Telcos Left Vulnerable As 30-Year-Old Ss7 Protocol Revealed To Be A National Security Nightmare

Signalling System No. 7 (SS7) protocol, a cornerstone of the global telecommunications network, has been identified as a major vulnerability by cybersecurity experts and telco operators alike. The legacy protocol, which has been in use for over three decades, poses significant security risks, including location tracking, voice data interception, spyware delivery, and bypassing two-factor authentication.

Cybersecurity experts attribute the vulnerabilities to the protocol’s complexity and lack of modern security measures. Dmitry Kurbatov, co-founder of telecom network security solutions provider SecurityGen, notes that SS7 is an “old technology that has been around for 30 years, and it’s still being used in many places.” This acceptance of outdated technology has contributed to the telco industry’s slow response to SS7 concerns.

The recent Chinese cyberattacks against US telecommunications networks, dubbed Salt Typhoon, highlighted the widespread vulnerabilities in telco security. Senator Mark Warner described the attacks as “the worst telecom hack in our nation’s history,” underscoring the need for urgent action to address these issues. Philippe Langlois, CEO of P1 Security, attributes the industry’s slow response to SS7 concerns to its acceptance of outdated technology.

Many older handsets still rely on insecure 2G connections, making them vulnerable to attacks. Langlois notes that “there are always these kind of attacks on the roaming side.” To mitigate this risk, some telcos have implemented solutions like IMSI scrambling, which protects International Mobile Subscriber Identity (IMSI) data.

However, as Dave Harcourt, BT’s Chief Security Authority & Automation Director, points out, “These steps have made it much harder to launch SS7 attacks, but IMSI leakage can still occur due to other factors.” The lack of investment in telco security is a significant issue, according to Langlois. “The problem is not with the fact that we don’t have ways to make it secure; we have ways to make it much more secure. The problem is more that there’s a lack of investment.”

Security by design has become a starting point for the telecoms industry, but this approach was not in place when SS7 was created. Regulators and governments push for greater security measures, but telcos face significant challenges in implementing effective firewalls to block malicious attacks.

Moody’s recent cyber heat map ratings agency moved the telecoms sector to the high-risk category, underscoring the immense security issues at play. Kurbatov emphasizes that “the problem is not with the fact that we don’t have ways to make it secure; we have ways to make it much more secure. The problem is more that there’s a lack of investment.”