By exploiting weaknesses in a decades-old global messaging system, Saudi Arabia has been able to track its citizens as they travel through the United States. This disturbing revelation should open the eyes of U.S. regulators to the need to improve the security of the American telecommunications system.
The Saudi spying campaign, revealed by a whistleblower to the Guardian, utilized vulnerabilities in Signaling System No. 7 (SS7), a global messaging system created in 1975 and last updated in 1993. Despite its age, SS7 remains a key component of America’s digital infrastructure.
The system allows phone networks to exchange the information needed for passing calls and text messages, and allows users to roam from one network to another as they travel around the world.
Foreign service providers use SS7 to ping users’ phones and receive location information from other providers in order to levy roaming charges.
But the Saudi government appears to have abused the system, pinging the phones of Saudi nationals traveling throughout the United States at an inordinate rate.
This vulnerability can just as easily be exploited to surveil the communications of American citizens, as noted in a 2018 letter from the Department of Homeland Security to U.S. Sen. Ron Wyden (D., Ore.).
Despite the known vulnerabilities and a set of fixes that tech experts regard as relatively straightforward, the Federal Trade Commission has never required the U.S. telecommunications industry to implement them.
Meanwhile, the U.S. Senate is currently considering a bill, known as EARN IT, which threatens the future of message encryption offered by U.S. Internet platforms, ensuring more vulnerabilities in the U.S. telecoms system.
The Saudi spying campaign should reveal the danger of either maintaining the status quo or, worse, further compromising U.S. cybersecurity. Efforts must be taken immediately — by the telecommunications industry, by the FTC, by Congress — to bring America’s digital infrastructure into the 21st century.
So-called “back doors” that can be exploited by U.S. law enforcement can just as easily be exploited by foreign governments.
Rather than sustaining or creating back doors, the United States should shut the door and protect the security of digital communications made on its soil.
An editorial from the Toledo Blade, Ohio.