A phone number.
That could be all it takes for hackers to gain access to your emails, texts, contacts, phone conversations, location information and more, a report from 60 Minutes revealed.
According to the report, hackers can use a flaw in Signaling System Seven (SS7) to gain access to a cell phone user’s information with nothing more than the device’s cellular number.
SS7 is a set of protocol standards that controls signaling for the public switched telephone network. The flaw in SS7 impacts all phones that function on a cellular network, the report said.
German hacker Karsten Nohl first demonstrated the flaw in late 2014. But based on Sunday’s report, nothing has been done to fix the problem since then.
In a demonstration, 60 Minutes reporter Sharyn Alfonsi observed while Nohl – who has a doctorate in computer engineering – tapped into an iPhone the pair sent to California congressman Ted Lieu.
Lieu consented to use the device on a U.S. carrier’s network knowing it would be hacked, 60 Minutes said.
On Monday, CTIA sought to reassure consumers that U.S. carriers are well aware of the flaw and have taken steps to protect their networks.
“U.S. wireless providers remain vigilant to protect their networks and their customers,” CTIA’s vice president of Cybersecurity and Technology John Marinho said. “While we are aware of the research hackers’ manipulation to exploit SS7 technology in the international wireless networks, it’s important to note that they were given extraordinary access to a German operator’s network. That is the equivalent of giving a thief the keys to your house; that is not representative of how U.S. wireless operators secure and protect their networks. We continue to maintain security as a top industry priority.”
60 Minutes said Nohl was legally granted access to SS7 by several international carriers in exchange for tests of their network vulnerability. However, the program noted criminals have already proven their ability to gain access to the system without permission.
According to the report, Nohl said it is easier to access some U.S. carriers through SS7 than others, but did not specify which ones were most vulnerable to attack.
Representatives for Verizon and AT&T both referred requests for comment to CTIA.
Though the exact details of the attack were not released as part of the 60 Minutes report, Marinho speculated Nohl’s special access to the carrier networks allowed him to recreate one of the highly privileged “peering relationships” the SS7 network is based on. This strategy, Marinho said, would allow the intruder to appear as just another carrier communicating with another carrier.
Marinho indicated that replicating such a scenario illegally would present a “challenge” for would-be hackers and noted many carriers have security protocols in place to detect that sort of activity.
“The peering relationships between carriers are highly specialized and highly secured because they are command and control communications links between carrier networks and those are treated very securely and with a high degree of reliability,” Marinho said. “We monitor this very, very closely because we’ve seen reports of those kind of exploits and we try very hard to make sure we stay ahead of those types of threats here in the United States.”
Whatever the precise method for access may be, the report said the flaw is well-known to intelligence agencies across the globe. In light of his recent experience, however, Lieu is looking to curb their access.
During his interview with Alfonsi, Lieu said anyone who knew about the flaw and promotes it based on the ready access to private information it provides “should be fired.”
“You cannot have 300-some million Americans – and really, right, the global citizenry be at risk of having their phone conversations intercepted with a known flaw, simply because some intelligence agencies might get some data,” Lieu said. “That is not acceptable.”
On Monday, Fortune reported Lieu has called for a congressional investigation of the matter through the House Oversight and Government Reform Committee, of which he is a member.
CTIA declined to comment on whether it plans to support Lieu’s effort. However, industry professionals appear to share Lieu’s concerns.
According to HAUD’s portion of the Intelligence Annual Industry Survey, which questioned 1,500 industry professionals, 84 percent of respondents think SS7 security is either critically important or important to their organization and 69 percent said they’re fully aware of the threats SS7 vulnerabilities present.