SS7 and NSA’s Redundant Spying

SS7 countermeasuresOn Sunday, 60 Minutes brought attention to an issue first exposed by researchers some years back: the ease with which people can use the SS7 system that facilitates global mobile phone interoperability to spy on you.

Sharyn Alfonsi: If you just have somebody’s phone number, what could you do?

Karsten Nohl: Track their whereabouts, know where they go for work, which other people they meet when– You can spy on whom they call and what they say over the phone. And you can read their texts.

60 Minutes was smart in that they got Congressman Ted Lieu to agree to be targeted.

Congressman Lieu didn’t have to do anything to get attacked.

All Karsten Nohl’s team in Berlin needed to get into the congressman’s phone was the number. Remember SS7 –that little-known global phone network we told you about earlier?

Karsten Nohl: I’ve been tracking the congressman.

[snip]Sharyn Alfonsi: Are you able to track his movements even if he moves the location services and turns that off?

Karsten Nohl: Yes. The mobile network independent from the little GPS chip in your phone, knows where you are. So any choices that a congressman could’ve made, choosing a phone, choosing a pin number, installing or not installing certain apps, have no influence over what we are showing because this is targeting the mobile network. That of course, is not controlled by any one customer.

[snip]

Sharyn Alfonsi: What is your reaction to knowing that they were listening to all of your calls?

Rep. Ted Lieu: I have two. First, it’s really creepy. And second, it makes me angry.

Sharyn Alfonsi: Makes you angry, why?

Rep. Ted Lieu: They could hear any call of pretty much anyone who has a smartphone. It could be stock trades you want someone to execute. It could be calls with a bank.

Karsten Nohl’s team automatically logged the number of every phone that called Congressman Lieu — which means there’s a lot more damage that could be done than just intercepting that one phone call.

So now Lieu is furious — and pushing House Oversight Committee to conduct an investigation into SS7’s vulnerabilities.

Of course, it’s probably best to think of SS7’s vulnerabilities not as a “flaw,” as 60 Minutes describes it, but a feature. The countries that collectively aren’t demanding change are also using this vulnerability to spy on their subjects and adversaries.

But the fact that Lieu — who really is one of the smartest Members of Congress on surveillance issues — is only now copping onto the vulnerabilities with SS7 suggests how stunted our debate over dragnet surveillance was and is. For two years, we debated how to shut down the Section 215 dragnet, which collected a set of phone records that was significantly redundant with what we collected “overseas” — though in fact the telecoms’ production of such records was mixed together until 2009, suggesting for years Section 215 probably served primarily as legal cover, not the actual authorization for the collection method used. We had very credulous journalists talking about what a big gap in cell phone records NSA faced, in part because FISC frowned on letting NSA collect location data domestically. Yet all the while (as some smarter commenters here have said), NSA was surely exploiting SS7 to collect all the cell phone records it needed, including the location data. Members of Congress like Lieu — on neither the House Intelligence (which presumably has been briefed) or the House Judiciary Committees — would probably not get briefed on the degree to which our intelligence community thrives on using SS7’s vulnerabilities.

What I find perhaps most interesting about this new flurry of attention on SS7 is that the researchers behind it were hired by some “international telecoms” to find ways to improve security sometime in advance of December 2014 (when they first presented their work). The original CCC presentation on this vulnerability (see after 40:00) included a general discussion of what cell phone providers could do to increase the security of their users (see above). 60 Minutes noted that some US providers were doing more than others.

The NSA presumably could and did use entirely SS7 collection for cell phones — especially US based ones — until such time as domestic providers started making them less accessible (and once they were unaccessible overseas, then subject to legal process, though even some of the countermeasures would still leave a US user exposed to other US providers). That needs to be understood (should have been, before the passage of USA Freedom) to really understand the degree to which Congress has any influence over the NSA.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

9 replies
  1. What Constitution? says:

    If you have nothing to hide you have nothing to fear. If you have nothing to hide you have nothing to fear. If you have nothing to hide you have nothing to fear.

    Feeling much better now. Yes?

  2. Denis says:

    So somebody tell me this with respect to SS7: How much info on the
    Farook Lexus phone did FBI have access to w/out cracking it?
    .
    And the reason I ask it is b/c CNN put up a brief headline this morning
    that said “Sources: Data from San Bernardino phone has helped in probe”
    The article was quickly taken off the online front page and put on the back
    burner and you now have to dig for it.
    .
    http://www.cnn.com/2016/04/19/politics/san-bernadino-iphone-data/index.html
    .

