The security of U.S. telecom networks has come under fresh scrutiny in recent months, with the latest example coming this week when the Cybersecurity and Infrastructure Security Agency (CISA) recommended that individuals in need of high security use encrypted messaging apps for mobile communications.
Concern grew in October when CISA and the FBI confirmed that China-linked threat actors had infiltrated telecom networks in an attempt to spy on President-elect Donald Trump and the campaign of Vice President Kamala Harris, among other top U.S. officials.
Congressional hearings followed, including an extraordinary admission from Senator Mark Warner that “thousands and thousands and thousands” of vulnerable telecom network devices might need to be replaced.
“Unlike some of the European countries where you might have a single telco, our networks are a hodgepodge of old networks,” Warner told the Washington Post. “The big networks are combinations of a whole series of acquisitions, and you have equipment out there that’s so old it’s unpatchable.”
Guidance earlier this month from U.S. cyber and national security agencies and counterparts in Canada, Australia and New Zealand offered comprehensive advice for hardening and securing global telecom networks in light of the attacks, and the U.S. Federal Communications Commission (FCC) said it would take steps to mandate stronger telecom security.
Attention Turns to SS7 and Diameter as List of Attackers Grows
Recently, the security of the 40-year-old Signaling System No. 7 (SS7) telecom protocols used in 2G and 3G SMS and phone services – as well as international roaming – came under renewed scrutiny over SS7’s potential to allow location tracking, interception of voice data and multi-factor authentication keys, as well as the protocol’s potential as a spyware delivery vector. The 4G and 5G Diameter protocol also has location tracking vulnerabilities, and 4G and 5G users could also find themselves downgraded to SS7 when roaming.
Senator Ron Wyden earlier this month released 23 pages of correspondence with the U.S. Department of Defense (DoD) detailing insecurities in telecom messaging systems and the SS7 and Diameter protocols. Wyden and Senator Eric Schmitt asked DoD Inspector General Robert Storch to “investigate the Department of Defense’s (DOD) failure to secure its unclassified telephone communications from foreign espionage.”
“Teams and certain other platforms utilized by DOD are not end-to-end encrypted by default, causing concerning gaps in security that could easily be mitigated,” the Senators wrote. “End-to-end encrypted voice, video, and text messaging tools such as Signal, WhatsApp, and FaceTime better protect communications in the event that the company that offers the service is hacked.”
DoD has begun limited pilots of a potentially more secure platform known as Matrix that is widely used by NATO allies, but the senators said the Defense Department needs to do more.
The letter included a number of appendices detailing correspondence between Wyden’s staff and the DoD.
In one, Wyden’s staff asked the DoD if it agreed with three statements by the Department of Homeland Security on SS7’s and Diameter’s security shortcomings that were included in a 2017 report – and the DoD responded that it agreed with the statements.
The three DHS statements the DoD agreed with are:
- DHS “believes that all U.S. carriers are vulnerable to [SS7 and Diameter] exploits, resulting in risks to national security, the economy, and the Federal Government’s ability to reliably execute national essential functions.”
- DHS “believes SS7 and Diameter vulnerabilities can be exploited by criminals, terrorists, and nation-state actors/foreign intelligence organizations.”
- DHS “believes many organizations appear to be sharing or selling expertise and services that could be used to spy on Americans.”
Cyble dark web researchers confirm that SS7 and Diameter exploits and services continue to be routinely discussed on cybercrime and underground forums, including detailed exploits for attacks using these protocols.
Wyden also said he had seen an unreleased CISA report from 2022 detailing U.S. telecom security issues that contained “alarming details about SS7-related surveillance activities involving U.S. telecommunications networks.”
Wyden asked if DoD was “aware of any incidents in 2022 or 2023 in which DoD personnel, whether located in the U.S. or outside the U.S, were surveilled through SS7 and Diameter enabled technologies?”
The DoD replied that the question “Requires a classified response.”
Wyden sent the DoD a slide from a 2017 DHS event (not included in the documents) that identified the “primary countries reportedly using telecom assets of other nations to exploit U.S. subscribers. Those countries, according to the DHS presentation, are Russia, China, Israel and Iran.”
Wyden said Russia, China, Israel and Iran had also used telecom assets of countries in Africa, Central and South America, Europe, the Middle East, and Africa to “attack US subscribers … indicating that these foreign governments are using SS7 to target U.S. users, and that these SS7 attack are being routed through 3rd country networks.”
Asked if it agreed with those assessments, the DoD replied that it “is not in a position to render an assessment without access to the underlying data that informed this presentation.”
CISA’s Encrypted Messaging Guidance
With that background, CISA’s guidance issued this week merits particularly close attention by anyone engaged in sensitive communications, especially those who may come under international roaming.
The CISA document includes specific recommendations for Android and iPhone devices, but general guidance includes:
- Using a free messaging application for secure communications that guarantees end-to-end encryption, such as Signal or similar apps.
- Enable Fast Identity Online (FIDO) phishing-resistant authentication.
- Take inventory of valuable accounts, including email and social media and review any accounts where information leakage would benefit threat actors
- Enroll each account in FIDO-based authentication, especially Microsoft, Apple, and Google accounts. Once enrolled in FIDO-based authentication, disable other less secure forms of MFA.
- For Gmail users, enroll in Google’s Advanced Protection (APP) program to strengthen defenses against phishing and account hijacking.
- Migrate away from Short Message Service (SMS)-based MFA and disable SMS as a second factor for authentication.
- Use a password manager to store all passwords.
- Set a Telco PIN and MFA for mobile phone accounts to protect against SIM-swapping techniques.
