Since the Snowden revelations of 2013, most people have become used to the idea that American and British intelligence agencies can find out anything about anyone. And as debate grows about the influence of the tech titans – companies whose earnings exceed the gross domestic product of some countries – many people are similarly unsurprised at the scale of data accumulation by the likes of Google and Facebook.
But the idea that a huge proportion of our mobile phone interactions are vulnerable to surveillance by a broad array of actors around the world, on account of longstanding weaknesses in the SS7 signaling system, still draws shock.
“The government is fixated on kicking specific vendors like Huawei out of our networks,” said Blake Reid, telecom law professor at the University of Colorado. “But there are decades-old, gaping holes in our overall telecom security architecture that this focus on vendors has no hope of addressing.” The situation, he said, leaves some security researchers and consumer advocates “incredulous”.
In a joint reporting project with the Guardian, the Bureau found that phone operators in the Channel Islands, and elsewhere around the world, were being used for surveillance purposes by corporate intelligence firms. We found evidence of phone intrusions in more than 60 countries, including the UK, the US and almost every country in Europe. And we found that such intrusions are able to track the locations of phone users as well as, in some circumstances, intercept their messages, calls, and other sensitive data.
So how did we get here?
The answer lies in the rapid evolution of the telecoms industry. Up to the 1990s, the sector was made up of a handful of phone companies – many of them state-run – which grazed peacefully in an atmosphere of mutual trust, with little need to authenticate the provenance of the communications that flowed between them. That has since been disrupted by privatization: now hundreds of mobile operators, large and small, compete for subscribers and traffic. Virtual operators, which can offer competitive roaming or data deals without the expense of owning and maintaining their own infrastructure, also piggyback on network access along with numerous peripheral players offering services such as bulk SMS delivery for marketing and authentication.
For this system to function, companies need to trade access to global phone networks – a trade that leaves them open to exploitation by other actors.
Not all countries have highly developed surveillance infrastructure and expertise. For many, it is more convenient to contract the job out to the private sector. And a flourishing marketplace for such services has emerged, as evidenced in revelations about the activities of Hacking Team, NSO Group, Circles and Candiru, among others.
Surveillance-as-a-service is not limited to government clients: at the lower rungs of the business, some providers offer individual buyers basic phone tracking in exchange for bitcoin on the dark web. But the top end of the market is dominated by private companies contracting for states – some of which have a long history of internal repression and rights abuses.
Underlying this high-end surveillance market is what appears to be a wide-ranging penetration of global phone networks. The Bureau’s investigation found evidence of surveillance traffic emanating from access points in the Channel Islands, the US, Iceland, Switzerland, Israel, Cameroon and Laos – to name a few.
A recent report by the University of Toronto’s Citizen Lab, a research group focused on digital threats to civil society, said that SS7 signaling abuse is arguably more insidious than notorious hacking software such as NSO Group’s Pegasus, since it generally leaves no trace on a device for forensic analysis.
The abuse of SS7 vulnerabilities for phone hacking was first disclosed in 2014 by Tobias Engel and Karsten Nohl, but experts told the Bureau that the industry has been slow to mitigate burgeoning security threats. Regulators sometimes seem surprised – with Guernsey’s telecoms authority telling us in response to our findings that “this is the first time [we have] been made aware of these issues” – while others appear reluctant to intervene. In May 2018, the Oregon senator and privacy advocate Ron Wyden said the US Federal Communications Commission had “done nothing but sit on its hands, leaving every American with a mobile phone at risk”. Responding to the Bureau’s findings this week, he reiterated his criticism, stating that the outgoing FCC chairman, Ajit Pai, “has shown no interest in protecting Americans from foreign spying”.
The UK has taken a more active role in trying to stem the tide of surveillance incursions into the country, with a new law drafted to beef up the security obligations of phone operators and the enforcement powers of the regulator. As we discovered, however, this risks leaving a major gap unplugged in the shape of Britain’s offshore enclaves. Again and again, experts told us that such gaps are ripe for exploitation by surveillance companies acting on behalf of undisclosed clients.
Although some of the market for phone surveillance revolves around state-on-state espionage, the risks of unstemmed abuse of the SS7 network extend to its use as a tool of internal repression. This concern was highlighted by David Kaye, former United Nations special rapporteur on the right to freedom of opinion and expression, who reported last year that “surveillance of individuals – often journalists, activists, opposition figures, critics and others exercising their right to freedom of expression – has been shown to lead to arbitrary detention, sometimes to torture and possibly to extrajudicial killings. Such surveillance has thrived amid weak controls on exports and transfers of technology to governments with well-known policies of repression.”
A rule change by the European Union has made it harder for EU countries to export surveillance tech to places where its use might entail human rights concerns. But as our investigation shows, the extent of phone network vulnerabilities means that such moves are unlikely to be effective unless accompanied by stronger action from phone companies and tougher oversight from regulators.
At present, however, there is effectively no transparency on how much malicious traffic passes through the world’s phone networks on a daily basis. Individual phone users have no means of telling whether they have subscribed to a network with strong security provisions or to one with a history of failing to block unauthorized messaging.
Citizen Lab’s recent report offers a bleak assessment of the worldwide effects of an untrammeled surveillance market: “spaces for legitimate democratic activity will continue to shrink” and “governments’ ability to protect their citizens, as well as their own essential services and national security, will also continue to erode”.
This report was first published by the Bureau of Investigative Journalism.