What Is SS7? Legislators Ask FCC To Examine Security Flaw In Communications Infrastructure


Democratic Representative Ted Lieu of California and Democratic Senator Ron Wyden of Oregon are asking the Federal Communications Commission to address a known cell phone security vulnerability that poses serious concern to users around the world.

At issue is Signaling System 7 (SS7), which suffers from a security flaw that, when exploited, allows hackers to intercept communications—including reading text messages, listening to phone calls and tracking a person’s location.

SS7 is an international telecommunications standard that defines how mobile devices connect and exchange number over mobile networks. The protocol allows phones to send and receive information like text messages and pass on calls. The standardization also allows for phones to connect to another network when roaming.

There are a number of variants of SS7, which was first established in 1975—most of which are defined by the American National Standards Institute and the European Telecommunications Standards Institute. In the United States, it’s known as the Common Channel Signaling System 7 (CCSS7).

While SS7 has provided consistency across global networks, it also suffers from a fatal flaw discovered in 2014 by German security researcher Karsten Nohl.

Nohl found that an attacker could exploit a vulnerability in the network. Though it would take a sophisticated attack to bypass the security measures of the networks, once in an attacker would be able to record phone calls, intercept texts, place and forward calls to other devices, and track the location of an individual device.

Since the discovery of the vulnerability, there have been some steps taken by members of the industry to protect against an attack. The GSM Association, a trade group that represents mobile operators, monitors the networks for any breaches of the security systems.

However, Congressman Lieu and Senator Wyden believe that isn’t enough. “It is clear that industry self-regulation isn’t working when it comes to telecommunications cybersecurity,” the legislators said in a joint letter sent to FCC chairman Ajit Pai on Tuesday.

The letter marks the latest effort by the duo to get the issue resolved before it causes considerable problems. The pair w rote to the Department of Homeland Security about the issue last month.

The FCC has already acknowledged the potential vulnerability of SS7 and noted in a Communications, Security, Reliability and Interoperability Council (CSRIC) that the issue would likely still exist as carriers start deploying 5G networks.

Read full story…