Hackers need only your cell number to eavesdrop on your phone

A security flaw in the cell exchange system can let hackers listen in on your phone calls. But while federal agencies have done little to fix the flaw, intelligence agencies are said to be still exploiting it.
Written by Zack Whittaker, Contributor

NSA halts domestic digital surveillance program over privacy issues

It's one of the most personal 10-digit numbers in your life, but that's all a hacker needs to listen in on your phone calls, read your text messages, and track your location.

A new report by sister-site CBS News' "60 Minutes," broadcast Sunday evening after two years in the making, shows how millions of smartphones users are vulnerable to eavesdropping and surveillance -- despite advancements in protections on most phones.

It's done by exploiting a flaw in Signaling System No. 7 (SS7), a little-known but crucial system that brokers information between phone networks. SS7 handles that translation every time you send a text or make a call.

By targeting SS7, an attacker can see almost everything that passes through the system.


Hackers target the phone of one congressman. (Image: CBSNews.com)

German security researcher Karsten Nohl, who revealed the flaw more than two years ago at a hacker gathering in Hamburg, said the flaw still exists. The Federal Communications Commission (FCC), which regulates the cellular space, is said to have done nothing since it first begun looking into the flaw.

To prove a point, they hacked a congressman's phone -- albeit with his permission.

"They could hear any call," said Rep. Ted Lieu (D-CA, 33rd), a privacy advocate, "It could be stock trades... it could be calls with a bank."

The problem is that there's little that smartphone users can do, except use smartphone apps that encrypt the data before it leaves the phone.

Security researcher Nicholas Weaver said in a tweet that apps like Signal, WhatsApp, and Apple's own iMessage service encrypt messages between devices, because the "network underneath can't be trusted."

Matthew Green, a cryptography expert and Johns Hopkins professor, said that most should "should trust cellular network security as far as you can throw it."

"Last year, the president called me on my cell phone, and we discussed some issues. If the hackers were listening in, they would know that full conversation. And that's immensely troubling," he said.

And if the hackers know a way in, you can bet your bottom dollar that the US intelligence community -- and its global adversaries -- have it too.

"The people who knew about this flaw should be fired," Lieu said.

Editorial standards