What is SS7 and is China Using It To Spy on Trump’s Cell Phone?

On Wednesday, the New York Times reported that President Trump often uses an unmodified, personal iPhone to communicate with friends and confidants as well as two other iPhones that had been modified by the National Security Agency. According to anonymous White House officials interviewed by the Times, Trump has been repeatedly warned that the calls he makes on these devices are not secure and that “Chinese spies are often listening.”

Last year, a Department of Homeland Security report found that mobile devices created a major weak spot in the information security of government employees. In particular, the report cited Signaling System 7 (SS7), a protocol used by telecom companies to coordinate how they route our smartphone data and calls around the world, as a significant threat.

Although the mechanism that allows Chinese spies to eavesdrop on Trump’s calls wasn’t named in the Times story, there is strong reason to believe it involves SS7, which has been used to spy on American and foreign government officials many times in the past.

In 1980, the International Telecommunications Union codified Signaling System 7 as the international standard protocol for telephone signaling. Signaling is the technical term for giving information to a network that tells it how to route a call, such as dialing a phone number. When SS7 was adopted as a standard protocol for routing telephone calls, it marked a revolution in telephony.

Prior to SS7, signaling information was sent on the same channel as the call itself: A user would dial a number (signal) and talk on the same wires, so to speak. SS7, on the other hand, established separate channels for signalling and the actual call. This not only allowed for remarkably higher data transmission rates, but it also allowed for signalling to occur at any point during the call instead of just at the beginning. This drastically improved the quality and reliability of phone calls.

By the new millennium, however, the cracks in the SS7 protocol were starting to show. The main problem with the SS7 network was that it treats all information sent over the network as legitimate. Thus, if a bad actor gains access to the network they can prey on this system of trust and use it to manipulate or intercept the signaling information that is sent. In 1999, the Third Generation Partnership Project (3GPP), a consortium of organizations that deal with telecom standards, issued a distressing warning about vulnerabilities found in SS7.

“The problem with the current SS7 system is that messages can be altered, injected or deleted into the global SS7 networks in an uncontrolled manner,” 3GPP wrote in a 2000 report. As the 3GPP noted, in the past SS7 signals were routed between a “relatively small” number of telecom providers, which made controlling access to this channel more feasible. The designers of SS7 didn’t anticipate the explosive growth of the internet and mobile phones, however, which led to the proliferation of smaller networks that connected to the main telecom backbone.

If SS7 previously only had a few entrances that were carefully guarded by major telecom companies and organizations, by the mid-aughts there were tens of thousands of entrances, many of which were poorly protected or controlled by authoritarian regimes. This made the entire system risky to use for everyone.

“There is no adequate security left in SS7,” the 3GPP concluded in its report. “Mobile operators need to protect themselves from attack from hackers and inadvertent action that could stop a network or networks operating correctly.”

Based on the dire prognosis of SS7 security vulnerabilities, one would assume that telecom organizations would leap into action to secure the backbone of the world’s mobile communications, but they’d be sorely mistaken.

Although security issues with SS7 were first recognized over two decades ago, little has been done to fix them in the interim. In fact, the telecom industry has done everything in its power to avoid having to address SS7’s security vulnerabilities. This is in spite of the fact that the use cases for SS7 have been expanded from routing calls over landlines to monitoring cell usage to calculate bills and facilitate roaming when a user ventures out of their cell provider’s network. At the same time, our increasing reliance on our mobile phones, which are now used for everything from controlling smarthomes to checking our bank accounts, have ratcheted up the stakes of an attack on the SS7 network.

As Kim Zetter noted in an article for Wired, the reason the telecom industry didn’t act on SS7’s vulnerabilities was because many operators “assumed the risks were theoretical.” Indeed, as noted in the 3GPP report, there hadn’t yet been an intentional attack on SS7 as of 2000, even though researchers recognized that a number of different attacks were possible in principle. These included tracking the physical location of individual cell phones, targeted disruption of cell phone service, intercepting text messages and eavesdropping on phone calls.

