US 60 Minutes broadcast a story on 17 April 2016 about some folks armed with only a cellphone number being able to listen in on phone calls and track the movements of U.S. congressman Ted Lieu.
The story touched on some phone hacking techniques, including IMSI catcher risks (see an example of risk and mitigation at 3 min 50 sec), but spent most of its time on SS7 vulnerabilities in cellular networks and the real and present impact these vulnerabilities have on everyone who uses a mobile phone (or other device connected to a cellular network).
Ted Lieu took exception to these revelations, and on 18 April 2016 he sent a letter to the leadership of the House Oversight Committee to request a full investigation into the significant SS7 vulnerabilities identified in the global mobile network. Questions about SS7 vulnerabilities were also asked by Ted in the open-session Subcommittee on Information Technology hearing on Federal Cybersecurity Detection, Response and Mitigation held on 20 April 2016 (see Ted's questions at 1 hour 26 sec and 1 hour 21 min 14 sec).
All this is well and good, but why should we Australians, New Zealanders, Solomon Islanders, Fijians and people of other nations in Melanesia and Polynesia care about our American friends discussing SS7 cellular network vulnerabilities in their media and government system? We ought to care because none of our governments mention the criticality or national significance of these vulnerabilities in their publicly disclosed cyber security strategies (where those strategies exist). Yet cellular networks underpin the private and economic activities of individuals and households, of small, large and corporate businesses, and of government across our countries. It is pretty odd for a national cyber security strategy to leave out the security of a widely used, pervasive technology like mobile phones and cellular networks.
In short, the Americans are talking about SS7 impacts and vulnerabilities. Our neighbourhood isn't. Let's change this - ask your government, your cellular carriers and your local media to start the public conversation now.
ARC Solutions is an information security and risk management consultancy. ARC Solutions is also ESD America's authorised reseller of ESD Oversight (SS7 solution), ESD Overwatch (IMSI catcher solution) and ESD/GSMK Cryptophone (encrypted phone solution) in New Zealand, Fiji and Solomon Islands.
Contact ARC Solutions anytime to arrange a private, confidential, encrypted and secure conversation about how we can help you have and use secure mobile telecommunications.