AT&T is “concealing vital cybersecurity reporting” about its FirstNet phone network for first responders and the US military, according to US Senator Ron Wyden (D-OR), who said the network had been dubbed unsafe by CISA.
In a letter [PDF] sent to the US government’s Cybersecurity and Infrastructure Security Agency (CISA) and NSA, the senator called for an annual cybersecurity audit of FirstNet, citing a nearly half-century old phone signalling protocol that miscreants and spies can exploit to track mobile devices and intercept their calls and texts.
“These phone network vulnerabilities are being actively exploited to conduct cross-border surveillance,” Wyden wrote.
At issue is Signaling System No. 7 (SS7), a protocol developed in the mid 1970s and used by network operators to connect one network to another. It’s very vulnerable to misuse, and has been abused to determine a cellphone’s location, redirect and read its incoming text messages, snoop on calls, and more.
“These security flaws are also a national security issue, particularly if foreign governments can exploit these flaws to target US government personnel,” Senator Wyden said in his April 12 letter, adding he’s “particularly concerned about FirstNet.”
AT&T operates FirstNet under a $6.5 billion contract with the US government. It’s a nationwide network intended to allow police, firefighters, and paramedics to transmit data and communications across multiple regions and jurisdictions without worrying about the transmissions being lost to overcrowded networks, particularly during disasters.
This is all good in theory — until it’s compromised or abused