Congress May Investigate Flaws That Allow Mobile Phone Hacking
Hackers and security experts have known for more than a year about critical flaws in global cellphone networks that allow surreptitious tracking and recording of calls. But after a 60 Minutes piece on Sunday, Congress is waking up to the problem, which has gone largely unaddressed.
The television program demonstrated how easily hackers could track any phone and record its calls by enlisting Rep. Ted Lieu (D-Calif.) to play a target. While Lieu used an ordinary iPhone, hackers working with 60 Minutes obtained his location and recorded some of his calls by exploiting flaws in a portion of mobile networks called Signaling System Number 7, or SS7, which is intended to help track and bill customers as they roam among different carriers’ systems.
On Monday, Lieu called for a congressional investigation of the SS7 flaws by the House Oversight and Government Reform Committee, of which he is a member.
“The applications for this vulnerability are seemingly limitless, from criminals monitoring individual targets to foreign entities conducting economic espionage on American companies to nation states monitoring U.S. government officials,” he wrote in a letter to the leaders of the committee. “The vulnerability has serious ramifications not only for individual privacy, but also for American innovation, competitiveness and national security.”
The flaws in SS7 have been public at least since December 2014, when several German hackers presented their research at a conference in Hamburg. The hackers showed how they could break into an SS7 system and issue commands to have a phone secretly forward all voice calls to them for recording. The hackers also got the system to send them copies of digital keys used to encrypt the cell phone calls. The calls could be hacked using the SS7 method despite security measures taken by consumers, such as requiring a passcode to unlock a phone or encrypting its contents.
On the television program, Lieu said he was concerned that government intelligence agencies knew about the flaws and used them for spying purposes, while failing to report the security vulnerabilities to the phone companies.
The CTIA, the U.S. wireless industry trade group, said the problem was mainly with overseas networks.
“U.S. wireless providers remain vigilant to protect their networks and their customers,” the group said in a statement. “While we are aware of the research hackers’ manipulation to exploit SS7 technology in the international wireless networks, it’s important to note that they were given extraordinary access to a German operator’s network. That is the equivalent of giving a thief the keys to your house; that is not representative of how U.S. wireless operators secure and protect their networks. We continue to maintain security as a top industry priority.”