U.S. Rep. Ted Lieu (D-Cali.) on Monday called for a full congressional investigation into a widespread flaw in global phone networks that allows hackers to track anyone's location and spy on their phone calls and text messages.
The security flaw in Signaling System No. 7 (SS7), which is a broker between most of the world's phone networks, affects hundreds of millions of mobile-phone users around the world. A hacker only needs to know your phone number to initiate the attack.
Concern over the SS7 flaw comes amid a heated debate over the growing availability of technology that uses strong encryption to protect users' data—technology that could protect Americans against those who exploit SS7 and other vulnerabilities—and a Senate bill that critics say effectively forces companies to weaken their encryption so law enforcement can access that data.
Lieu is calling for an investigation into what is causing the vulnerability, its ramifications, as well as who in government knew about it. Lieu requested the investigation in a letter sent to the chair and ranking member of the House Committee on Oversight and Government Reform on Monday morning. The letter is not yet available to the public.
“With the cellphone becoming more ubiquitous every day, this is going to affect all of society if we don't fix it.”
“With the cellphone becoming more ubiquitous every day,” Lieu told the Daily Dot, “this is going to affect all of society if we don't fix it.”
The flaw in SS7, initially revealed in 2014, was demonstrated again Sunday night on 60 Minutes by German security researcher Karsten Nohl. The news show had Nohl easily spy on Rep. Lieu's phone calls to show how even the most powerful and well-educated—Lieu has a computer science degree from Stanford—are ill affected.
The California congressman said his phone calls with elected officials as high up as President Barack Obama could have been vulnerable to hackers exploiting this vulnerability.
To begin to protect yourself against the SS7 flaw and a wide arsenal of similar hacks, you can use an app like Signal to encrypt your phone calls and messages.
Rep. Lieu pointed out that using encrypted messaging apps like WhatsApp makes this otherwise far-reaching flaw “much less of a threat.” If both you and the person you're calling or messaging are using an app like Signal, a hacker intercepting the communication will not be able to easily decipher what's actually being said, if they can decrypt the conversation at all.
Lieu argued that any government employee who previously knew about the SS7 vulnerability but did nothing to have it fixed ought to be fired because “this affects so much of daily life to your personal phone calls to your loved ones, to financial transactions, stock trades, economic espionage.”
“So much is affected by this that to not have disclosed it and to have used it simply for one purpose of intelligence gathering is not appropriate because everything else far outweighs that narrow purpose,” he said.
Lieu has long been vocal on the surging global debates on cybersecurity, particularly when it comes to encryption. In February, he sent a letter to FBI Director James Comey arguing that the Federal Bureau of Investigation should withdraw from its legal fight to force Apple to unlock an iPhone owned by a San Bernardino terrorist. The Justice Department later dropped the case after FBI investigators accessed the phone's contents with the help an unnamed third party.
The debate, stoked by vulnerabilities like the flaw in SS7, has turned to whether the FBI should the vulnerability it used to access the iPhone 5C of San Bernardino shooter Syed Rizwan Farook so that Apple can patch the hole and better protect the security of their customers' phones. The FBI has so far refused to do so.
Rep. Lieu believes the FBI should be sharing that vulnerability, “particularly because government is asking private sector companies to help the government by information sharing.”
“That was part of their law that was passed through Congress,” he said. “I don't think information sharing should just go one way.”
Lieu says the SS7 vulnerability is a far clearer case than the FBI's fight with Apple because of its much larger impact and scope.
"It's not even a close issue in terms of balance [between national security and consumer security],” Lieu said. “We just have to fix it.”