It is dangerously easy to hack the world’s phones

Kevin Briggs, an official at America’s Cybersecurity and Infrastructure Security Agency, told the Federal Communications Commission (FCC), a regulator, earlier this year that there had been “numerous incidents of successful, unauthorised attempts” not only to steal location data and monitor voice and text messages in America, but also to deliver spyware (software that can take over a phone) and influence American voters from abroad via text messages. The comments were first reported recently by 404 Media, a website that covers technology.

The hacks were related to an obscure protocol known as Signalling System 7 (SS7). Developed in the 1970s to allow telecom firms to exchange data to set up and manage calls, nowadays SS7 has more users than the internet. Security was not a big issue when SS7 was first introduced because only a few fixed-line operators could get access to the system. That changed in the mobile age. SS7 and a newer protocol, Diameter, became crucial for a wide range of tasks, including roaming. According to the US Department of Homeland Security, SS7 is a particular risk because there are “tens of thousands of entry points worldwide, many of which are controlled by states that support terrorism or espionage”.

Security experts have known for more than 15 years that the protocol was vulnerable in several ways. In 2008 Tobias Engel, a security researcher, showed that SS7 could be used to identify a user’s location. In 2014 German researchers went further, demonstrating that it could also be exploited to listen to calls or record and store voice and text data. Attackers could forward data to themselves or, if they were close to the phone, hoover it up and tell the system to give them the decryption key. Spy agencies had known about the issue for a lot longer. Many were taking advantage of it.

In April 2014 Russian hackers exploited SS7 to locate…