FCC to probe ‘grave’ weaknesses in phone network infrastructure
The Federal Communications Commission (FCC) says it is taking action to address significant weaknesses in telecommunications networks that can enable cybercrime and spying.
The agency is investigating how vulnerabilities in the protocols Signaling System No. 7 (SS7) and Diameter, which together enable phone calls and text messages to move across networks, can allow breaches, particularly by revealing consumers’ locations to malicious hackers and spies.
The FCC has told carriers to explain how they are preventing such activity over the protocols. It is also demanding providers turn over specific examples of breaches.
SS7 and Diameter are not outfitted with the technology needed to properly encrypt the traffic they handle, the agency and telecom experts say. Americans are particularly exposed to hacks while roaming across networks.
The problem has been well known for some time. In a letter sent to the president in February, Sen. Ron Wyden (D-OR) urged the Biden administration to fix the flaws, calling them “grave threats.”
The agency’s action, announced last week, is an important move to address a problem that affects both small and large providers, said Harold Feld, an FCC expert who is senior vice president at the advocacy group Public Knowledge.
“Given the sensitivity of geolocation information, it is extremely important for the commission to know whether providers are taking the necessary precautions to protect subscribers,” Feld said via email. “The commission should not simply wait until a massive problem surfaces.”
He called the agency’s action “exactly the kind of responsible, information gathering exercise the Commission should be doing.”
Wyden also praised the FCC, thanking Chair Jessica Rosenworcel for moving forward with a probe.
“America needs to ramp up our defenses against mercenary surveillance companies that help foreign dictators threaten U.S. national security, human rights and journalists working to expose wrongdoing,” Wyden said in a press release.
He added that he is eager to work with the agency to “secure America’s phone networks through mandatory minimum cybersecurity standards.”
It’s encouraging to see the FCC’s continued attention to location data, Chris Frascella, who is counsel at the Electronic Privacy Information Center, said via email.
Frascella, who focuses on telecommunications issues, said he is optimistic that the commission will “follow-through on its multiple lines of inquiry.” But he said he is also concerned that the FCC still hasn’t published orders issued against “prominent telecom carriers for the illegal resale of precise location data,” despite their having been released more than four years ago.
“In the absence of a comprehensive federal privacy law, and in light of chronic carrier cybersecurity deficiencies, agencies like the FCC need to act more quickly to safeguard consumer data, including but not limited to phone subscriber location information,” Frascella said via email.
The commission’s Public Safety and Homeland Security Bureau is spearheading the effort. The FCC said it wants to ensure the protocols’ vulnerabilities can’t allow hackers to “track” consumers’ locations through their mobile devices.
SS7 and Diameter play a “critical role” in U.S. telecommunications infrastructure, the agency said in the notice, noting that they enable interconnection between fixed and mobile networks.
“Over the last several years, numerous reports have called attention to security vulnerabilities present within SS7 networks and suggest that attackers target SS7 to obtain subscribers’ location information,” the agency’s notice said, adding that Diameter is similarly vital and vulnerable.