The Department of Homeland Security knows which countries SS7 attacks are primarily originating from. Others include countries in Europe, Africa, and the Middle East.
The Department of Homeland Security (DHS) believes that China, Russia, Iran, and Israel are the “primary” countries exploiting security holes in telecommunications networks to spy on people inside the United States, which can include tracking their physical movements and intercepting calls and texts, according to information released by Senator Ron Wyden.
The news provides more context around use of SS7, the exploited network and protocol, against phones in the country. In May, 404 Media reported that an officialinside DHS’s Cybersecurity Insurance and Security Agency (CISA) broke with his department’s official narrative and publicly warned about multiple SS7 attacks on U.S. persons in recent years. Now, the newly disclosed information provides more specifics on where at least some SS7 attacks are originating from.
The information is included in a letter the Department of Defense (DoD) wrote in response to queries from the office of Senator Wyden. The letter says that in September 2017 DHS personnel gave a presentation on SS7 security threats at an event open to U.S. government officials. The letter says that Wyden staff attended the event and saw the presentation. One slide identified the “primary countries reportedly using telecom assets of other nations to exploit U.S. subscribers,” it continues.
“Those countries, according to the DHS presentation, are Russia, China, Israel and Iran,” it adds. The presentation also listed other countries where telecom assets are used to attack U.S. subscribers, including “a number of countries in Africa, Central/South America, and Europe, the Middle East.”
Cathal McDaid, VP Technology at Enea, which builds SS7 security products, told 404 Media in an online chat that “We have observed malicious signalling activity that we attributed to be ultimately from one or more of those countries mentioned on the list.”
Enea previously attributed malicious SS7 activity to Russia. Two other countries on the list, China and Iran, are adversaries to the U.S. But the fourth country, Israel, is an ally. Israel has conducted “aggressive” espionage campaigns against American targets for decades, according to a 2014 Newsweek report, citing U.S. intelligence and congressional sources. Israel is also a hotbed for surveillance firms, including those that engage in SS7 exploitation.
Karsten Nohl, founder and chief scientist of cybersecurity company Security Research Labs and who has extensively researched SS7, told 404 Media in an email that “We definitely observe geopolitical adversaries abusing SS7 weaknesses with impunity.”
In the newly released document, Senator Wyden’s office says the DoD confirmed it believes that all U.S. carriers are vulnerable to SS7 and Diameter surveillance, and that DoD has not reviewed third-party audits carried out by U.S. carriers of their own networks. “The DoD has asked the carriers for copies of the results of their third-party audits and were informed that they are considered attorney-client privileged information,” the DoD writes. Diameter is something of an efficiency upgrade to SS7, but it can still be attacked.
SS7 is used to route messages when a phone user roams outside of their area of normal coverage. But it is also leveraged by governments, surveillance contractors, and financially motivated criminals to target phones too. These malicious parties gain access to SS7 through legitimate telecommunications companies or even operating their own. They lease access to a Global Title, which is essentially an address to route messages with. With that access, attackers may be able to track a phone and person’s location, or intercept their communications armed with just their phone number. SS7 attacks are also used to deliver malware that can then infect the target’s mobile device itself.
It is different from other acts of espionage against U.S. telecommunications networks, like the recent hacks by suspected Chinese spies of Verizon and AT&T reported by the Wall Street Journal. Earlier this month, Deputy National Security Advisor for Cyber and Emerging Tech Anne Neuberger told reporters that China hacked “at least eight” U.S. telecoms, freelance journalist Eric Geller reported.
SS7, meanwhile, does not require hacking in the traditional sense, instead relying on fundamental issues in the network and protocol that treats any connection request as legitimate, even if carried out by a malicious party. For that reason, SS7 is a much more available spying tool to governments around the world. In 2020, researchers from Citizen Lab at the Munk School of Global Affairs and Public Policy at the University of Toronto identified many likely clients of SS7 exploitation company Circles. Those included Australia, Belgium, Botswana, Chile, Denmark, Ecuador, El Salvador, Estonia, Equatorial Guinea, Guatemala, Honduras, Indonesia, Israel, Kenya, Malaysia, Mexico, Morocco, Nigeria, Peru, Serbia, Thailand, the United Arab Emirates (UAE), Vietnam, Zambia, and Zimbabwe. Circles previously merged with notorious government malware developer NSO Group. NSO Group closed the Circles Cyprus office in 2020.
That same year, the Guardian reported a whistleblower provided evidence that Saudi Arabia was using SS7 to track its citizens as they traveled around the U.S.
The CISA official 404 Media reported on in May was Kevin Briggs. In a public filing with the Federal Communications Commission (FCC), Briggs laid out details of multiple SS7 attacks against the U.S., and said that he thinks the examples “are just the tip of the proverbial iceberg of SS7 and Diameter based location and monitoring exploits that have been used successfully against targeted people in the USA.”
