On June 27, the House Science, Space, and Technology Committee’s oversight subcommittee convened a panel of cybersecurity experts for a hearing on cellphone spying. The focus of the hearing seemed driven by recent media reports revealing that backpack-sized surveillance devices - known as IMSI catchers or Stingrays - are operating near the White House and other sensitive locations across the United States.
During the hearing, which highlighted the fact that calls and texts of every American are vulnerable to interception and eavesdropping via these devices, Members of Congress and the panel of experts discussed the challenges associated with detecting IMSI catchers and Stingrays before concluding, correctly, that no guaranteed method exists to detect them. However, nobody zeroed in on the real question, which is: even if they could be detected, so what? The reality is that trying to detect these kinds of attacks is useless because pinpointing the IMSI catchers does nothing to stop their interception of data.
Focusing on such a futile exercise in mobile security misses the proverbial “forest for the trees” and likely indicates a flawed approach. In fact, the far more dire threat is that posed by the interoperability of the global telecommunications infrastructure, specifically, the SS7 and Diameter protocols that can be used to intercept calls and messages from the other side of the planet. An important research report found that,
“Gaining unauthorized access to the core SS7 or Diameter network is a risk since there are tens of thousands of entry points worldwide, many of which are controlled by countries or organizations that support terrorism & espionage.”
In light of all this, Congressional confusion about how to address this threat is highly concerning. Frankly, anyone who has been paying attention to this issue who claims that they don’t know how to solve this challenge is either lying or incompetent.
Regardless of the tools used to spy, whether Stingrays or SS7-based tools, the only effective solution is end-to-end encryption for calls and texts - a well-researched and documented approach that is easy to implement, inexpensive and, most importantly, effective. In fact, a major research paper on this issue explicitly states that “due to the nature of carrier networks no voice or data should depend solely on the network for confidentiality or integrity protection” and concluded that it is necessary to “ensure devices use end-to-end encryption for all communications paths.”
The author of the paper? The U.S. Department of Homeland Security.
<mic drop>