The shocking disclosure that hackers can access cellphones anywhere in the world and listen in on conversations is putting more urgency behind an effort on Capitol Hill to strengthen encryption laws and create a national standard.
“It points out the importance of strong encryption, not just for U.S. security, but also for commerce, business, for journalists, for Americans who don’t want people listening in on their conversations,” said Rep. Ted Lieu, a California Democrat who sits on the House Oversight Subcommittee on Information Technology. Lieu in February coauthored the Ensuring National Constitutional Rights for Your Private Telecommunications, or ENCRYPT Act, a bill that aims to protect strong encryption standards from being threatened by state laws.
The legislation would prevent states from passing laws aimed at prohibiting encryption.
Lieu was referring a vulnerability to the Signaling System No. 7 network, which is used by about 820 telecom providers worldwide. In an April 17 report for the CBS program “60 Minutes,” German researchers highlighted how they could access the data on Lieu’s cellular device simply by accessing the network. That included voice calls, data, GPS data and more.
While it could be hard for a hacker to access the SS7 network on their own, it would not be as difficult for a foreign intelligence agency or a rogue network administrator. “Your sort of regular hacker may not have the ability to exploit the SS7 flaw, but Russia certainly could, and sophisticated hackers likely could,” Lieu said.
Though it would not be possible to completely avoid being surveilled by someone exploiting the SS7 vulnerability, analysts have said that end-to-end encryption can at at least protect data being sent by text messaging. That’s the same sort of security that several messaging applications, including Viber and WhatsApp, announced in April that they were going to begin offering universally.
Law enforcement officials expressed dismay about those applications, and FBI General Counsel James Baker warned that the encryption on WhatsApp comes with “public safety costs.” The ENCRYPT Act is part of a legislative counterpunch to initial moves in Congress to water down encryption following the terrorist attacks in Paris and Brussels. That’s especially the case in the Senate, where legislation to ban end-to-end encryption began to circulate this month.
Yet following the news about SS7, Lieu said, he downloaded WhatsApp to try to mitigate the possibility that he would be spied on, and he advised others to do the same.
“You can imagine all of the possible ways this could negatively affect national security and the global economy, and the lives of ordinary people across America,” Lieu said in reference to SS7. “From conversations with your loved ones to banking transactions to stock trades, this flaw has huge implications. You can imagine that if a foreign government or hackers had a cellphone number for an executive of a company, they could get inside information and execute stock trades based on that. There are so many nefarious uses to getting inside the conversations of hundreds of millions of cellphones.”
Telecom providers are set to move off SS7 to what are called IP-based networks over the next decade, something that Lieu says that will make it possible for an even broader range of hackers to find vulnerabilities.
“Once you go to an IP network, in my opinion, the problem magnifies 10,000 percent,” Lieu said. “Anybody can now try to attack a network. The attack surface has increased almost infinitely.”
The bottom line, Lieu said, is that end-to-end encryption is the only option available for consumers hoping to protect any of the data they transmit. While his ENCRYPT Act came out of the gate with promise, boasting bipartisan sponsorship and public opinion that has generally trended in favor of encryption, Lieu argues that the news about SS7 makes the need for the bill even more apparent.
“This is a massive flaw that needs to be addressed.” Lieu said. “We need to increase encryption and make it stronger.”