    The phone didn’t contain evidence of contacts with other ISIS supporters or the use of encrypted communications during the period the FBI was concerned about. The FBI views that information as valuable to the probe, possibilities it couldn’t discount without getting into the phone, the officials said.

    .
    Yeah, they would say that, wouldn’t they?
    .
    Seems to me there would have been technical ways to get that information
    w/out cracking the phone, and as Marcy has said numerous times here and
    in a Slate article, there likely wasn’t going to be anything on the phone, so
    why all the fuss?
    .
    I don’t fault the FBI for expending a reasonable amount of (constitutionally
    permissible) effort to crack the phone because 2 years from now after the
    next massacre, if the conspiracist wackos pitch a bitch because the FBI never
    got the data off the Farook phone, the FBI would hardly be able to defend
    itself by saying “Well, Marcy said there wouldn’t be anything on that phone.”
    .
    But I don’t have a good understanding of what data, if any, the FBI would
    have had access to via SS7 or other of these spooky resources without
    cracking the phone. Enough metadata and location data to show that
    the phone couldn’t have been used in any nefarious way?
    .
    I also note that some commenter here, I apologize for not remembering
    who, speculated that what the Farook cock-up case was really all about was
    the FBI trying to vacuum and destroy data on the phone that could implicate
    the FBI as an unintended accessory to the crime if this whole thing was one
    of their moronic entrapment spoofs gone wrong.
    .
    When the Farook conspiracy dog-and-pony show officially opens, I’ll place my
    bet on on that one. Of course, if it’s true, any reporter who would dare
    touch it would end up like Michael Hastings.

    • martin says:

      quote”I also note that some commenter here, I apologize for not remembering
      who, speculated that what the Farook cock-up case was really all about was
      the FBI trying to vacuum and destroy data on the phone that could implicate
      the FBI as an unintended accessory to the crime if this whole thing was one
      of their moronic entrapment spoofs gone wrong.”unquote

      Well..that would be ME. And I still suggest it’s possible one of their
      “moronic entrapment spoofs” went haywire. They HAD to get into that phone just to make sure there wasn’t any evidence what so ever. Now..that’s my story and I’m stickin to it. :)

      Meanwhile..lefty665 said:
      “It is important to have an appreciation of their skills and perseverance.”

      right. Like a rape victim should appreciate the skill and violence of their attacker.
      sheezusHchrist..fuck these criminal sonsabitches. They’ve been violating the 4th Amendment since before 9/11. They know it. I know it. The EFF knows it. The ACLU knows it. The DOJ knows it..and so do the fucking judges who still refuse to hold them accountable. The Framers would hang the judges AND the IC. And we haven’t even touched on “parallel construction”, which is absurd that the DOJ has allowed this shit to happen, notwithstanding their totally criminal attempt to keep local PD’s from allowing any knowledge whatsoever of the use of Harris Corp. Stingray’s..to the point they were told to even let cases die to keep this knowledge sekrit. Yes, these USG scumbags are criminals who have circumvented the Constitutional protections GUARANTEED to every citizen in this country..and are STILL DOING IT. So fuck THEM.

  3. lefty665 says:

    There has long been gossip out of the IC that even before 9/11 NSA had 100% of the cell phone traffic. SS7 looks like one way they could have achieved that.
    .
    They have been assigned a mission and given the money to accomplish it. Given that mandate they have demonstrated the intent and ability to exploit about every system out there, hardware and software. There is no reason to believe we’ve heard about all of them or that they rely on a single method for any source. They are the epitome of national technical means. It is important to have an appreciation of their skills and perseverance.
    .
    Hayden’s decision to turn NSA’s focus inward was profound. Some members of their Cryptologic Hall of Honor termed using NSA’s very sharp tools domestically was the stuff of dictatorship. Alas, those spooks are pretty much gone, but their message remains clear.

