America’s cellular network is as vital to society as the highway system and power grids. Vulnerabilities in the mobile phone infrastructure threaten not only personal privacy and security, but also the country’s. According to intelligence reports, spies are eavesdropping on President Trump’s cellphone conversations and using fake cellular towers in Washington to intercept phone calls. Cellular communication infrastructure, the system at the heart of modern communication, commerce and governance, is woefully insecure. And we are doing nothing to fix it.
This should be at the top of our cybersecurity agenda, yet policymakers and industry leaders have been nearly silent on the issue. While government officials are looking the other way, an increasing number of companies are selling products that allow buyers to take advantage of these vulnerabilities.
Spying tools, which are becoming increasingly affordable, include cell-site simulators (commonly known by the brand name Stingray), which trick cellphones into connecting with them without the cellphone owners’ knowledge. Sophisticated programs can exploit vulnerabilities in the backbone of the global telephone system (known as Signaling System 7, or SS7) to track mobile users, intercept calls and text messages, and disrupt mobile communications.
These attacks have real financial consequences. In 2017, for example, criminals took advantage of SS7 weaknesses to carry out financial fraud by redirecting and intercepting text messages containing one-time passwords for bank customers in Germany. The criminals then used the passwords to steal money from the victims’ accounts.
How did we get here, and why is our cellular infrastructure so insecure?
The international mobile communications system is built on top of several layers of technology, parts of which are more than 40 years old. Some of these old technologies are insecure, others have never had a proper audit and many simply haven’t received the attention needed to secure them properly. The protocols that form the underpinnings of the mobile system weren’t built with security in mind.
SS7, invented in 1975, is still the protocol that allows telephone networks all over the world to talk to one another. It was built on the assumption that anyone who can connect to the network is a trusted network operator. When it was created, there were only 10 companies using SS7. Today, there are hundreds of companies all over the world connected to SS7, making it far more likely that credentials to the system will be leaked or sold. Anyone who can connect to the SS7 network can use it to track your location or eavesdrop on your phone calls. A more recent alternative to SS7 called Diameter suffers from many of the same problems.
Another protocol, GSM, invented in 1991, allows your cellphone to communicate with a cell tower to make and receive calls and transmit data. The older generation of GSM, known as 2G, doesn’t verify that the tower that your phone connects to is authentic, making it easy for anyone to use a cell-site simulator and impersonate a cell tower to obtain your location or eavesdrop on your communications.
Larger carriers have already begun dismantling their 2G systems, which is a good start, since later generations of GSM such as 3G, 4G and 5G solve many of its problems. Yet our phones all still support 2G and most have no way to disable it, making them susceptible to attacks. What’s more, research has shown that 3G, 4G, and even 5G have vulnerabilities that may allow new generations of cell-site simulators to continue working.
Nobody could have envisioned how deeply ingrained cellular technology would become in our society, or how easy and lucrative exploiting it would be. Companies from China, Russia, Israel and elsewhere are making cell-site simulators and providing access to the SS7 network at prices affordable even to the smallest criminal organizations. It is increasingly easy to build a cell-site simulator at home, for no more than the cost of a fast-food meal. Spies all over the world — as well as drug cartels — have realized the power of these technologies.
So far, industry and policymakers have largely dragged their feet when it comes to blocking cell-site simulators and SS7 attacks. Senator Ron Wyden, one of the few lawmakers vocal about this issue, sent a letter in August encouraging the Department of Justice to “be forthright with federal courts about the disruptive nature of cell-site simulators.” No response has ever been published.
The lack of action could be because it is a big task — there are hundreds of companies and international bodies involved in the cellular network. The other reason could be that intelligence and law enforcement agencies have a vested interest in exploiting these same vulnerabilities. But law enforcement has other effective tools that are unavailable to criminals and spies. For example, the police can work directly with phone companies, serving warrants and Title III wiretap orders. In the end, eliminating these vulnerabilities is just as valuable for law enforcement as it is for everyone else.
As it stands, there is no government agency that has the power, funding and mission to fix the problems. Large companies such as AT&T, Verizon, Google and Apple have not been public about their efforts, if any exist.
This needs to change. To start, companies need to stop supporting insecure technologies such as 2G, and government needs a mandate to buy devices solely from companies that have disabled 2G. Similarly, companies need to work with cybersecurity experts on a security standard for SS7. Government should buy services only from companies that can demonstrate that their networks meet this standard.
Finally, this problem can’t be solved by domestic regulation alone. The cellular communications system is international, and it will take an international effort to secure it.
We wouldn’t tolerate gaping potholes in our highways or sparking power lines. Securing our mobile infrastructure is just as imperative. Policymakers and industries around the world must work together to achieve this common goal.
Cooper Quintin is a senior staff technologist with the Electronic Frontier Foundation, where he investigates digital privacy and security threats to human-rights defenders, journalists and vulnerable populations.