America's digital adversaries may have spent years eavesdropping on officials' private phone conversations through vulnerabilities in the global cell phone network, according to security experts.
A recent "60 Minutes" segment displayed the extent of the weakness, spurring government into action this week. Federal agencies vowed to investigate and Capitol Hill has begun looking into the issue.
"I would be flabbergasted if these foreign governments were not monitoring large numbers of American officials on their cell phones," Rep. Ted Lieu (D-Calif.) told The Hill.
Lieu, who holds a bachelor's degree in computer science, offered up his phone to German computer scientist Karsten Nohl to test the extent of the vulnerability on "60 Minutes." Hackers were able to record Lieu's calls, view his contacts and monitor his movements, armed with just the Los Angeles Democrat's phone number.
Despite the government's pledges to rectify the problem, Lieu and security researchers insist officials have lost valuable time.
The vulnerabilities have been known for several years, and even bubbled up in the media in late 2014. After the flaws came back into the spotlight, Lieu said the government failed to take basic steps.
For instance, he said, "I am still dumbfounded as to why I have yet to see an alert go out to members of Congress."
Most telecom companies use decades-old protocols known as Signaling System No. 7 or SS7 to direct mobile communications around the world.
It is these protocols that are seen as insecure.
"The SS7 network was never designed to be secure," explained Les Goldsmith, a researcher with Las Vegas security firm ESD. "It was originally a cable in Europe. It had no encryption."
But SS7 serves a vital purpose. The network helps keep calls connected as users bounce from cell tower to cell tower, and routes text messages to their final location. It's also how people get service when they travel to another country, outside the reach of their normal carrier.
The problem is that anyone who can gain entry to the SS7 system can also repurpose these signals and intercept calls and texts.
The attack surface is vast. There are over 800 cell phone networks around the world, each with roughly 100 to 200 interlocking roaming agreements with other networks, Goldsmith said.
That means virtually every cell phone network is interconnected, allowing hackers to potentially tap any phone, regardless of location. Lieu's phone, for example, was infiltrated from Germany.
"The smallest carrier in the Middle East … can actually reach into AT&T and Verizon's network," said Christopher Soghoian, principal technologist for the American Civil Liberties Union (ACLU).
And the problem is not going away. SS7 will continue to be used for well over a decade, experts predict.
The system's shortcomings are not news to many security researchers and even to some government officials.
Goldsmith spoke about SS7 vulnerabilities at an industry conference last month, and his firm, ESD, has been briefing governments and telecom carriers on the issue since January of 2015. The first rumblings of the weaknesses appeared in 2010, Soghoian said.
ESD tests carriers' networks to determine the extent of malicious SS7 tracking. One European telecom carrier, Goldsmith said, had one third of its subscriber base being monitored. He suspects a nation state was behind the snooping.
At a House hearing this week, Lieu pressed a top Department of Homeland Security (DHS) cyber official, Andy Ozment, on whether his agency was aware of these SS7 flaws.
Ozment said the DHS had known about the issue since 2014, but could only warn telecom companies about the dangers since the DHS is not a regulatory agency.
After the "60 Minutes" report, the Federal Communications Commission (FCC), which does regulate the telecom industry, did announce it would examine the SS7 security concerns.
Soghoian is doubtful the investigation will produce meaningful outcomes. The FCC has made similar pledges previously, he said, and told the ACLU in a meeting last year that it was open to a sit-down with the German researcher from the "60 Minutes" segment. But Soghoian said the agency has since dragged its feet on setting up such a briefing.
In a statement, FCC spokeswoman Kim Hart said the agency had simply decided to refer the SS7 investigation to an FCC-affiliated council composed of industry leaders and federal officials.
That group will offer the FCC recommendations on how it can protect cell phone networks from SS7-related spying, Hart added.
Still, Soghoian feels the FCC "is basically asleep at the wheel." Not because of "ineptitude," he said, but because of "conflicting missions."
The agency is tasked with securing phone networks, but is also under pressure from law enforcement and the intelligence community to preserve America's ability to exploit SS7 for its own surveillance efforts, Soghoian said.
Soghoian pointed to SS7 references in documents leaked by former government contractor Edward Snowden that indicate the National Security Agency has likely used the flaws to its benefit.
"This is a problem that needs to be solved and I suspect will only be solved through congressional attention," Soghoian said.
At least two House committees are considering launching investigations.
But the SS7 flaws are still at the periphery for many Congressional cybersecurity leaders. Several key cyber lawmakers acknowledged to The Hill this week that the topic was either low on the priority list or something they were not yet aware of.
John Marinho, the vice president of cybersecurity and technology for CTIA, an industry group representing wireless communications firms, said hackers need "extraordinary access" to get into the SS7 system.
"That is the equivalent of giving a thief the keys to your house; that is not representative of how U.S. wireless operators secure and protect their networks," he said.
Lieu called the response "bizarre."
"The notion that somehow this flaw is not a big deal because … your average hacker might not be able to access it?" Lieu said. "That's just a ludicrous response."
Lieu and other privacy advocates like Soghoian want the government to push for officials and members of Congress to adopt end-to-end encrypted chatting apps, such as WhatsApp, which only allow the sender and receiver of a message to see the content. Numerous apps also allow for encrypted phone conversations.
These solutions would prevent much of the SS7 eavesdropping, although they would still leave GPS data exposed.
"After I watched the '60 Minutes' episode," Lieu said, "I went and downloaded WhatsApp," adding that he had encouraged others to do the same.
"Now I do text messages to the extent possible on WhatsApp."