The FCC (Federal Communications Commission) seeks public input regarding measures by communications providers to address vulnerabilities in SS7 and Diameter protocols that enable tracking consumers’ mobile device locations without consent.
The protocols Diameter and SS7 are important for the telecoms infrastructure, allowing functions such as call routing, network interconnections, and mobility support.
However, several reports have highlighted security issues in these protocols that enable attackers to obtain subscriber location data illegally.
As long as SS7 and Diameter remain the base of mobile networks and also extend their reach in terms of roaming capabilities, the possibility of exploitation continues to rise.
At the same time, vulnerabilities are magnified by unencrypted information and network spoofing.
Years-old SS7 Vulnerability
The CSRIC advisory group of the FCC examined these matters and made recommendations, such as using firewalls, monitoring and filtering, engaging signaling aggregators, conducting security assessments, sharing threat information, and promoting the use of encryption by subscribers.
CSRIC on its part observed that location tracking is a main motivation for SS7/Diameter abuses showing the cell ID but not the precise GPS coordinates.
Despite this, even just cell-level location information bears risks to VIPs and officials. Various methods are employed by attackers to get cell towers and visited network details to develop target location patterns.
CSRIC VI issued recommendations to mitigate Diameter exploitation, including implementing secure domains, deploying security gateways at network boundaries, and following network administration best practices.
The FCC encouraged providers to implement CSRIC’s countermeasures. While major providers reported adopting the recommendations, Senator Wyden recently raised concerns about foreign surveillance exploiting SS7/Diameter vulnerabilities to track individuals.
Besides this, he also urged the FCC to mandate minimum cybersecurity requirements for wireless carriers to address these risks.
The FCC seeks renewed public input specifically on the implementation and effectiveness of security countermeasures, including CSRIC recommendations, in preventing location tracking exploits via SS7 and Diameter vulnerabilities.
Commenters are asked to provide details on any successful unauthorized attempts to access user location data since 2018, including incident dates, descriptions of tracking activities, exploited vulnerabilities, techniques used, attacker identities if known, provider response actions, preventive steps that could have been taken, and any incidents involving exploited leased U.S. global titles used for domestic customer tracking.
Moreover, the FCC seeks comment on measures providers have implemented to protect against customer location tracking via SS7 and Diameter, including the adoption of CSRIC, GSMA, and other industry best practices.
