Surveillance systems that track the locations of cellphone users and spy on their calls, texts and data streams are being turned against Americans as they roam the country and the world, security experts and U.S. officials say.
Federal officials acknowledged the privacy risk to Americans in a previously undisclosed letter from the Department of Homeland Security to Sen. Ron Wyden (D-Ore.) last week, saying they had received reports that "nefarious actors may have exploited" global cellular networks "to target the communications of American citizens."
The letter, dated May 22 and obtained by the Washington Post, described surveillance systems that tap into a global messaging system that enables cellular customers to move from network to network as they travel. The decades-old messaging system, called SS7, has little security, allowing intelligence agencies and some criminal gangs to spy on unwitting targets — based on nothing more than their cellphone numbers.
"I don't think most Americans realize how insecure U.S. telephone networks are," Wyden said in a statement. "If more consumers knew how easy it is for bad guys to track or hack their mobile phones, they would demand the FCC and wireless companies do something about it. These aren't just hypotheticals."
Wyden also revealed in a separate letter Tuesday that a major American cellular carrier has referred an "SS7 breach" involving customer data to federal law enforcement officials for investigation. He chastised the Federal Communications Commission in the letter, saying the agency had "failed to address this ongoing threat to national security."
The FCC declined to comment on the letter, which was addressed to Chairman Ajit Pai.
SS7, which stands for Signaling System 7, was created in the 1970s as a way for telecommunications carriers to exchange information as they routed calls. Over the years, SS7 expanded to serve a sprawling global cellular system that enabled users to move from network to network — within their own nations and across international borders — without missing calls, losing service or having to make payments to each carrier that routed a signal to their phones.
But as the number of companies with access to SS7 grew from a handful to many thousands, the lack of built-in security became a growing problem. It was easy for anyone with access to the network to pretend to be a carrier making legitimate requests for information about customers.
Early research on SS7 surveillance focused on its use in tracking user locations through cellphones. But in recent years, a more serious issue has emerged around its ability to intercept calls, texts and data.
Researchers say SS7 tracking systems around the world now create millions of "malicious queries" — meaning messages seeking unauthorized access to user information — each month.
One Israeli surveillance vendor, Ability, said in an online marketing video posted last year that its ULIN interception system can eavesdrop on cellphone calls on targets in Los Angeles or New York while agents are "sitting at your desk ... anywhere in the world." A 2016 brochure for the company depicted phones being tracked in Massachusetts.
Ability declined to comment about SS7 interception or where the company conducts surveillance, but a person familiar with its operations, who spoke on the condition of anonymity to describe private corporate details, said the ULIN system is not used in the United States. The video, this person said, is used "for demonstration purposes."
The company says on its website that it has had 50 government clients around the world and does not have private-sector clients. Public financial documents listed Ability's major areas of operation as Latin America, Asia and Africa, but it does not name nations. Forbes has previously reported on Ability's capabilities and sales, including to a client in Mexico.
The company — which according to news reports has struggled financially in recent years — has several competitors, including in Israel, in Eastern Europe and in other parts of the world, say experts in SS7 surveillance.
Wyden said the risks posed by SS7 surveillance go beyond privacy to affect national security. American, Chinese, Israeli and Russian intelligence agencies are the most active users of SS7 surveillance, experts say, and private-sector vendors have put systems within the reach of dozens of other governments worldwide. Sophisticated criminals and private providers of business intelligence also use the surveillance technology.
"America is the No. 1 target, far and away. Everyone wants to know what's happening in America," said Brian Collins, chief executive of AdaptiveMobile Security, a cellular security firm based in Dublin, Ireland. "You will always be a target, whether at home or away."
Other experts said SS7 surveillance techniques are widely used worldwide, especially in less developed regions where cellular networks are less sophisticated and may not have any protection against tracking and interception. But the experts agreed that Americans are significant targets, especially of rival governments eager to collect intelligence in the United States and other nations where Americans use their cellphones.
Collins said his firm detected a surge in SS7 queries in U.S. networks in late 2014 that it thinks was related to the Office of Personnel Management hack in which intruders — widely reported to be Chinese — gained access to the files of millions of federal workers, including in some cases their phone numbers. (Although publicly reported in 2015, the hack began at least a year earlier.)
AdaptiveMobile Security also detected an uptick in malicious SS7 queries this month in the Middle East, in the days after President Trump announced the U.S. withdrawal from the Iran nuclear agreement, Collins said. This surveillance probably was the work of intelligence agencies studying how the U.S. move would affect oil prices and production, Collins said.
CTIA, a wireless industry group based in Washington, said carriers have worked to implement recommendations from federal officials to protect against SS7 surveillance. "The wireless industry is committed to safeguarding consumer security and privacy and collaborates closely with [Department of Homeland Security], the FCC and other stakeholders to combat evolving threats that could impact communications networks," CTIA said in a statement.
Firewalls installed by carriers in recent years block many of the malicious queries, but many others succeed in eliciting unauthorized information from cellular carriers worldwide.
"It does happen, and it does happen thousands of times a month," said Karsten Nohl, a telecommunications security expert with Security Research Labs in Berlin.
The most advanced SS7 surveillance systems can monitor the movements of dozens of people for hours at a time, sending alerts if they get close to select areas or to one another, experts say.
German telecommunications researcher Tobias Engel first warned of the potential for SS7 surveillance at a security conference in 2008, during which he demonstrated how to locate a cellphone provided by a volunteer from the audience. Engel also located the cellphone of a Washington Post reporter in 2014, at the Post's request, for an article about the growing availability and effectiveness of such systems.
Researchers have continued to detail SS7 vulnerabilities in recent years, including call, data and text interception. A site reachable on Tor, an encrypted Internet browsing tool, offers SS7 tracking and interception of cellphones for a few hundred dollars a month.
Criminals last year used SS7 to intercept security codes that a bank texted to its customers in Germany, allowing the criminals to steal money from accounts, according to news reports.
Carriers worldwide have gradually added better security, but SS7 does not have any way to verify that carriers sending data requests are who they claim to be. The firewalls increasingly installed by carriers, meanwhile, protect their own customers but typically not people who are roaming on the network, said Engel, the German researcher who first reported the security and privacy risks of SS7.
"It's much simpler to protect your own subscribers," said Engel, now a researcher for GSMK, a mobile communications security company based in Berlin. "It could be that you're vulnerable as soon as you enter somebody else's network, domestic or foreign."
Calls for an aggressive federal response grew after the Post's 2014 article and a "60 Minutes" report in 2016 in which Nohl, one of the German researchers, demonstrated SS7 surveillance risks by intercepting a call to the cellphone of Rep. Ted Lieu (D-Torrance), with his permission.
The Department of Homeland Security, which declined to comment for this article, issued a report on SS7 cellphone security in April 2017 that noted the risk to federal personnel: "SS7 attack types can be used to target key U.S. Federal Government personnel both in the United States and traveling or working overseas."
The report recommended that carriers adopt new protections. An FCC group, the Communications Security, Reliability and Interoperability Council, issued recommendations for improving SS7 security in March 2017 that U.S. carriers have largely adopted.
But Wyden and some other officials say the government must do more to protect American cellphone users by documenting SS7 breaches and commissioning independent testing of the vulnerabilities in national cellular networks — a step that Britain and some other nations have taken.