Billions of mobile phone users at risk as network flaw allows hackers to intercept calls and track location
60 Minutes uncovers major mobile phone security vulnerabilities, raising concerns about SMS verification
According to Australian TV program 60 Minutes, billions of mobile phone users are at risk from a signaling flaw that allows hackers to listen in to conversations and hijack Australians’ mobile phones. It also allows hackers to intercept all voice calls and track locations, the program claims.
Government, security agencies and the telecommunications industry will be forced to explain a security hole that allows hackers to listen in to conversations and hijack Australians’ mobile phones after it’s exposed by a 60 Minutes investigation, the program claims.
Reporter Ross Coulthart believes that he has uncovered a security vulnerability that could affect any of us, and that nothing has been done to prevent it. The investigation into mobile security spanned three continents.
“What it means is that your smartphone is an open book,” he told news.com.au.
“Criminals now have access to these huge security holes to steal your data and listen in to your calls. We know telephone companies know about it, we know security agencies know about it, but nothing is being done.”
The flaw lies in the architecture known as SS7, a signaling system used by more than 800 telecommunication companies across the world, including major Australian providers. By exploiting it, hackers can listen in to mobile phone conversations, steal information stored on mobile phones, and track the location of the phone’s user.
Coulthart says that the system has long been used by spies and has been a secret of those engaged in international espionage. Recently, however, organized crime, commercial spies and potential terrorists have been exploiting this security loophole for their own gain, 60 Minutes claims to have found.
How does this work? The hacker forwards all calls to an online recording device and then re-routes the call back to its intended recipient, a so-called man-in-the-middle attack. It also allows the movements of a mobile phone user to be tracked on applications such as Google Maps.
As a result, this raises questions about the security of SMS verification used by banking apps, 60 Minutes reports.
“Verification by SMS message is useless against a determined hacker with access to the SS7 portal because they can intercept and use the SMS code before it gets to the bank customer,” the report said.
With the help of a German hacker, who also works as a consultant to security agencies, the program carried out a demonstration that intercepted and recorded a conversation between a 60 Minutes reporter and independent Australian Senator Nick Xenophon. The program shows how easy it is to intercept and listen in to a politician’s mobile phone conversation, or for that matter anybody else’s.
It is also worth noting that the German hacker was given legal access to SS7 by the government, something most hackers would not have. This revelation has led to an immediate public inquiry in Australia, surrounded by concerns that the security and intelligence services have long known about the SS7 security vulnerabilities.
Senator Xenophon said in response to the report: “This is actually quite shocking because it affects everyone. It means anyone with a mobile phone can be hacked, can be bugged, can be harassed”.
“The implications are enormous and what we find shocking is that the security services, the intelligence services, they know about this vulnerability.”
“The government, security agencies, and telecommunications industry, need to explain why this hole has not been fixed.”
According to security research firm Adaptive Mobile, such attacks can be launched anywhere in the world on any individual connected to the global SS7 network and hence, such flaws should be taken seriously.
The firm, having become concerned about SS7, published a blog post following the high-profile attack on Hacking Team.
“Security in the SS7 network has become of paramount importance for the mobile community, so knowing how these surveillance companies regard and use SS7 is essential,” Adaptive Mobile said.
“Based on the information that has become available, it seems that there is a wider group of commercial entities selling systems that allow surveillance over SS7, and that these systems are for offer today.”