Saudi Arabia Exploiting Wireless SS7 Flaw to Track Targets In The United States

from the ill-communication dept

In 2017, hackers and security researchers highlighted long-standing vulnerabilities in Signaling System 7 (SS7, or Common Channel Signalling System 7 in the US), a series of protocols first built in 1975 to help connect phone carriers around the world. While the problem isn't new, a 2016 60 Minutes report brought wider attention to the fact that the flaw can allow a hacker to track user location, dodge encryption, and even record private conversations. All while the intrusion looks like ordinary carrier to carrier chatter among a sea of other, "privileged peering relationships."

Telecom carriers and lobbyists have routinely downplayed the flaw and their multi-year failure to do much about it. In 2018, the CBC noted how Canadian wireless providers Bell and Rogers weren't even willing to talk about the flaw after the news outlet published an investigation showing how (using only a mobile phone number) it was possible to intercept the calls and movements of Quebec NDP MP Matthew Dubé.

Now there's another wake up call: a new report by The Guardian indicates that Saudi Arabia has likely been exploiting the flaw for years to track and monitor Saudi Arabian targets when they travel in the United States:

"The data suggests that millions of secret tracking requests emanated from Saudi Arabia over a four-month period beginning in November 2019. The tracking requests, which sought to establish the US location of Saudi–registered phones, appeared to originate from Saudi’s three biggest mobile phone companies.

The whistleblower said they were unable to find any legitimate reason for the high volume of the requests for location information. “There is no other explanation, no other technical reason to do this. Saudi Arabia is weaponising mobile technologies,” the whistleblower claimed.

U.S. carriers like AT&T, Verizon, and T-Mobile routinely receive Provide Subscriber Information (PSI) messages from foreign phone companies to help them track roaming costs for users on foreign cell plans traveling abroad. But excessive use of such messages usually indicates a more nefarious intent. The Guardian couldn't directly tie the excessive use of PSIs by Saudi telcos to the Saudi government, but most security experts believe Saudi's history makes the intention fairly clear:

"The whistleblower’s data...suggests that the three largest Saudi mobile operators – Saudi Telecom, Mobily and Zain – sent the US mobile phone operator a combined average of 2.3m tracking requests per month from 1 November 2019 to 1 March 2020. The data appears to suggest the Saudi mobile phones were being tracked as they travelled through the US as often as two to 13 times per hour. Expert said that frequency suggests users could probably have been tracked on a map to within hundreds of metres of accuracy in a city."

One reason U.S. telcos may not have been particularly keen on cracking down on the practice is that the U.S. government and the NSA very likely exploit the SS7 flaw as well. Senator Ron Wyden demanded answers as early as 2017 from mobile phone companies as to why they haven't done more to thwart the practice. Of the major U.S. carriers, only AT&T was willing to respond to the Guardian, insisting "we have security controls to block location-tracking messages from roaming partners." It's far less likely the NSA's longstanding BFF blocks similar requests from U.S. intelligence agencies.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: saudi arabia, spying, ss7, surveillance


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. icon
    Upstream (profile), 2 Apr 2020 @ 7:21am

    It's far less likely the NSA's longstanding BFF blocks similar requests from U.S. intelligence agencies.

    I am no expert on the details of the various phone or Internet systems, but the way I understand it is that the NSA and other US intelligence agencies probably don't even need to make such requests because the NSA, AT&T, and much of the Internet / phone system backbone are largely indistinguishable.

    link to this | view in thread ]

  2. identicon
    Anonymous Coward, 2 Apr 2020 @ 8:23am

    A question: how often would a carrier check the towers that a phone they have registered to their service is in contact with? I presume that the carrier to which the phone is registered is the one that will be asked for routing information to make a call to that phone.

    link to this | view in thread ]

  3. identicon
    Anonymous Coward, 2 Apr 2020 @ 8:39am

    It's interesting that this is only addressing the Saud's and only as it applies to tracking "their" targets.

    link to this | view in thread ]

  4. identicon
    Anonymous Coward, 2 Apr 2020 @ 8:57am

    in other news...

    get your jackets back out because it's about to snow:
    Comcast dropped data caps! (until May 13't at least)

    link to this | view in thread ]

  5. identicon
    Anonymous Coward, 2 Apr 2020 @ 10:50am

    And of course, the USA isn't doing the same! We're the worse country on the Planet for wanting to know everything about everyone, everywhere, yet we're tge first to complain when others do the same thing. Hypocritical dont have nothing on us!

    link to this | view in thread ]

  6. identicon
    Anonymous Coward, 3 Apr 2020 @ 5:36am

    Solution

    Just get Jared to call his bff MbS and say "knock it off, bro'."

    link to this | view in thread ]

  7. icon
    tz1 (profile), 5 Apr 2020 @ 5:02pm

    Don't mess with him

    Moe, the Bone-Saw-Man. Or you might Sho Kashoggi. No problems, "He went to Jared!"

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.