In 2017, hackers and security researchers highlighted long-standing vulnerabilities in Signaling System 7 (SS7, or Common Channel Signalling System 7 in the US), a series of protocols first built in 1975 to help connect phone carriers around the world. While the problem isn’t new, a 2016 60 Minutes report brought wider attention to the fact that the flaw can allow a hacker to track user location, dodge encryption, and even record private conversations. All while the intrusion looks like ordinary carrier to carrier chatter among a sea of other, “privileged peering relationships.”
Telecom carriers and lobbyists have routinely downplayed the flaw and their multi-year failure to do much about it. In 2018, the CBC noted how Canadian wireless providers Bell and Rogers weren’t even willing to talk about the flaw after the news outlet published an investigation showing how (using only a mobile phone number) it was possible to intercept the calls and movements of Quebec NDP MP Matthew Dubé.
Now there’s another wake up call: a new report by The Guardian indicates that Saudi Arabia has likely been exploiting the flaw for years to track and monitor Saudi Arabian targets when they travel in the United States:
“The data suggests that millions of secret tracking requests emanated from Saudi Arabia over a four-month period beginning in November 2019. The tracking requests, which sought to establish the US location of Saudi–registered phones, appeared to originate from Saudi’s three biggest mobile phone companies.
The whistleblower said they were unable to find any legitimate reason for the high volume of the requests for location information. “There is no other explanation, no other technical reason to do this. Saudi Arabia is weaponising mobile technologies,” the whistleblower claimed.
U.S. carriers like AT&T, Verizon, and T-Mobile routinely receive Provide Subscriber Information (PSI) messages from foreign phone companies to help them track roaming costs for users on foreign cell plans traveling abroad. But excessive use of such messages usually indicates a more nefarious intent. The Guardian couldn’t directly tie the excessive use of PSIs by Saudi telcos to the Saudi government, but most security experts believe Saudi’s history makes the intention fairly clear:
“The whistleblower’s data…suggests that the three largest Saudi mobile operators – Saudi Telecom, Mobily and Zain – sent the US mobile phone operator a combined average of 2.3m tracking requests per month from 1 November 2019 to 1 March 2020. The data appears to suggest the Saudi mobile phones were being tracked as they travelled through the US as often as two to 13 times per hour. Expert said that frequency suggests users could probably have been tracked on a map to within hundreds of metres of accuracy in a city.”
One reason U.S. telcos may not have been particularly keen on cracking down on the practice is that the U.S. government and the NSA very likely exploit the SS7 flaw as well. Senator Ron Wyden demanded answers as early as 2017 from mobile phone companies as to why they haven’t done more to thwart the practice. Of the major U.S. carriers, only AT&T was willing to respond to the Guardian, insisting “we have security controls to block location-tracking messages from roaming partners.” It’s far less likely the NSA’s longstanding BFF blocks similar requests from U.S. intelligence agencies.