Governance & Risk Management , Privacy
Feds Ask Telcos: How Are You Combating Location Tracking?
Federal Communications Commission Responds to Persistent Surveillance ProblemsWireless carriers have known for years that protocols used to interconnect networks are prone to cyberattacks capable of stealing geolocation information. The U.S. Federal Communications Commission says it wants to know what measures carriers implement to head off those attacks.
See Also: Live Webinar | All the Ways the Internet is Surveilling You
That's the focus of a new call for comment on the effectiveness of countermeasures - and the extent to which telecoms have put them into action.
Experts warn that bad actors are continuing to exploit well-known, long-publicized weaknesses in two widely used routing protocols - Signaling System 7 and Diameter - to track individuals' location and also sell geolocation data, including to authoritarian governments. Criminals have also abused such protocols to steal one-time codes and perpetrate bank heists.
The FCC's call for comment represents a switch from past efforts by its Public Safety and Homeland Security Bureau to drive telcos to improve the security of their networks. Previously, the agency encouraged telcos to address the well-known vulnerabilities in core signaling protocols such as SS7 and the newer Diameter.
Now, rather than focus on vulnerability mitigation and other long-standing recommendations, the agency is asking telecommunications providers for specifics pertaining to:
- Location tracking incidents: The agency wants details on "any successful, unauthorized attempts to access the network user location data of communications service providers operating in the United States to track user location using exploits in the SS7 or Diameter protocols" since 2018, when it issued detailed recommendations for preventing such tracking.
- Preventing illicit location tracking: The agency wants to know what countermeasures telcos have in place for their authentication, authorization and accounting networks; what best practices it should recommend - if it's not already doing so; and if telcos' efforts should be bolstered by third-party audits.
- Global title leasing: Historically, this was crucial for enabling services "by routing signaling messages across telecommunications networks to third parties," according to the London-based GSM Association, a mobile industry lobbying group. Now, the FCC wants to know in part what security measures U.S. telcos have in place for blocking location tracking, especially when working with foreign service providers via title leasing.
The FCC's questions have been spurred in part by location-tracking concerns shared with the agency by Sen. Ron Wyden, D-Ore., pertaining to SS7 and Diameter. The protocols enable telcos to track subscribers' location, both for delivering text messages that originate with other telcos and for processing and routing calls when subscribers roam across other networks. They're widely used across the world for both fixed and mobile telecommunications networks.
"For the last decade, cybersecurity researchers and investigative journalists have highlighted how wireless carriers' failure to secure their networks against rogue SS7 and Diameter requests for customer data has been exploited by authoritarian governments to conduct surveillance," Wyden said.
Since 2017, Wyden - alongside a plethora of cybersecurity experts - has been urging the FCC to address telcos' "lax cybersecurity" and ensure they mitigate well-known and regularly abused vulnerabilities in SS7 and other protocols.
The senator, who wants to see "minimum security standards" for the industry, applauded the FCC's move to evaluate telcos' existing efforts to address the underlying problems. "Effectively addressing this threat will require a whole-of-government effort, and diplomatic partnership with our allies," he said.
Signaling Protocols' Security Shortcomings
The problems stem from the trust-based approach underpinning SS7, which is used to secure 3G and earlier networks, and Diameter, which is used to secure 4G. As detailed in a white paper from Swedish telecommunications giant Ericsson, both protocols take a trust-based approach, assuming that any network elements communicating with each other should be doing so.
Even though Diameter is a newer protocol, it lacks security capabilities. "Diameter does not encrypt originating IP addresses during transport, which increases the risk of network spoofing, where an attacker poses as a legitimate roaming partner on a network to gain access to the network," the FCC said.
Since SS7 and Diameter still serve as "the foundation for mobile telephone networks, especially for roaming capabilities to be able to interconnect networks," as networks expand their coverage and new networks and more users appear, "the opportunity for a bad actor to exploit SS7 and Diameter has increased," the FCC said.
While the use of protocols such as SS7 and Diameter can be restricted to secure tunnels, thus making them more secure, the use of secure tunneling isn't mandatory, Ericsson said.
Although 5G has better security built in, thanks to its use of HTTP signaling, as well as encrypted signaling and end-to-end protection for roaming connections, "5G and legacy networks are still vulnerable to attacks if a node gets compromised - for example, through exploitation of a zero-day vulnerability," Ericsson said. "Insider threats are also of high concern when a network function is abused by personnel."
Questions have mounted over the use of global title leasing. Samantha Kight, the GSMA's head of industry security, last year warned in a blog post that "the misuse of GT leasing presents significant security issues and opportunities for nefarious activity," and that preventing such misuse remained difficult.
"All of this means that third parties can use the SS7 protocol to monitor SMS or calls, track the location of individuals and send spam or smishing messages," she said.
As a result, she asked if the use of global title leasing, which is no longer technically required, should be retired.
Beyond Recommendations
A federal advisory committee to the FCC began studying signaling protocol security shortcomings in 2016 and developed industry recommendations for mitigating them. They include greater monitoring of worldwide signaling traffic, conducting security assessments and sharing threat intelligence, as well as encouraging their subscribers to use messaging apps that offer end-to-end encryption to protect their voice and text messages.
The agency has encouraged the industry to adopt these, and it reports that some larger communications service providers say they've done so.
Pertaining specifically to location tracking, the agency now wants to know whether telcos' security improvements have been sufficient to safeguard subscribers - and if not, what more might be required.
The FCC's call for comments closes on May 28.