Source: CBS News
The thought of your calls being eavesdropped on, or your location and emails being exposed to anyone who has nothing more than your phone number, is indeed a terrifying one. However, it is a very real one, as US Congressman Ted Lieu of California experienced first-hand.
CBS News’ ‘60 Minutes’ segment demonstrated just how easy it is for hackers to access vulnerable phones once they have learned a target’s phone number. Congressman Ted Lieu, who is a member of the House Oversight and Reform Subcommittee on Information Technology and holds a computer science degree from Stanford, agreed to participate in the investigation by ‘60 Minutes’ and the German researchers from Security Research Labs, a company that looks for security flaws in technology. Lieu was handed an off-the-shelf iPhone to use as his personal device for a week, along with an assigned phone number, in the knowledge that the hackers would try to access the phone from Berlin.
The results of the investigation are unsettling. All it took was Lieu’s phone number, and the researchers were able to listen to and record all his phone calls, read his text messages, view his contacts and track his location. Unsurprisingly, the experience was unnerving for Lieu: he said that when he arrived to tape the segment in Washington, the hackers had even told the producers which hotel he was staying at, even though his GPS was turned off and he regularly uses encrypted messaging systems.
Karsten Nohl, researcher at Security Research Labs (Source: CBS News)
Karsten Nohl, one of the researchers who cracked into Lieu’s phone, said that all phones are at risk, and the fault does not lie in iPhones alone. This is because the hack is made possible by the way that mobile networks around the world connect to one another, which makes this a very serious vulnerability that could affect the privacy of the world’s billions of mobile phone users.
The Security Research Labs team had uncovered a major flaw in Signaling System 7 (SS7), a global telecom network that connects all phone carriers around the world through a series of protocols first developed way back in 1975. The flaws discovered by the German researchers are actually functions built into SS7 (also known as C7 in the UK or CCSS7 in the US) for other purposes, such as keeping calls connected when users are travelling down highways by switching from cell tower to cell tower. As The Guardian points out:
“When calls or text messages are made across networks SS7 handles details such as number translation, SMS transfer, billing and other back-end duties that connect one network or caller to another. By hacking into or otherwise gaining access to the SS7 system, an attacker can track a person’s location based on mobile phone mast triangulation, read their sent and received text messages, and log, record and listen into their phone calls, simply by using their phone number as an identifier.”
The Security Research Labs team had in fact discovered the flaw as early as December 2014, and found that, because of the lax security on the network, a skilled person could repurpose the SS7 surveillance features to eavesdrop on the phone calls, text messages and data traffic of billions of people. The hack, first demonstrated by Nohl in 2014 at the ‘Chaos Communication Congress 31c3’ hacker conference in Hamburg, has been shown by their recent investigation to still work.
Last year, ‘60 Minutes’ had also performed a similar SS7 hack with the help of German hacker Luca Melette, who works as a consultant in security agencies. In the demonstration, Melette succeeded in intercepting and recording mobile phone conversations made by ‘60 Minutes’ reporter Ross Coulthart, while he was speaking to Independent Australian Senator Nick Xenophon in Australia’s Parliament House.
Sadly, the security flaws in SS7 have thus far been relatively difficult to patch because of the way it operates. SS7 is used by all the world’s cellular carriers but is not governed by any of them, nor by any single government or entity, which makes it a sort of global collaboration with a ton of red tape and no real solution on how to fix the security holes. Additionally, the Security Research Labs team explains that in reality the vulnerability is already an “open secret”: law enforcement and security services, including the US National Security Agency, are aware of it and use it to spy on targets using just their phone number.
Congressman Ted Lieu listens back to his tracked calls (Source: CBS News)
During the demonstration, the Security Research Labs hackers made it clear how easily they were able to pinpoint Lieu’s movements down to districts within Los Angeles, read his messages and record phone calls between Lieu and his staff. Clearly shocked by what the team was able to achieve through a phone number alone, Lieu has now written to the Chairman of the House Committee on Oversight and Government Reform requesting a formal investigation into the vulnerability.
Lieu sharply criticized any US agencies that may have turned a blind eye to such vulnerabilities.
“The people who knew about this flaw should be fired. You cannot have 300 and some million Americans, and really the global citizenry, be at risk of having their phone conversations intercepted with a known flaw simply because some intelligence agencies might get some data. That is not acceptable.”
The full text of the letter is as below:
You can also watch the CBS News ‘60 Minutes’ episode here.
 CBS News
 The Guardian
 The Guardian
 The Daily Mail
 LA Times
 Ars Technica