Your phone number is what hackers need to track MP's cellphone
NDP MP Matthew Dubé looks at a map showing that hackers tracked his movements through his cellphone for days.
One marker shows Dubé near Parliament Hill. Another marks the place he lives when he's working in Ottawa. One more shows an early morning trip to the airport to pick up his partner from a business trip.
"That's creepy. That doesn't make you feel very comfortable," said the Quebec MP.
He looks down at the laptop showing the map again and laughs nervously.
"I guess it's not something to joke about but I guess you think: 'Good thing I wasn't doing anything inappropriate.' "
It wasn't just his movements. Hackers were able to record Dubé's calls, too.
It was all part of a CBC/Radio-Canada demonstration of just how vulnerable Canada's phone networks are. With Dubé's consent and the help of cybersecurity experts based in Germany, CBC/Radio-Canada learned that Canada's two largest cellphone networks are vulnerable to attack.
How can hackers access your phone?
This is all possible because of a vulnerability in the international telecommunication network. It involves what's known as Signalling System No. 7 — or SS7.
SS7 is the way cellphone networks around the world communicate with one another. It's a hidden layer of messages about setting up and tearing down connections for a phone call, exchanging billing information or allowing a phone to roam. But hackers can gain access to SS7, too.
"Those commands can be sent by anybody," said Karsten Nohl, a Berlin-based cybersecurity expert whose team helped CBC/Radio-Canada hack into Dubé's phone.
That can go beyond spying on phone conversations or geolocating a phone. SS7 attacks can also be used to alter, add or delete content.
For example, Nohl said he could set up a person's cellphone voicemail so all messages went directly to him. The user might never know the messages were missing.
"The technology is built with good intentions to make a very useful phone network and good user experience but it lacks any kind of security and it's open to abuse."
It's not just Nohl sounding the alarm. The U.S. Department of Homeland Security put out a report in April warning that "significant weaknesses in SS7 have been known for more than a decade."
The report notes that potential abuses of SS7 include eavesdropping, tracking and fraud, with "tens of thousands of entry points worldwide, many of which are controlled by countries or organizations that support terrorism or espionage."
SS7 abuse
SS7 attacks can easily go completely undetected. However, German journalists reported on an incident in 2014 where customers of Telefonica bank had untold amounts of money drained from their accounts because of phishing emails and SS7 attacks.
In that case, the bank used four-digit codes sent to customers' phones in order to complete money transfers. Hackers used SS7 to get those codes and take the funds for themselves.
The sheer number of SS7 attacks becomes clear when networks beef up their security, said Nohl.
"When they start blocking this abuse, they're blocking millions of otherwise abusive messages. That's for a single network in a single country. So you can imagine the magnitude of abuse worldwide."
Hacking a Canadian phone
Nohl said some telecom companies, primarily in Europe, have beefed up their defences to ward off SS7 attacks.
CBC/Radio-Canada wanted to know just how well Canadian cellphone networks would fare and asked Dubé to be part of a demonstration.
Dubé, the vice-chair of the House of Commons standing committee on public safety and national security, went to the mall and picked up a new phone for the experiment. CBC/Radio-Canada agreed not to use his current work phone in order to protect the privacy of those phone calls.
Dubé's new phone number was given to Nohl and his team of hackers in Berlin. It didn't take long for them to access his calls.
First, the hackers were able to record a conversation between Dubé in his office on Parliament Hill and our Radio-Canada colleague Brigitte Bureau, who was sitting at a café in Berlin.
Next, it was a conversation between Dubé and his assistant, who were both in Ottawa.
Nohl's team also tracked the geolocation data from the phone, painting a picture of Dubé's whereabouts.
When the CBC/Radio-Canada team was back in Canada, the calls were played for Dubé and he was shown a map of his movements.
"It's exactly what I did that day. Just phone calls are bad enough. When you start knowing where you are, that's pretty scary stuff," said Dubé.
Dubé's phone was on the Rogers Network, but CBC/Radio-Canada also ran a similar test with phones on the Bell network.
'Easy to hack'
Nohl offered his assessment of the results.
"Relative to other networks in Europe and elsewhere in the world, the Canadian networks are easy to hack."
He believes there's much more that Rogers and Bell could be doing.
"I think the two Canadian networks we tested have about 10 per cent of the security that they need to do to protect from SS7 attacks."
It's a source of concern for Pierre Roberge, too. He spent more than 10 years with Canada's Communications Security Establishment — the electronic spy agency charged with protecting Canadian digital security. He's now the CEO of Arcadia Cyber Defence.
The CBC/Radio-Canada demonstration raises questions about personal security, he said, and also about who else might want to spy on sensitive discussions.
"To know other nations or criminal groups can eavesdrop on Canadian communication is really worrisome, especially at the political level."
Companies say security a priority
Bell, Rogers and the Canadian Wireless Telecommunications Association declined to sit down with CBC/Radio-Canada and speak about the test results.
Via email, CBC/Radio-Canada sent a series of questions about what the networks were doing to prevent SS7 attacks and why customers weren't being told conversations could be compromised. Both networks responded with general statements about their security efforts.
Rogers Communications said security is a top priority and that it has a cybersecurity team monitoring threats and is introducing new measures to protect customers.
"On SS7, we have already introduced and continue to implement the most advanced technologies but we are unable to share specific details for security reasons."
Bell sent a two-line response.
"Bell works with international industry groups such as the GSMA [an international mobile phone operators association] to identify and address emerging security risks, including those relating to SS7."
A spokesperson added that Bell is "an active participant" in the Canadian Security Telecommunications Advisory Committee.
The group that represents Canadian telecoms was also fairly tight-lipped. The Canadian Wireless Telecommunications Association said it works with domestic and international bodies on security standards. It also said it works with law enforcement to "actively monitor and address risks."
Government reaction
CBC/Radio-Canada also reached out to Public Safety Minister Ralph Goodale's office to ask what was being done to protect Canadians and was directed to the Communications Security Establishment.
In a statement, CSE said its role is to provide "advice and guidance to help protect systems of importance to the Government of Canada."
"CSE has been actively working with Canada's telecom industry and critical infrastructure operators to address issues related to SS7 to develop best practices, advice and guidance that can help mitigate the risks associated with SS7."
How to protect yourself
There are ways to minimize the chance someone will spy on your communications, said Nohl.
He recommends encryption software.
"If you're using Signal, WhatsApp, Skype, you're certainly protected from SS7 attacks.... But there's other types of attacks that could happen against you, your computer, your phone. So you're never fully safe."
When it comes to having your movements tracked, Nohl said the only protection is to turn your phone off — something that's not always practical.
"We're so dependent on our phones. The networks should protect us from these attacks rather than us having to forgo all the benefits of carrying a phone."
Dubé said that dependency is what makes this most troubling.
"The scariest thing of all is that I know that tonight or tomorrow morning, when I make calls to friends to go out for a drink or when I make calls to colleagues to resolve a political or professional issue — I'm still going to have to use the phone."