
Memo to Trump: US telecoms is vulnerable to hackers. Please hang up and try again | John Naughton


You know the drill. You’re logging into your bank or another service (Gmail, to name just one) that you use regularly. You enter your username and password and then the service says that it will send you an SMS message with a code in it which you can use to confirm that it is indeed you who’s logged in. It’s called “two-factor authentication” (2FA) and it passes for best practice in our networked world, given that passwords and login details can easily be cracked.

Sadly, our world is wicked as well as networked, and that SMS message can be redirected to someone else’s phone – that of the criminal who has logged in using your phished personal details – and who is now busily emptying your current account.

This kind of skulduggery has been possible for years. I’ve just come across an account of it happening to bank customers in Germany in 2017, but security experts were warning about it long before that. At the root of the problem are chronic security vulnerabilities in SS7, an arcane, decades-old, technical protocol for routing phone calls and messages, which is embedded in all telephone systems.

These vulnerabilities can be exploited by hackers to do a variety of harms: track any mobile phone anywhere in the world; listen to calls; read and redirect SMS messages; intercept internet traffic; and interfere with user connectivity or network availability, to name just a few. But SS7 is also what enables your phone to stay connected on a call while you’re in a train passing through many local cells. So it’s an integral part of the mobile phone system – the glue that holds the whole system together.

You could say that it is too big to fail, which may explain why the big telecoms firms have been reluctant to face up to its manifest downsides. This indolence has now triggered intervention by the US regulator, the Federal Communications Commission (FCC), possibly because the Oregon senator Ron Wyden has taken to describing SS7 vulnerabilities as a “national security” issue.

As it happens, the senator is pushing at an open door, for there is panic in Washington about the extent and depth of foreign (AKA Chinese) penetration of US communications and critical infrastructure, some of which is undoubtedly facilitated by the vulnerabilities of SS7. At an international security summit in Bahrain on 7 December, Anne Neuberger of the White House National Security Council admitted that Chinese cyberspies had recorded “very senior” US political figures’ calls, though she omitted to name the victims. She also confirmed that eight US telecom providers had been compromised by the Chinese hackers.

Although North Korea and Russia are also viewed as cybersecurity adversaries, the Americans appear to be obsessed with the Chinese threat. It seems that three hacking groups in particular are keeping folks in Washington awake at night. It is, as one wag commented, “typhoon season” in the city – a reflection of the names assigned to the trio – Salt Typhoon, Volt Typhoon and Flax Typhoon. Flax ran a 260,000-device botnet until it was dismantled by the FBI. Salt cyberspies breached US telecommunications companies Verizon, AT&T and Lumen Technologies – and also, in a neat touch, hacked their wiretapping systems (the ones they have to deploy when FBI agents arrive with a warrant).

Volt, in a way, is the most sinister of the trio. It specialises in US critical infrastructure – water systems, electricity grids and the like. It runs botnets based on end-of-life Cisco and Netgear routers (models for which security updates are no longer being issued). It has been active since mid-2021 with the aim, according to Microsoft, of building the capability of disrupting critical communications infrastructure between the US and the Asia region during future crises. (A Chinese invasion of Taiwan, perhaps?) The affected organisations “span the communications, manufacturing, utility, transportation, construction, maritime, government, information technology and education sectors”. The inference is that Volt “intends to perform espionage and maintain access without being detected for as long as possible”.

So, as the tech companies queue up to donate millions to Trump’s inauguration fund, two of three Chinese hacking groups named after storms will still be quietly wreaking havoc in the US’s digital back yard. The idea of Salt Typhoon hacking the FBI’s own wiretapping systems is particularly delicious. Meanwhile, mobile phones everywhere will remain tethered to an ageing protocol that’s about as secure as a two-person tent in a hurricane. And when Trump goes to Beijing to close the deal with his fellow emperor, Xi Jinping will be able to present his visitor with a leather-bound book of all his private telephone conversations since 2016.

Happy new year!

What I’ve been reading

Blinded by the light
Optical Delusions is a fine blast on Tina Brown’s blog about the weird attraction of Trumpian glitz for many Americans.

University challenge
How the Ivy League Broke America – the title of a thoughtful long essay by David Brooks in the Atlantic on the evils of “meritocracy”.

To sir, with love
Getting the Essay Back: Two Memories. A lovely piece of writing by Richard Farr on what it’s like to have a great teacher.


