Saudi Arabia Exploiting Wireless SS7 Flaw to Track Targets In The United States
from the ill-communication dept
In 2017, hackers and security researchers highlighted long-standing vulnerabilities in Signaling System 7 (SS7, or Common Channel Signalling System 7 in the US), a series of protocols first built in 1975 to help connect phone carriers around the world. While the problem isn't new, a 2016 60 Minutes report brought wider attention to the fact that the flaw can allow a hacker to track user location, dodge encryption, and even record private conversations. All while the intrusion looks like ordinary carrier to carrier chatter among a sea of other, "privileged peering relationships."
Telecom carriers and lobbyists have routinely downplayed the flaw and their multi-year failure to do much about it. In 2018, the CBC noted how Canadian wireless providers Bell and Rogers weren't even willing to talk about the flaw after the news outlet published an investigation showing how (using only a mobile phone number) it was possible to intercept the calls and movements of Quebec NDP MP Matthew Dubé.
Now there's another wake up call: a new report by The Guardian indicates that Saudi Arabia has likely been exploiting the flaw for years to track and monitor Saudi Arabian targets when they travel in the United States:
"The data suggests that millions of secret tracking requests emanated from Saudi Arabia over a four-month period beginning in November 2019. The tracking requests, which sought to establish the US location of Saudi–registered phones, appeared to originate from Saudi’s three biggest mobile phone companies.
The whistleblower said they were unable to find any legitimate reason for the high volume of the requests for location information. “There is no other explanation, no other technical reason to do this. Saudi Arabia is weaponising mobile technologies,” the whistleblower claimed.
U.S. carriers like AT&T, Verizon, and T-Mobile routinely receive Provide Subscriber Information (PSI) messages from foreign phone companies to help them track roaming costs for users on foreign cell plans traveling abroad. But excessive use of such messages usually indicates a more nefarious intent. The Guardian couldn't directly tie the excessive use of PSIs by Saudi telcos to the Saudi government, but most security experts believe Saudi's history makes the intention fairly clear:
"The whistleblower’s data...suggests that the three largest Saudi mobile operators – Saudi Telecom, Mobily and Zain – sent the US mobile phone operator a combined average of 2.3m tracking requests per month from 1 November 2019 to 1 March 2020. The data appears to suggest the Saudi mobile phones were being tracked as they travelled through the US as often as two to 13 times per hour. Expert said that frequency suggests users could probably have been tracked on a map to within hundreds of metres of accuracy in a city."
One reason U.S. telcos may not have been particularly keen on cracking down on the practice is that the U.S. government and the NSA very likely exploit the SS7 flaw as well. Senator Ron Wyden demanded answers as early as 2017 from mobile phone companies as to why they haven't done more to thwart the practice. Of the major U.S. carriers, only AT&T was willing to respond to the Guardian, insisting "we have security controls to block location-tracking messages from roaming partners." It's far less likely the NSA's longstanding BFF blocks similar requests from U.S. intelligence agencies.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: saudi arabia, spying, ss7, surveillance
Reader Comments
Subscribe: RSS
View by: Time | Thread
I am no expert on the details of the various phone or Internet systems, but the way I understand it is that the NSA and other US intelligence agencies probably don't even need to make such requests because the NSA, AT&T, and much of the Internet / phone system backbone are largely indistinguishable.
[ link to this | view in thread ]
A question: how often would a carrier check the towers that a phone they have registered to their service is in contact with? I presume that the carrier to which the phone is registered is the one that will be asked for routing information to make a call to that phone.
[ link to this | view in thread ]
It's interesting that this is only addressing the Saud's and only as it applies to tracking "their" targets.
[ link to this | view in thread ]
in other news...
get your jackets back out because it's about to snow:
Comcast dropped data caps! (until May 13't at least)
[ link to this | view in thread ]
And of course, the USA isn't doing the same! We're the worse country on the Planet for wanting to know everything about everyone, everywhere, yet we're tge first to complain when others do the same thing. Hypocritical dont have nothing on us!
[ link to this | view in thread ]
Solution
Just get Jared to call his bff MbS and say "knock it off, bro'."
[ link to this | view in thread ]
Don't mess with him
[ link to this | view in thread ]