Submitted via IRC for SoyCow8317
The US Department of Homeland Security recently warned that malicious hackers may have targeted US phone users by exploiting a four-decades-old networking protocol used by cell phone providers around the world, according to a spokesman for US Senator Ron Wyden (D-Ore.). Meanwhile, the spokesman said, one of the nation's major cellular carriers recently experienced a breach of that same protocol that exposed customer data.
[...] In a letter Sen. Wyden received last week, DHS officials warned that "nefarious actors may have exploited" SS7 to "target the communications of American citizens," Wyden spokesman Keith Chu told Ars, confirming an article published Wednesday by The Washington Post. On Tuesday, Wyden sent a letter to Federal Communications Commission Chairman Ajit Pai that heightened concerns of SS7 hacks on US infrastructure.
"This threat is not merely hypothetical—malicious attackers are already exploiting SS7 vulnerabilities," Wyden wrote. "One of the major wireless carriers informed my office that it reported an SS7 breach, in which customer data was accessed, to law enforcement through the government's Customer Proprietary Network Information (CPNI) Reporting Portal."
[...] Sen. Wyden's letter this week to the FCC chairman is a reminder that loopholes that allow all the carriers to share customer location data aren't the only threat facing cellphone users. In responses sent late last year to Wyden's questions about SS7 security, both Verizon and T-Mobile confirmed that they were still in the process of implementing firewalls that would filter malicious requests. AT&T, meanwhile, said it implemented such firewalls but didn't say when.
The senator accused the FCC of failing to adequately answer the threat posed by SS7, noting among other things that a working group the FCC convened in 2016 to address SS7 vulnerabilities was dominated by carrier insiders and comprised no academic experts.
(Score: 4, Insightful) by requerdanos on Friday June 01 2018, @11:12PM
TCP (of TCP/IP fame) is from 1974 [wikipedia.org], making it about 44 years old, but that doesn't make it a shuddering horror; if you want to use it securely, there are means ranging from PGP to TLS at your disposal.
Yes. And the largest group of nefarious actors that does such a thing to American citizens is called the American government. Focusing on telecommunications protocols is good for general security principles, but they aren't the demon. The NSA is.