“I believe there have been numerous incidents of successful, unauthorized attempts to access the network user location data of communications service providers operating in the USA using SS7 and/or Diameter exploits,” Briggs writes. “Much more could be said, but this ends my public comments,” he concluded.
When asked if the DoD is aware of any incidents in 2022 or 2023 in which DoD personnel, either in the U.S. or outside the country, were surveilled through SS7 or Diameter, the DoD said answering the question “requires a classified response.” The DoD provided the same answer when asked if it was aware of any SS7 or Diameter surveillance against personnel in Guam and Diego Garcia.
Some companies have emerged to try to plug those holes: The Navy contracted with a privacy and security focused phone network called Cape in Guam as part of a pilot program; the Navy previously told 404 Media the technology enhanced “both operational and information security.”
Pointing to how lingering of a security issue SS7 has been over the years, Nohl added “It’s amazing that we are still talking about SS7. Solving these issues takes a focused multi-months project at each telco to configure a signalling firewall. It’s not a trivial undertaking; and yet is dwarfed by the amount of time people talk about SS7 security rather than fixing the issues already.” He said that while some countries are sending hundreds of pings per target each day, and that many of those malicious requests will be blocked by SS7 firewalls, it’s “safe to assume that other state actors and criminals are leveraging SS7 for a similar information gain without creating this unnecessary noise.”
CISA did not respond to a request for comment. AT&T acknowledged a request for comment but ultimately did not provide a statement. Verizon and T-Mobile did not respond. Representatives for the Chinese, Russian, Iranian, and Israeli governments did not respond to requests for comment.
For those wondering, SS7 is Signaling System No. 7.
Signaling System No. 7 is a set of telephony signaling protocols developed in the 1970s that is used to set up and tear down telephone calls on most parts of the global public switched telephone network.
Maybe it’s time to upgrade…
Edit: Latest version, 03/93, is from March 1993.
What could have possibly changed in 30 years?
Backdoors they put for the good guys to spy after the bad guys surely haven’t.
Oh no, I hoped it was SamSho…
I wish! Lol (assuming you meant this SamSho)
Yes. 1-5 are way better than 7 though, especially 2. But whatever.
And the governments response to China, Russia, and Iran? “How dare you!!!”"
And their response to Israel? “Aww, it’s okay boo, you can keep going.”
Well of course, it’s part of 5 eyes. We spy on each other’s citizens and give each other the info so that we aren’t TECHNICALLY spying on our own people
Israel is not apart of 5 eyes…
Correct, Six eyes is proposed though.
Israel is probably the contractor that does the dirty work for the others.
They sell the spyware to the people doing the spying. Amazing software to get info on those pesky human rights lawyers and whistleblowers.
Yep, literally just a terror regime spying on us.
That we are aware of. Israel just so happens to house some of the most powerful intelligence corpos around
Then we spy on our own citizens anyways. We just use 5E as an excuse if we ever find anything we want to use publicly.
These are not the five eyes countries.
Better force everyone to keep installing backdoors for law enforcement. To keep everyone safe.
They forgot to mention the US spying on their citizens
You will never get me to care as much about foreign surveillance of my communications as I do about domestic surveillance of my communications.
Somebody start selling SS7 protection pendants online ASAP
I’ve got some magnetic bracelets that remove all SS7 toxins from your body. DM me if you’re interested. $50 is nothing compared to peace of mind from state-of-the-art tech.
What I really need is something to remove all the PFAs from my blood. I used a lot of metal utensils on old non stick pans in my life.
This is only an issue now that foreign adversaries are doing it too much.
Last 20 years with all this tech starting to look like a mega psyop… They didn’t microchip us but whatever this shit we got is about there in principle between corpos, domestic regime and foreign regime… Somebody is checking on your well being lol
They don’t need to microchip us, most people already carry around a phone everywhere 😅
Micrpchiping was psyop so we accept cellphones…
5g cancer is psyop so we accept 5g which can pin point your location within a 3d space.
I wonder why government wants to be able to do this…
5g can’t pinpoint shit cos it never has a stable connection 😂
I am sure once they add 5 more antennas, it will work fine. But yeah deployment is spotty now. Where is speed and latency improvements that were promised.
It’s an inherent physical limitation of higher frequencies, they bounce around and off buildings more, and less off the atmosphere, so I guess they will have better tracking just from there needing to be more cell towers and fewer of them visible to your phone at any given time, I’m not convinced that’s the main motivation for switching off 3g towers though 😅, just a coincidental opportunity for the surveillance state.
Veritasium had a good video recently about SS7, and how users can be tracked: https://www.youtube.com/watch?v=wVyu7NB7W6Y
No shit.
spiderman meme
. . . As well as DHS spying on us. They’re jealous.
Yet companies are still pushing 2FA over the PSTN. IMO, it’s worse than no 2FA since some companies have processes that essentially trust the outcome as a full validation. I can’t think of a less secure channel.