonable when the protocol was first introduced, when only a few telecoms had access to it. Today, thousands of such companies can, the vast majority of them private. The complexity of the networks has also increased. Handsets roam from one provider’s jurisdiction to another, requiring a handoff. Text messaging is routinely used for essential transactions: think of the SMS authentication codes in global banking. And providers in one country can use SS7 to connect to others: the 2018 attack in the Emirates appears to have affected the Channel Islands, a lightly regulated British territory, as well as the Americas, Cameroon, Israel and Laos.
Unless they use burner phones and don a tinfoil hat, ordinary people can’t completely escape the dangers of SS7. A sensible step would be to routinely use end-to-end encrypted messaging apps like iMessage, Signal or WhatsApp for texts and calls. Companies could ensure that two-factor authentication codes come via an app, rather than via text messages, which can be easily intercepted. However, because phones still need to connect to mobile towers, these precautions can’t hide where a caller is.
In March, the FCC announced that it was finally investigating “countermeasures” against SS7 and Diameter location tracking. Most major U.S. wireless carriers have deprecated SS7. But much of the world still uses it. And Diameter is still vulnerable. These systems can be protected by using filters that detect and block suspicious traffic. Many carriers, however, have resisted this. One reason is that filtering is technically complex and can easily go wrong by blocking important commands. Another reason is that companies have resisted the cost. Few want to make it harder or more expensive for data to flow from their network to others.
Underlying all this is a collective action problem. If only a handful of companies are affected by SS7, but others ignore it, the system remains insecure. That’s why national regulators need to step in. They’ve been avoiding action for too long.
© 2024, The Economist Newspaper Limited. All rights reserved. From The Economist, published under license. Original content can be found at www.economist.com