In today’s world, privacy and cyber security are headline-grabbing issues. Aside from COVID-19, they are the headline grabbers. Whether linked to state espionage, foreign election manipulation, hacking of financial accounts or the commercialization of our social media data, these stories prominently and regularly appear in the press.
As the internet has matured, consumers have learnt to live with the fact that there is no such thing as a free service - when something web related is free it is usually the consumer who is the product! However, for those of us working in telecommunications, whilst privacy and security may make the front-page headlines, the theme of signaling security has remained relatively obscure and mostly followed by specialists within the telecommunications industry.
However, December 2020 may be remembered as the month when that relative obscurity was side-lined and SS7 vulnerabilities hit the press worldwide. It started on 1 December with a paper published by The Citizen Lab, based at the University of Toronto. “Running in Circles: Uncovering the Clients of Cyberespionage Firm Circles” is a lengthy paper that explains how at least 25 countries, from Australia through to Zimbabwe, are using the product of a company called Circles to “snoop on calls, texts, and the location of phones around the globe”. Circles is related to the rather better-known NSO Group (see below). Its solution exploits well-known vulnerabilities in the SS7 signaling protocol (and in Diameter too). The article is full of recommendations that operators and regulators would do well to heed, which I will address later in this blog.
Two weeks later, reports from the UK addressed two other interesting stories. One alleged that China was spying on Americans by exploiting SS7. The second story explained the role of global titles and how these are leased to third parties. Remember, it is those global titles that are the gateway into SS7 manipulation and abuse. The article quoted a network stating that they lease global titles to businesses “who provide ‘legitimate services’ such as anti-fraud detection for banks and other services”. However, the article also explains that this is a potential area of great risk. A Whitehall source (for non-UK readers, this is a euphemism for the British Government) is quoted as describing “the SS7 protocol as ‘toxic, horrendous – yet one the world relies on’, adding ‘it can be abused to geolocate people’ but is complex to make secure because ‘if you get it wrong, you disconnect yourself from the rest of the world’”.
So what risks was that article referring to? Just days later, The Bureau of Investigative Journalism (TBIJ) published a very long article titled “Spy companies using Channel Islands to track phones around the world”. This is yet another blockbuster article that really shone a light on the murky business of global title leasing, and it includes some very upsetting real case studies. Some of you may be familiar with the story of the alleged kidnapping of Princess Latifa of Dubai in 2018. Amongst the many details in the TBIJ paper is evidence that global attempts were made to track the location of the captain of the yacht carrying Princess Latifa just minutes before the yacht was raided by commandos. Those attempts exploited the same well-known vulnerabilities in the SS7 protocol mentioned earlier. Further into the article, they reveal that revenues associated with one contract for leasing global titles were as high as $13,000 per month. Finally, the article reveals that Rayzone has targeted users in over 130 networks in 60 countries, and leased global titles from operators in Iceland, Sweden and Switzerland amongst others.
For the next news story, we return to The Citizen Lab. “The Great iPwn - Journalists Hacked with Suspected NSO Group iMessage ‘Zero-Click’ Exploit” deals with the activities of the aforementioned NSO Group and their Pegasus spyware solution. Apparently this was deployed against a number of journalists focussed on the Middle East. This story is not directly related to signaling security or hacking but nonetheless should be of interest to readers of this blog. It is abundantly clear that even using applications that encrypt communications can be no match for the most advanced adversaries.
I had finished this blog on Christmas Eve, confident that there would be no more relevant stories. In fact I was wrong: yet another story of interest appeared on TechCrunch just before New Year’s Eve. “NSO used real people’s location data to pitch its contact-tracing tech, researchers say”. This story revisits an earlier incident in which NSO failed to secure a database containing subscriber information, used as part of a potential COVID-19 tracking solution, allegedly relating to a large number of individuals from multiple countries. When TechCrunch reported the leak, NSO dismissed their concerns, stating that the data was “not based on real and genuine data.”
TechCrunch shared the data with Forensic Architecture, an academic unit at Goldsmiths, University of London that studies and examines human rights abuses. They assessed the data and stated it was likely to be real data. Obviously, it is important that we can trust suppliers that handle sensitive data. However, for me, the point of interest here was how they described NSO Group. I had previously noticed various reports referring to NSO Group’s Pegasus software as “spyware”. Forensic Architecture go significantly further, describing NSO Group as a “cyber-weapons manufacturer”. To me this makes clear that mobile networks face a significant adversary when they address network protection. This is an adversary that is far more sophisticated than mere fraudsters or ad-hoc hackers.
Having completed our whistle-stop tour of December’s news stories, I think it is appropriate to make two further observations.
- I have only listed a small sample of stories that hit the press. Each of these articles triggered dozens more news reports and local articles around the world.
- Mobileum welcomes coverage on well-documented vulnerabilities of telecommunications signaling. It is only right and proper that this important issue is brought to the public’s attention. However, as a policy, Mobileum will never publicly name any threat actors or sources of attacks.
Finally, I will return to the very first story – the one that The Citizen Lab published on 1 December. I circulated that story to an industry mailing list and included some extracts from the report in my email. I feel that the points in that article are absolutely critical, so I repeat them below. The emphasis is my own, but the words are from The Citizen Lab.
- 1. “we believe that the vulnerabilities inherent in the global telecommunications system require urgent action by governments and telecommunications providers. The global telecommunications sector provides significant opportunity for abuse by the surveillance industry and its customers in light of the continued failure of telecommunications operators and states to prevent such exploitation.”
- 2. “Governments across the globe should take action to protect their citizens and their own operations. Telecommunications regulatory bodies should conduct regular audits of national networks and mandate carriers to identify, disclose, and address vulnerabilities.”
- 3. “Wireless Carriers: Do This Now. We urgently recommend that telecommunication companies examine SS7 and Diameter traffic originating from providers in countries where we have identified a Circles deployment for patterns of abuse.”
- 4. “every major wireless carrier should receive an independent SS7 and Diameter audit every 12-18 months, and should address any identified vulnerabilities.”
- 5. “We are aware that some providers, such as a number of U.S. companies, are experimenting with SS7 firewalls, which show promise in reducing some types of attacks. We urge providers to publicly disclose their roadmaps for addressing SS7 and Diameter vulnerabilities, and believe that information about SS7 threats should be included in telco companies’ transparency reporting going forward.”
- 6. “Sounding the Alarm: Recommendations for High Risk Users… we urge you to migrate away from SMS-based two factor authentication immediately for all accounts where it is possible.”
If you work for an operator and still doubt the severity of this issue, I hope this blog prompts you to reconsider. I hope it persuades you that the various GSMA recommendations addressing signaling vulnerabilities should be taken extremely seriously. These vulnerabilities cover multiple protocols, and if you haven’t yet taken action, your customers remain at real risk. If you are leasing global titles to third parties, it is imperative that you implement both contractual and technological controls to restrict the use of those global titles to legitimate and authorized purposes only.
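To make the “technological controls” point concrete, here is an added example (my own illustration, not code from Mobileum, The Citizen Lab or any operator) of the kind of per-global-title screening an operator can run on inbound MAP requests at the interconnect. The policy says which MAP operations each leased global title is contractually allowed to originate; anything else from that GT, any request from an unknown GT, and any request claiming to come from the network’s own GT range are flagged, with location-disclosing operations rated highest. All global titles, lessee names and the log records are constructed for the example; the MAP operation names are the standard ones.

```python
"""Screening inbound SS7/MAP requests against a per-global-title policy.

Added example, not an operator's or vendor's production rule set. All GTs,
lessee names, the home GT prefix and the sample log are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

HOME_GT_PREFIX = "15550009"            # constructed: this network's own GT range
ROAMING_PARTNER_GTS = {"15550002001"}  # constructed: a trusted partner's HLR/VLR GT

# MAP operations that reveal a subscriber's location or serving node.
# The grouping is this example's choice, not a standards-defined category.
LOCATION_DISCLOSING_OPS = {
    "anyTimeInterrogation",
    "provideSubscriberInfo",
    "sendRoutingInfoForSM",
    "sendRoutingInfo",
}

# Constructed lease policy: the operations each leased GT may originate.
# The anti-fraud lessee's contract covers number/IMSI lookups only; the
# SMS aggregator may additionally deliver mobile-terminated SMS.
LEASED_GT_POLICY = {
    "15550001001": {"lessee": "example-antifraud-vendor",
                    "allowed_ops": {"sendRoutingInfoForSM"}},
    "15550001002": {"lessee": "example-sms-aggregator",
                    "allowed_ops": {"sendRoutingInfoForSM", "mt-forwardSM"}},
}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    calling_gt: str
    operation: str
    reason: str
    severity: str


def parse_record(line: str):
    """Log format (constructed): '<timestamp> <callingGT> <calledGT> <MAP op>'."""
    timestamp, calling_gt, called_gt, operation = line.split()
    return timestamp, calling_gt, called_gt, operation


def screen_record(line: str) -> Optional[Finding]:
    """Return a Finding if the record violates policy, else None."""
    timestamp, calling_gt, _called_gt, operation = parse_record(line)
    severity = "high" if operation in LOCATION_DISCLOSING_OPS else "medium"

    # Our own GTs never legitimately arrive from the interconnect side.
    if calling_gt.startswith(HOME_GT_PREFIX):
        return Finding(timestamp, calling_gt, operation,
                       "home_gt_from_interconnect", "high")
    # Roaming partners are governed by their own agreements, not by leases.
    if calling_gt in ROAMING_PARTNER_GTS:
        return None
    policy = LEASED_GT_POLICY.get(calling_gt)
    if policy is None:
        return Finding(timestamp, calling_gt, operation,
                       "unknown_origin_gt", severity)
    if operation not in policy["allowed_ops"]:
        return Finding(timestamp, calling_gt, operation,
                       "op_not_in_lease:" + policy["lessee"], severity)
    return None


def screen_log(lines: Iterable[str]) -> List[Finding]:
    """Apply screen_record to every non-empty log line, keeping the findings."""
    findings = []
    for line in lines:
        if line.strip():
            finding = screen_record(line)
            if finding is not None:
                findings.append(finding)
    return findings


# Constructed sample: one record per line (timestamp, calling GT, called GT, op).
SAMPLE_LOG = """\
2020-12-01T10:00:00Z 15550002001 15550009100 updateLocation
2020-12-01T10:00:05Z 15550001001 15550009100 sendRoutingInfoForSM
2020-12-01T10:00:09Z 15550001001 15550009100 provideSubscriberInfo
2020-12-01T10:00:12Z 15550001002 15550009100 mt-forwardSM
2020-12-01T10:00:20Z 15550003333 15550009100 anyTimeInterrogation
2020-12-01T10:00:31Z 15550009100 15550009100 insertSubscriberData
"""

if __name__ == "__main__":
    for f in screen_log(SAMPLE_LOG.splitlines()):
        print(f"{f.timestamp} {f.severity:6} {f.calling_gt} {f.operation}: {f.reason}")
```

Run as written, it flags three of the six constructed records: the anti-fraud GT issuing a provideSubscriberInfo its lease does not cover, an unknown GT issuing anyTimeInterrogation, and a request that claims to originate from the network’s own GT range. The two allowed lease uses and the roaming partner’s updateLocation pass. A real deployment would sit behind (or inside) an SS7 firewall and correlate with subscriber location, but even this allow-list style policy turns the contractual restriction into something the network can enforce and audit.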
To quote Forensic Architecture one more time, you may well be protecting your network, your customers, and your reputation from a “cyber-weapons manufacturer”.