  4. lefty665 says:

    martin @1:15 You may be right on the FBI cockup, it fits their mo. OTOH, a simpler explanation is that they continue to be technical dolts who have been whining since the days when they pinched their fingers with alligator clips while trying to wiretap. They wanted to muscle Apple to do what they couldn’t figure out how to do themselves.
    .
    The bitch with NSA is at the top which is where the policy changed. It’s Hayden up through Rumsfeld, Cheney and Duhbya. Subsequently Alexander and his cronies, Obama et al. Now Rogers. Include in there mostly dumb and complicit Congress critters like Feinstein who have rolled over.
    .
    Thank folks like Binney, Drake, Snowden and Wyden for shining a light.

    • martin says:

      quote”Thank folks like Binney, Drake, Snowden and Wyden for shining a light.”unquote

      Yeah, and what has it accomplished? Shining a light on a boat load of rats does nothing. It’s only when you KILL them that your life might get a little cleaner.

    • martin says:

      lefty.. let me quantify my statement.

      I’m 71 years old. I lived through the end of WW11, the Korean War, the Vietnam War, all the Middle America bullshit, the South American bullshit, the Cuban bullshit, and every Legal Imperialism bullshit my government has perpetrated on this planet since I was born. Do NOT try to persuade me to accept, in part, in whole or any rationalization of what my government IS, DOES, OR ATTEMPTS to do at this point in my life. What we are dealing with is evil motherfuckers who think they can change the trajectory of morality. I’ve got news for them.

  5. Ian says:

    EMPTYWHEEL(Marcy) says:
    The NSA presumably could and did use entirely SS7 collection for cell phones — especially US based ones — until such time as domestic providers started making them less accessible (and once they were unaccessible overseas, then subject to legal process, though even some of the countermeasures would still leave a US user exposed to other US providers). That needs to be understood (should have been, before the passage of USA Freedom) to really understand the degree to which Congress has any influence over the NSA.

    I SAY:
    Thank you Marcy for covering this fast moving story.
    .
    Sometimes a story like this is best covered by going directly to the industry itself—and for cellphones that inevitably means going offshore to Europe because the underlying technology and system design for all cellphone/smartphone networks came out of Britain & France in the late 1988-1991 period.
    .
    IF YOU GO TO:
    http://www.adaptivemobile.com/blog/ss7-security-putting-pieces-together
    .
    You will see at the bottom of the page the following narrative:
    “*Disclaimer: AdaptiveMobile provided reference information to the producers of 60 Minutes/CBS for the purposes of explaining security in SS7 networks”
    .
    Above the disclaimer you will see:
    .
    “”But a third is the fact that we have some background material that has been released in various leaks, showing that some intelligence agencies have been collecting information to support attacks. One key piece of information, is that in late 2014, as part of the Snowdon revelations, there was the disclosure of a project called Auroragold within the NSA.”
    .
    and you will also see:
    .
    ………“The main purposes of Auroragold is the collection of information on mobile operators. How this is achieved is through the interception and collection of what are called IR.21s, which are basically documents that mobile operators use to exchange with each, so their subscribers can interact and roam between networks, and allow networks to correctly bill each other”
    .
    and finally you will see:
    ………“The main purposes of Auroragold is the collection of information on mobile operators. How this is achieved is through the interception and collection of what are called IR.21s, which are basically documents that mobile operators use to exchange with each, so their subscribers can interact and roam between networks, and allow networks to correctly bill each other
    .
    The hyperlinks provided for Auroragold —-AS A SIGDEV (research project) are:
    .
    https://theintercept.com/2014/12/04/nsa-auroragold-hack-cellphones/
    .
    https://cryptome.org/2014/12/nsa-aurora-gold-intercept-14-1203.pdf (pdf file)

  6. Ian says:

    WHAT I SAID WAS:[2nd repeat]:
    ………“The main purposes of Auroragold is the collection of information on mobile operators. How this is achieved is through the interception and collection of what are called IR.21s, which are basically documents that mobile operators use to exchange with each, so their subscribers can interact and roam between networks, and allow networks to correctly bill each other
    .
    WHAT IS SHOULD HAVE SAID WAS:
    .
    .….” The various leaked documents show that Auroragold focused on obtaining these documents in a variety of ways, and then making that information available internally. It was stated that the Aurorgold project gets this information in order for them to understand the current state of the networks, and predict trends for the future. However they also state that this information is of benefit to other SIGDEV (Signals Development) agencies within the NSA, protocol exploitation elements and partners

Comments are closed.