SS7 routing-protocol breach of US cellular carrier exposed customer data

40-year-old SS7 is being actively used to track user locations and communications.

The US Department of Homeland Security recently warned that malicious hackers may have targeted US phone users by exploiting a four-decades-old networking protocol used by cell phone providers around the world, according to a spokesman for US Senator Ron Wyden (D-Ore.). Meanwhile, the spokesman said, one of the nation’s major cellular carriers recently experienced a breach of that same protocol that exposed customer data.

Short for Signalling System No. 7, SS7 is the routing protocol that allows cell phone users to connect seamlessly from network to network as they travel throughout the world. With little built-in security and no way for carriers to verify one another, SS7 has always posed a potential hole that people with access could exploit to track the real-time location of individual users. In recent years, the threat has expanded almost exponentially, in part because the number of companies with access to SS7 has grown from a handful to thousands. Another key reason: hackers can now abuse the routing protocol not just to geolocate people but, in many cases, to intercept text messages and voice calls.

SS7 already being exploited

In a letter Sen. Wyden received last week, DHS officials warned that “nefarious actors may have exploited” SS7 to “target the communications of American citizens,” Wyden spokesman Keith Chu told Ars, confirming an article published Wednesday by The Washington Post. On Tuesday, Wyden sent a letter to Federal Communications Commission Chairman Ajit Pai that heightened concerns about SS7 hacks on US infrastructure.

“This threat is not merely hypothetical—malicious attackers are already exploiting SS7 vulnerabilities,” Wyden wrote. “One of the major wireless carriers informed my office that it reported an SS7 breach, in which customer data was accessed, to law enforcement through the government’s Customer Proprietary Network Information (CPNI) Reporting Portal.”

Such reports are legally required when carriers believe customer data has been illegally accessed. Chu declined to say who the US carrier is.

It’s not clear if the DHS warning involving nefarious actors is related to the SS7 breach involving the unnamed US carrier. It’s also unknown how many customers are affected by the SS7 breach or whether the nefarious actors the DHS warned of work on behalf of a nation-sponsored espionage operation or as part of a profit-motivated crime operation. Chu said that neither the DHS nor US carriers have provided those details to Wyden’s office.

In 2016, US Representative Ted Lieu (D-Calif.) got a vivid demonstration of the threat posed by SS7. He gave reporters from CBS News magazine 60 Minutes permission to abuse their access to the routing protocol to record his calls and monitor his movements using nothing more than the public 10-digit phone number associated with the handset he used.

A year later, thieves used SS7 to bypass two-factor authentication that banks used to prevent unauthorized withdrawals from online accounts. The hack allowed the attackers to intercept one-time passwords before they could be received by the intended bank customers. Exploit brokers have offered $100,000 payouts for hackers who develop reliable SS7 exploits.