[HACKED] Is Someone Listening to Your Calls?
The April 17, 2016, edition of “60 Minutes” featured a deeply disturbing segment entitled, “Hacking Your Phone.” In it, a German white-hat hacker named Karsten Nohl chillingly demonstrated how easily he could track and eavesdrop on a U. S. Congressman's mobile phone. Is your mobile phone also vulnerable to the same hack...?
All Hackers Need Is Your Phone Number
In the 60 Minutes segment, Nohl gave a brand-new smartphone to Congressman Ted Lieu (D-CA). Lieu used the phone as he would normally use his personal phone. Nohl demonstrated on-camera that he was able to listen in on live conversations between Lieu, his staff, and other contacts.
Not only that, he could track Lieu’s movements through several California districts, using cell tower triangulation. Nohl also intercepted text messages and emails that originated or landed on Lieu’s phone.
The flaw is not in Android, iOS, or any other phone-based software. It’s not in hardware made by any handset maker. It’s not in an app. It's not limited to smartphones. It’s not the fault of Verizon, AT&T, T-mobile, or any other carrier. It’s in a system that underlies all of that; every cellular device on Earth is vulnerable.
The flawed system is called “SS7,” which stands for Signaling System No. 7. When cellular traffic moves between networks (Verizon to T-mobile, Sprint to AT&T, etc.), SS7 mediates the exchange, and other technical aspects of trans-network traffic. SS7 has access to every phone number on every carrier. And it's riddled with security holes.
There is little that consumers can do to protect themselves, because SS7 is far beyond their control. Nohl said during the 60 Minutes segment:
“The mobile network is independent from the little GPS chip in your phone, it knows where you are. So any choices that a congressman could’ve made - choosing a phone, choosing a pin number, installing or not installing certain apps - have no influence over what we are showing because this is targeting the mobile network. That, of course, is not controlled by any one customer.”
Not a New Problem
You know what’s really disturbing? Nohl demonstrated the same vulnerability two years ago, at a hackers conference in Hamburg, Germany. He described the vulnerability in detail, publicly. Yet it still exists, and no one is doing anything to fix it. In fact, SS7 was developed in the 1980s, so this is nothing new at all.
SS7 is not controlled by carriers, phone makers, or software developers. Effectively, in the U. S., the Federal Communications Commission has responsibility for and authority over how SS7 is implemented. The FCC has been studying the SS7 flaw ever since Nohl revealed it, but no action has been taken.
Perhaps the reason the FCC is in no hurry to fix the SS7 flaw is that it is very, very useful to the FBI, NSA, and other law enforcement snoops. We have no evidence that law enforcement is exploiting the flaw, but it seems extremely unlikely that they wouldn’t.
Is There Anything YOU Can Do?
The one thing you can do to protect your voice and data traffic from eavesdropping is to encrypt them from end to end; that is, from your phone to the recipient or sender’s phone.
Over two years ago, I wrote about Silent Circle's Blackphone which offes built-in encryption to protect phone calls and text messages. The downsides are cost and coverage. The Blackphone costs $800 and runs only on GSM networks, which limits you to AT&T or T-Mobile in the U.S.
But there are other options for encryption. “End to end encryption” is offered by the free messaging app WhatsApp, which has over a billion users worldwide. ChatSecure offers apps for iOS and Android that encrypt messages, Web traffic, and more, without tying a user to any particular network.
Using secure web connections (addresses that start with https) for all Webmail and other Web traffic provides the most basic level of encryption protection. Your email provider may or may not keep your email encrypted while it’s stored on the provider’s servers. All email between Gmail users is encrypted while it’s in transit or at rest on Google servers. (If Gmail sends email to another email service provider, that provider may or may not use encryption.)
It’s disgraceful that this SS7 flaw has been allowed to persist for so long. This is the time to write to your Congressperson and the FCC, demanding that it be fixed immediately. It's been "studied" long enough, don't you think?
Were you aware of the SS7 issue? Do you (or will you) use encryption on your mobile phone, now that you know about it? Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 19 Apr 2016
|For Fun: Buy Bob a Snickers.|
[QUICK] Uninstall QuickTime for Windows
The Top Twenty
Geekly Update - 20 April 2016
There's more reader feedback... See all 27 comments for this article.
Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- [HACKED] Is Someone Listening to Your Calls? (Posted: 19 Apr 2016)
Copyright © 2005 - Bob Rankin - All Rights Reserved