The Federal Communications Commission is finally minded to address decades-old vulnerabilities.

Fast Enough for Government Work

What’s the craic? Suzanne Smalley reports, FCC to probe ‘grave’ weaknesses in phone network infrastructure:

“Critical role”
The … FCC says it is taking action to address significant weaknesses in telecommunications networks that can enable cybercrime and spying. The agency is investigating how vulnerabilities in the protocols Signaling System No. 7 (SS7) and Diameter … allow breaches, particularly by revealing consumers’ locations to malicious hackers and spies.
…
The commission’s Public Safety and Homeland Security Bureau is spearheading the effort. The FCC said … SS7 and Diameter play a “critical role” in U.S. telecommunications infrastructure [and] it wants to ensure the protocols’ vulnerabilities can’t allow hackers to “track” consumers’ locations.

Horse’s mouth? Rebecca Clinton and friends from the FCC’s Public Safety and Homeland Security Bureau: Requests Comment on Implementation of Measures to Prevent Location Tracking

“Security countermeasures”
Over the last several years, numerous reports have called attention to security vulnerabilities present within SS7 networks and suggest that attackers target SS7 to obtain subscribers’ location information. … The Diameter protocol provides the same services as SS7 and as a result presents similar vulnerabilities. [The] protocols are still the foundation for mobile telephone networks, especially for roaming capabilities.
…
The Bureau finds it is important to more specifically examine the area of location tracking. To that end, the Bureau seeks renewed public comment, including from communications service providers, … on the implementation and effectiveness of security countermeasures … with respect to location tracking.

Wait. Pause. “Over the last several years”? I feel like we’ve been talking about this for decades. Why now? A few weeks ago, Ryan Gallagher wrote, Senator Demands Overhaul of Telecom Security:

“Trick the phone network”
Foreign governments are abusing security flaws in mobile phone networks to secretly track Americans in the US and journalists and dissidents abroad, Senator Ron Wyden has warned. In a letter sent to President Joe Biden … Wyden [D-OR] is urging the White House to counter the threat by supporting a major overhaul of cybersecurity standards.
…
At the center of the senator’s concern is an obscure telecom protocol called SS7, [which] is used to route communications between phone networks. SS7 contains known security vulnerabilities that governments and private surveillance companies have exploited. … It can be used to trick the phone network itself into handing over communications or location information from a particular phone. Multiple companies are now providing foreign governments with these “phone company hacking services,” according to Wyden, [who] accuses CISA of “actively hiding information” about the problem.

Why didn’t the standards bodies do something? This Anonymous Coward has a long memory:

Easy? Really, though? What’s the problem? ronsor neatly boils it down:

There are insecure SS7 nodes exposed to the Internet. I’ve seen them before.

Yikes. The FCC had better fix it—and fast. satsuke calls that a “tall order”:

I was an SS7 network engineer for 20 years. The problem will take much [more] than a few federal inquiries, because SS7 was built with almost no security. … In the 1970s, the only organizations that could talk on an SS7 network were other SS7 providers—namely large telcos and some businesses.
…
Diameter is better … but it’s still largely unencrypted. … There’s functionally no barrier to entry and telcos are obliged to interconnect on a non-preferential basis to prevent the fracturing of the telephone system (e.g., if Verizon decided to not interconnect a competitor’s customers).

Sounds like a tricky problem. Kevin McMurtrie draws comparisons with 5G/NR:

Faster — yes!
mmWave crazy fast — yes!
Edge compute power — OK, sure!
AI, robots, WFH surgeons — why not?
Unicorns — better believe it!
Fix legacy telco security — whoa, let’s be realistic.

Meanwhile, sounding slightly cynical, M0nkge thinks it’s “not needed anymore”:

This same flaw exists in foreign networks. Now that the US Intel agencies have a workaround, they gave the OK to fix it.

And Finally:

No, Mother. It’s Just the Northern Lights

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Mike Meyers (via Unsplash; leveled and cropped)