18 May 2024
It is dangerously easy to hack the world’s phones

For years security experts have warned that a technology at the heart of global communications is dangerously insecure. Now there is proof that it has been used to snoop on people in America.

Kevin Briggs, an official at America’s Cybersecurity and Infrastructure Security Agency, told the Federal Communications Commission (FCC), a regulator, earlier this year that there had been “numerous incidents of successful, unauthorised attempts” not only to steal location data and monitor voice and text messages in America, but also to deliver spyware (software that can take over a phone) and influence American voters from abroad via text messages. The comments were first reported recently by 404 Media, a website that covers technology.

The hacks were related to an obscure protocol known as Signalling System 7 (SS7). Developed in the 1970s to allow telecom firms to exchange data to set up and manage calls, nowadays SS7 has more users than the internet. Security was not a big issue when SS7 was first introduced because only a few fixed-line operators could get access to the system. That changed in the mobile age. SS7 and a newer protocol, Diameter, became crucial for a wide range of tasks, including roaming. According to the US Department of Homeland Security, SS7 is a particular risk because there are “tens of thousands of entry points worldwide, many of which are controlled by states that support terrorism or espionage”.

Security experts have known for more than 15 years that the protocol was vulnerable in several ways. In 2008 Tobias Engel, a security researcher, showed that SS7 could be used to identify a user’s location. In 2014 German researchers went further, demonstrating that it could also be exploited to listen to calls or record and store voice and text data. Attackers could forward data to themselves or, if they were close to the phone, hoover it up and tell the system to give them the decryption key. Spy agencies had known about the issue for a lot longer. Many were taking advantage of it.

In April 2014 Russian hackers exploited SS7 to locate and spy on Ukrainian political figures. In 2017 a German telecoms firm acknowledged that attackers had stolen money from customers by intercepting SMS authentication codes sent from banks. In 2018 an Israeli private intelligence company used a mobile operator in the Channel Islands, a British territory, to get access to SS7 and thus users around the world. That route is thought to have been used to track an Emirati princess who was abducted by the United Arab Emirates in 2018. And in 2022 Cathal McDaid of ENEA, a Swedish telecoms and cybersecurity company, assessed that Russian hackers had long been tracking and eavesdropping on Russian dissidents abroad by the same means.

Beginning in 2014 Chinese hackers stole huge amounts of data from the Office of Personnel Management, the government agency that manages America’s federal civil service. The most sensitive data were security-clearance records, which contain highly personal details about government employees. But phone numbers were also stolen. According to semi-redacted slides published by the US Department of Homeland Security, American officials noticed “SS7 anomalous traffic” that summer which they believed was related to the breach.

Mr Briggs’s comments to the FCC bring the scope of the SS7 problem into sharper focus. “Overall”, he said, the incidents he reported were “just the tip of the proverbial iceberg of SS7- and Diameter-based location and monitoring exploits that have been used successfully.” That is a reminder that, even as unencrypted phone calls and SMS text messages have become rarer, the backbone of mobile networks remains woefully insecure. Mobile-network operators can block some of these attacks, but most have failed to take the proper precautions, say insiders.

Phone users can protect themselves against SS7-based eavesdropping (but not location tracking) by using end-to-end encrypted apps such as WhatsApp, Signal or iMessage. But these, too, can be circumvented by spyware that takes over a device, recording keystrokes and the screen. In April Apple warned users in 92 countries that they had been targeted by a “mercenary spyware attack”. On May 1st Amnesty International published a report showing how “a murky ecosystem of surveillance suppliers, brokers and resellers” from Israel, Greece, Singapore and Malaysia had put powerful spyware into the hands of multiple state agencies in Indonesia. That, too, is the tip of the iceberg.

© 2024, The Economist Newspaper Limited. All rights reserved. From The Economist, published under licence. The original content can be found on www.economist.com
