What the security community has suspected for years about telecom protocols has now been confirmed by an American cybersecurity official. Per 404media, longstanding vulnerabilities with SS7 and Diameter protocols for 3G/4G communications have been used to track and spy on individuals in the United States. This claim is according to Kevin Briggs’ recent filing to the Federal Communications Commission.

Briggs is CISA’s senior advisor for telecommunications, but his comments depart from the official line.

I was not surprised to learn that the US government and foreign actors are tracking people’s location by monitoring telco authentication traffic, which is too often sent in the clear.

Telecommunications providers and Internet service providers also use RADIUS for authentication. As an expert in RADIUS protocols, I can tell you RADIUS systems have likely been eavesdropped on in the same way. To assume anything else is to bury your head in the sand.

If authentication information is not sent in encrypted form, there is every reason to believe that the exact same monitoring is happening with RADIUS as we see with SS7 and Diameter.

This isn’t paranoia. The security community and policymakers knew attacks via SS7 and Diameter were possible and probable. That has now been confirmed. It’s only paranoia if they’re not out to get you.

We owe users better protection. Everyone should stop using systems which have been known for years to have serious vulnerabilities.

Step one: encrypt authentication traffic to prevent spying

Now that we know authentication traffic was used by bad actors to monitor individuals, it lends credence to the conversations we’ve been having at the Internet Engineering Task Force (IETF).

The development of standards to prevent this type of tracking is already well underway. I have been involved in the RADIUS working group at IETF since 1998 and have been pushing for increased security that entire time. These efforts have gained more support recently. I now have an in-progress document in the IETF that addresses this issue for RADIUS. It should become a full standard later this year.

The statements by Briggs are really the first public proof that this monitoring is happening, although many people had their suspicions. The attention around Diameter and spying on users should help to prioritize changes which will help keep data private.

At the very least, telcos and ISPs should encrypt their traffic whether they’re using RADIUS, Diameter, or anything else. Surely that’s not too much to ask?

High-profile health care ransomware attacks, and the consistent upward trend in data breaches and cyberattacks make it clear we must act as if there’s a target on everyone’s backs, because there is.

Telcos and their regulators need to do more. Now.

Ignoring the problem doesn’t make it go away

The risks of location tracking exploits and data interception via SS7/Diameter have been known for ages. Media coverage of the security flaws in those protocols goes back to 2016. A year later, the Communications Security, Reliability, and Interoperability Council (CSRIC), a U.S. federal advisory committee to the FCC, adopted a final report detailing the vulnerabilities in the SS7 and Diameter protocols and provided specific recommendations for best practices to help prevent exploitation of SS7.

Major telecoms providers in the U.S. said they’ve hardened their systems, yet Briggs’ comments reference specific instances of spying in 2022 and allege many other incidents.

In the wake of Briggs’ allegations, the FCC is following up with communications service providers to ask if they are refurbishing their networks to prevent tracking of users.

How are bad actors tracking customers through SS7?

According to the story in 404media, Briggs told the FCC in a public filing he has seen “reporting on what appears to be reliable information” on the tracking of a person in the USA using PSI (Provide Subscriber Information) exploitation. He also claims to have seen similar reporting on three subscribers in the USA that were location-tracked using SRI (Send Routing Information) packets using the subscribers’ mobile phone numbers.

Briggs considers these examples to be the tip of the iceberg. In his response to the FCC, he says he believes there have been “numerous incidents of successful, unauthorized attempts to access the network user location data of communications service providers operating in the USA using SS7 and/or Diameter exploits.” See 404media for more detail on Briggs’ comments.

RADIUS, SS7, Diameter and other authentication and routing protocols are the backbone of our wireless communications systems, and they are dangerously exposed.