Lawmakers Ask FCC To Seek Fixes For Phone Network Vulnerabilities

Image courtesy of jpghouse

When you think about phone security, you’re probably thinking about the apps on your phone, who’s listening in on the call you make, or perhaps even the metadata you leave behind. You’re probably not thinking about the national and global network of fibers, cables, and businesses that makes your phone call physically possible. But that network has vulnerabilities, and two lawmakers want the FCC to protect consumers from them.

That’s the gist of a letter [PDF] Sen. Ron Wyden (OR) and Rep. Ted Lieu (CA) sent to FCC Chair Ajit Pai this week.

The letter follows a report [PDF] released by the FCC earlier this month.

In that report, a working group under the Public Safety and Homeland Security bureau “assessed different attack vectors” in two aspects of the phone network of the U.S. The report itself is pretty technical (a veritable alphabet soup of acronyms), but the key takeaway is that two major pieces of the infrastructure that makes phone calls work — SS7 and Diameter — are subject to external attacks.

In short, the report explains, the SS7 Network was “originally founded on the basis of trust between members of a small closed community of carriers.” There simply weren’t that many companies providing phone service, and every player knew eeveryone else. But now, the report concludes, after deregulation put in place in the Telecommunications Act of 1996, there are fewer restrictions on access and more entities can access networks. New tech development like texting (SMS) has also changed who can access the networks, how, and why.

Both wired (landline) and wireless (mobile) networks share vulnerabilities at the points where they talk to each other… and nobody’s got an eye on them. “Today there are only a handful of interconnection security experts in the world” that focus on this particular kind of issue, the report says — and for something with millions or billions of people using it every day, a “handful” of security experts is not enough.

“Ultimately,” the report concludes, “the result is that with more coverage, more networks, and more participants, the attack surface for a bad actor to potentially exploit this community of trust has increased.”

Based on the report, Sen. Wyden and Rep. Lieu tell the FCC, “We are deeply concerned about the poor state of America’s telecommunications cybersecurity.”

“Our communications networks are far too vulnerable; the FCC has not, to date, prioritized cybersecurity; and the American people have largely been kept in the dark about the fact that their calls, texts, and movements are vulnerable to spying and hackers,” the letter continues. “This much change.”

In short, Wyden and Lieu write, the FCC has simply not been paying any attention to security concerns in this area, and industry is not stepping up. “Left, for the most part, to police itself, the cellular industry has neither adequately addressed these serious cybersecurity vulnerabilities, nor warned its customers about the risks they face,” they write.

Wyden and Lieu close by asking the FCC to take a deeper look at the issue. The working group that authored the report has wrapped up, but there are still several related security issues that it didn’t get to dig into because they were outside its mandated scope. The FCC, the lawmakers conclude, needs to both take action on the working group’s recommendations and also launch a new one.

“It is clear that self-regulation isn’t working when it comes to telecommunications cybersecurity,” the letter concludes. “We urge you to take swifc action in this area.”

We’ve asked the FCC for a comment and will update if we get one back.