Security flaws in a system used by cellphone carriers around the world could open the door to wide-ranging surveillance of mobile-phone traffic, according to a German researcher who discovered the problem.
The issue affects a telecommunications standard called Signaling System 7, or SS7, which is used by carriers to manage connections between cellular networks. The Berlin-based Security Research Lab, which discovered the problem in August, said a skilled person could exploit the flaws to eavesdrop on the phone calls, text messages and data traffic of billions of people.
“Given how valuable such spying capabilities are to states and other criminal actors, I would be very surprised if we are first to find these hacking vectors,” company researcher Karsten Nohl said Friday.
Nohl said cellphone companies were quietly told about the problem earlier this month. The Washington Post and Germany’s Sueddeutsche Zeitung newspaper reported on it Thursday.
At least two German cellphone companies, T-Mobile and Vodafone Deutschland, said they have taken measures to prevent criminals and spies from exploiting the flaws to eavesdrop on customers.
The global cellular operators body GSMA said it, too, was told of the problem and was awaiting further details to be presented at a computer-security conference in Hamburg, Germany, this week.
A spokeswoman for GSMA said the reported problem affects 2G and 3G networks, but not the newest 4G standard.
“The research disclosures made to the GSMA enabled us to conduct a preliminary analysis, consider the implications and provide recommendations to our members, including mobile-network operators and infrastructure vendors, on how to mitigate the identified risks,” Claire Cranton told The Associated Press.
Nohl noted that carriers can easily close the security hole by blocking certain network requests submitted over SS7 – a three-decade-old system – by other companies.
“We were really surprised that most of them don’t do that,” he said. “It’s like the internet before firewalls became popular.”
Users can protect themselves independently of their cellphone carriers by using applications that encrypt their calls, messages and emails, Nohl said.