Lawmakers and security experts have long warned of security flaws in the underbelly of the world's cell networks. Now a whistleblower says the Saudi government is exploiting those flaws to track its citizens across the U.S. as part of a "systematic" surveillance campaign.
It's the latest tactic by the Saudi kingdom to spy on its citizens overseas. The kingdom has faced accusations of using powerful mobile spyware to hack into the phones of dissidents and activists to monitor their activities, including those close to Jamal Khashoggi, the Washington Post columnist who was murdered by agents of the Saudi regime. The kingdom also allegedly planted spies at Twitter to surveil critics of the regime.
The Guardian obtained a cache of data amounting to millions of locations on Saudi citizens over a four-month period beginning in November. The report says the location tracking requests were made by Saudi's three largest cell carriers — believed to be at the behest of the Saudi government — by exploiting weaknesses in SS7.
SS7, or Signaling System 7, is a set of protocols — akin to a private network used by carriers around the world — to route and direct calls and messages between networks. It's the reason why a T-Mobile customer can call an AT&T phone, or text a friend on Verizon — even when they're in another country. But experts say that weaknesses in the system have allowed attackers with access to the carriers — almost always governments or the carriers themselves — to listen in to calls and read text messages. SS7 also allows carriers to track the location of devices to just a few hundred feet in densely populated cities by making a "provide subscriber information" (PSI) request. These PSI requests are typically to ensure that the cell user is being billed correctly, such as if they are roaming on a carrier in another country. Requests made in bulk and excess can indicate location tracking surveillance.
But despite years of warnings and numerous reports of attacks exploiting the system, the largest U.S. carriers have done little to ensure that foreign spies cannot abuse their networks for surveillance.
One Democratic lawmaker puts the blame squarely in the Federal Communication Commission's court for failing to compel cell carriers to act.
"I've been raising the alarm about security flaws in U.S. phone networks for years, but FCC chairman Ajit Pai has made it clear he doesn't want to regulate the carriers or force them to secure their networks from foreign government hackers," said Sen. Ron Wyden, a member of the Senate Intelligence Committee, in a statement on Sunday. "Because of his inaction, if this report is true, an authoritarian government may be reaching into American wireless networks to track people inside our country," he said.
A spokesperson for the FCC, the agency responsible for regulating the cell networks, did not respond to a request for comment.
A long history of feet-dragging
Wyden is not the only lawmaker to express concern. In 2016, Rep. Ted Lieu, then a freshman congressman, gave a security researcher permission to hack his phone by exploiting weaknesses in SS7 for an episode of CBS' 60 Minutes.
Lieu accused the FCC of being "guilty of remaining silent on wireless network security issues."
The same vulnerabilities were used a year later in 2017 to drain the bank accounts of unsuspecting victims by intercepting and stealing the two-factor authentication codes necessary to log in sent by text message. The breach was one of the reasons why the U.S. government's standards and technology units, NIST, recommended moving away from using text messages to send two-factor codes.
Months later the FCC issued a public notice, prompted by a raft of media attention, "encouraging" but not mandating that carriers make efforts to bolster their individual SS7 systems. The notice asked carriers to monitor their networks and install firewalls to prevent malicious requests abuse.
It wasn't enough. Wyden's office reported in 2018 that one of the major cell carriers — which was not named — reported an SS7 breach involving customer data. Verizon and T-Mobile said in letters to Wyden's office that they were implementing firewalls that would filter malicious SS7 requests. AT&T said in its letter that it was in the process of updating its firewalls, but also warned that "unstable and unfriendly nations" with access to a cell carrier's SS7 systems could abuse the system. Only Sprint said at the time that it was not the source of the SS7 breach, according to a spokesperson's email to TechCrunch.
T-Mobile did not respond to a request for comment. Verizon (which owns TechCrunch) also did not comment. AT&T said at the time it "continually works with industry associations and government agencies" to address SS7 issues.
Fixing the problems with SS7 is not an overnight job. But without a regulator pushing for change, the carriers aren't inclined to budge.
Experts say those same firewalls put in place by the cell carriers can filter potentially malicious traffic and prevent some abuse. But an FCC working group tasked with understanding the risks posed by SS7 flaws in 2016 acknowledged that the vast majority of SS7 traffic is legitimate. "Carriers need to be measured as they implement solutions in order to avoid collateral network impacts," the report says.
In other words, it's not a feasible solution if it blocks real carrier requests.
Cell carriers have been less than forthcoming with their plans to fix their SS7 implementations. Only AT&T provided comment, telling The Guardian that it had "security controls to block location-tracking messages from roaming partners." To what extent remains unclear, or if those measures will even help. Few experts have expressed faith in newer systems like Diameter, a similar routing protocol for 4G and 5G, given there have already been a raft of vulnerabilities found in the newer system.
End-to-end encrypted apps, like Signal and WhatsApp, have made it harder for spies to snoop on calls and messages. But it's not a panacea. As long as SS7 remains a fixture underpinning the very core of every cell network, tracking location data will remain fair game.