How the NSA could spy on any American phone — without congressional approval

As information technology has become ubiquitous, privacy has become a real concern for the average American. Sophisticated, connected devices make our life easier, giving us easy access to a wide array of services from cheap taxi rides to online shopping. From cell phones and gaming consoles to cars, the objects we use daily are connected in an endless flow of digital information known as the internet of things (IoT).

This information technology also enables intelligence organizations, law enforcement agencies, corporations, and criminals to unlawfully collect and exploit private information. Americans today are becoming increasingly aware of the perils connected devices hold, and looking for legal mechanisms to protect their basic right to privacy.

In the post-9/11 world, the United States has expanded the legal rights of its intelligence and law-enforcement agencies to collect private information, sometimes in cooperation with the telecom companies that provide services to the public. The most notable of these laws is Section 702 of the Foreign Intelligence Surveillance Act (FISA), which authorizes agencies to collect and use any electronic communications held by U.S. internet service providers. Unlike general FISA surveillance, however, Section 702 does not require that the target be a suspected terrorist, spy, or other foreign agent.

{mosads}However, the potential for a breach that jeopardizes Americans’ privacy predates IoT by a significant margin: the SS7 (Signaling System No. 7) network — a set of protocols developed in 1975 to set up and tear down  public switched telephone network (PSTN) telephone calls. It is, if you will, the central nervous system of the global telecommunications infrastructure, including in the US. This is what allows you to use your local cellular provider when traveling abroad.

The SS7 vulnerability was exposed several years ago during the 2014 31C3 (31th Chaos Communication Congress) conference. Tobias Engel, a German cyber security expert, demonstrated how easy it was to hack into the SS7, eavesdrop on calls, intercept text messages, and pull location-based information. Another German crypto-expert, Karsten Nohl, demonstrated in a 2014 cyber security conference (and again in 2016) how he could easily hack a congressman’s phone and gain access to his calls, text messages, and location. Reports also claimed that hackers have leveraged flaws in the SS7 to empty bank accounts in Europe, including Bitcoin accounts. Recently, the Daily Beast published an article that presented the results of an internally-conducted experiment, in which its reporters gained access to the SS7 by simply applying to a Western European telecom company, posing as a fake company that would need coverage in Europe — all for just a few thousand dollars. In short, any hacker inside the network could easily access any user, regardless of the operating system or device they use.

The vulnerability of the SS7, combined with the leeway Section 702 gives to intelligence and law-enforcement agencies, poses a great threat to personal privacy. If this breach has been known for years, why isn’t anyone dealing with it? Telecom companies are well aware of this breach, but are reluctant to fix it since it is expensive and will require huge global investments to update many systems worldwide. However, there might be another reason for this reluctance: the breach allows intelligence agencies to monitor individual communications easily, without needing to invest in sophisticated technologies.

The SS7 breach also brings to light the vulnerability of legacy systems — outdated computer systems, programming languages, or application software that are used instead of available upgraded versions. Organizations (especially large ones) often rely on legacy systems because they work adequately, they are far too complex to fix or redesign, and they are well embedded within the organization’s infrastructure (so they can’t be easily replaced). However, their security mechanisms are outdated and simply can’t keep up with contemporary hacking capabilities.

The SS7 is exactly this kind of legacy system. When such a system faces determined hackers, sophisticated law-enforcement agencies, lenient legislation, and obstinate telecom providers, the system loses. The public’s privacy is already jeopardized, even before we can begin exploring the smart homes, connected cars, and the many future applications of IoT.

Shay Hershkovitz, Ph.D., is a political science professor specializing in intelligence studies. He is also a former IDF intelligence officer whose book, “Aman Comes To Light,” deals with the history of the Israeli intelligence community.