In 2008, the researcher Tobias Engel demonstrated how to locate individual cell phones with SS7 at Chaos Communication Congress, a hacker conference in Germany. In 2014, he gave another presentation at CCC that showed how SS7 could be used to locate, track and manipulate cell phone users. As Engel noted, gaining access to the SS7 network is trivial: It can be done by hacking telecom operator equipment connected to the internet, accessing it through low-power personal cell stations called femtocells, or simply purchasing access from a telecommunications company.

That same year, the US Assistant Secretary of State Victoria Nuland was recorded shit talking the European Union on a call with the US ambassador to Ukraine. As was revealed later that year in a report by the Ukrainian telecom authority, the call had occurred on a regular telecom network and had been intercepted and rerouted to a landline in St. Petersburg, Russia. Although researchers weren’t positive that Russia used SS7 vulnerabilities to intercept the call, the details of the incident made it seem highly likely that this was the case.

By 2014 it was already clear that the threat of SS7 attacks was no longer theoretical. In fact, the SS7 network was emerging as one of the most potent attack vectors for governments and non-state actors. Yet despite these risks, the telecom industry actively resisted implementing robust security measures to address SS7’s vulnerabilities.

In 2016, two German hackers demonstrated the power of SS7 attacks on 60 Minutes by eavesdropping on a call made by California congressman Ted Lieu on an off-the-shelf iPhone (with his consent). Moreover, they were also able to determine which hotel Lieu had stayed at the night before, even though he had his GPS functionality on the phone turned off.

Following the segment, Lieu sent a letter to the House Oversight and Government Reform Committee asking it to launch an investigation into SS7 in order to characterize the extent of its vulnerabilities and determine possible solutions.

“There are thousands of ways this flaw affects commerce and national security,” Lieu told the Washington Post. “I’m sure the Donald Trump campaign would love to know what the Ted Cruz campaign manager is saying on his cellphone.”

Lieu wasn’t far off the mark. Instead of Trump exploiting SS7 vulnerabilities to eavesdrop on Cruz, however, it appears that Chinese and Russian spies are using those same vulnerabilities to eavesdrop on Trump.

Although the risks to national security and individual privacy posed by SS7 vulnerabilities are well documented, adequate solutions to the problem are less certain. In 2016 the Federal Communications Commission created a working group to study the problem and issued its final report in early 2017.

One possible solution is to abandon the SS7 network for an updated signaling protocol. Indeed, the growing amount of data and calls that are routed through the internet (VoIP) means that signalling protocols designed for computer networks could be fruitfully employed by telecom organizations as well. One such protocol is called Diameter, which was developed in the late 90s for authenticating information sent through computer networks. While the FCC acknowledged that “Diameter has certain inherent capabilities that make it more difficult to attack,” this had to be weighed against the fact that it “could introduce new vulnerabilities.” Indeed, several research teams have demonstrated exploits similar to the ones used on the SS7 network on Diameter.

Another solution broached by the FCC was for telecom providers to develop “circles of trust,” which would involve creating a system for ranking the trustworthiness of incoming message based on the type of information it contains and where it was sent from. Finally, the FCC recommended that telecom providers provide encryption support for their users.

“SS7 exploits are primarily effective because of their limited scope,” the FCC report concludes. “These threats are designed for specific end user targeting. A consumer may be able to employ methods to protect the content of messages and voice communications by using end to end encryption.”

The problem is that when a call is made using a landline or cell phone, it is not encrypted end-to-end. The signal is usually encrypted at various points along its journey but traverses most of the network unprotected. Thus, the FCC recommended that cell phone users use commercial encryption services like Signal, WhatsApp, or Tor.

We may never know for sure whether the SS7 network is being exploited to eavesdrop on Trump, but one thing is for certain: By insisting on using an unmodified iPhone on commercial telecommunications networks, the President of the United States is exposing himself to a favorite tool of spies around the world.