The Business & Technology Network
Helping Business Interpret and Use Technology

Major SS7 Vulnerability In Wireless Networks Oddly Gets A Fraction Of The Hysteria Reserved For TikTok

DATE POSTED: May 22, 2024

While lawmakers, looking to get on cable TV, spent much of the last few years performatively hyperventilating about TikTok privacy and national security issues, few of those same folks seem quite as bothered by the parade of obvious, nasty vulnerabilities in the nation’s telecom networks.

For example, we still somehow haven’t addressed longstanding flaws in Signaling System 7 (SS7, or Common Channel Signaling System 7), a series of protocols hackers can exploit to track user location, dodge encryption, and even record private conversations. Governments and various bad actors routinely exploit the flaw to covertly spy on wireless users around the planet without them ever knowing.

It’s very bad, and we’ve known about the problem for a long while. 60 Minutes aired a profile on the issue back in 2016. Senator Ron Wyden demanded answers as early as 2017 from mobile phone companies as to why they haven’t done more to thwart the abuse. I’d always lazily assumed we weren’t rushing to fix the problem because it’s currently being broadly exploited by the U.S. government.

Earlier this month a Cybersecurity and Infrastructure Security Agency (CISA) official broke ranks with the NSA and formally acknowledged for the first time that the U.S. has exploited flaws in SS7 for years, going so far as to use it to track and surveil folks within the U.S. 404 Media has an interesting (but paywalled) report that’s worth a read.

Wyden sent another letter to the Biden administration last February, asking why the government seemingly refuses to take the SS7 flaw particularly seriously:

“Surveillance companies and their authoritarian foreign government customers have exploited lax security in U.S. and foreign phone networks for at least a decade to track phones anywhere in the world. Authoritarian governments have abused these tools to track Americans in the United States and journalists and dissidents abroad, threatening U.S. national security, freedom of the press, and international human rights.”

In April the FCC announced it would finally be probing “grave” weaknesses in both SS7 and another similarly flawed protocol, Diameter. But the generally feckless agency will likely be butting heads not just with U.S. intelligence, but the giant telecoms like AT&T tethered to our domestic surveillance systems. So whether this results in any meaningful reform will have to be seen.

What’s amusing is that this is a massive, significant, proven flaw in our communications networks and a proven risk to national security, and yet you’d be hard pressed to see one one-thousandth of the press coverage or political attention relegated to concerns about a single Chinese app.

The TikTok fracas was utterly avoidable for three straight years as a partially Facebook-driven hysteria about the potential security threat of the app utterly consumed American discourse. Yet if you want to learn anything about the SS7 flaw, you’ll see nowhere near the same attention, with most of the coverage (like the 404 piece or this Economist piece from this month) paywalled.

Recall that Republican FCC official Brendan Carr spent much of the last three years going on cable TV news to whine incessantly about the purported privacy and national security threat of an app he doesn’t have regulatory oversight over. Yet do a basic Google search for his name and SS7 and you’ll find the Commissioner far less invested in a problem in a sector he actually regulates.

TikTok isn’t without issues, but I still tend to think the absolute hysteria surrounding TikTok mostly functions as a policy and media distraction from our comically corrupt failure to pass a modern privacy law, regulate data brokers, and protect U.S. consumers from harm.

Between the robocall scourge and major security vulnerabilities, policy incompetence has resulted in us ceding our wireless communications networks to scammers, scumbags, and surveillance-hungry bureaucrats. And outside of Ron Wyden, officials who could do something about it spend more time crying about a popular Chinese app peppered with sexy dancing and adorable raccoons than doing their actual jobs.