Author(s): Raghu Gopal
This past Sunday, US television broadcaster CBS aired a segment of its news programme 60 Minutes on what appears to be a frightening security flaw in mobile networks. With just a user's mobile phone number, experts demonstrated how a person with the right skills and equipment could get nearly full access to a phone's activity. Complete surveillance is becoming a remote sport.
Karsten Nohl, a German IT researcher, demonstrated for the show's reporter how a hacker could listen in on phone calls, read text messages and even locate a person. Mr Nohl hacked an off-the-shelf iPhone provided by the programme to politician Ted Lieu, a member of the US House of Representatives and of the committee that oversees IT developments.
This hack is not altogether new. In 2014, Mr Nohl and his research team identified the weakness. At the time, several mobile operators announced that they had patched it. But Deutsche Telekom indicated that efforts by individual operators would be inadequate to solve the underlying problem.
The 60 Minutes reporter explained how, last year, the producers of the show worked with researchers to perform the same hack, intercepting calls, using data, tracking locations and accessing on-device sensors like the camera. And hardly anything seems to have been done since the last hack was demonstrated by CBS.
The ability to access such personal data using only a mobile number stems from a security defect in the Signalling System 7 (SS7) protocols used to connect telephone networks. Because the flaw sits in the network rather than in the handset, it affects international mobile phone operators and makes information vulnerable regardless of the phone type. SS7 describes the architecture that most providers use to support inter-network communications. That the hack operates at such a fundamental level is an indication of the potential severity of the problem.
This is not the first consumer-centric IT security issue to make the headlines, but there is something particularly eerie here. In other attacks, hackers relied on tricking users into installing malicious applications or on gaining physical access to a phone or PC. With the SS7 vulnerability, a hacker needs just the mobile number to gain access to the phone. The global presence of mobile phones means entire populations are potentially vulnerable.
The 60 Minutes story was informative about the network defect at hand, but it should also be a reminder that excitement about new technology implementations should be accompanied by safety checks. As we move into a world of connected things, the potential for hacks grows. From watches to washing machines, the growing number of leaves on the tree of the Internet of things potentially means more exposure for users. While the average person may not fall victim to the type of attack that was demonstrated on the CBS programme, people should be aware of the enormity of the problem. The sprawling, interconnected nature of global networks means operators will need to work together and address the security problem sooner rather than later.