Tuesday, April 19, 2016

Congressman gets mad about SS7 flaws

If you've never heard of SS7, check out one of the many articles or presentations out there about SS7 flaws.  This one is particularly interesting.  The flaws, which according to this article are essentially an open secret in US intelligence agencies, can be used to intercept voice calls.

When hackers demonstrated the ability to intercept calls by knowing only a congressman's phone number, he was not impressed.  Or perhaps he was too impressed.  But in any case he was definitely not amused, saying:
"The people who knew about this flaw should be fired," he said. "You cannot have 300 and some million Americans, and really the global citizenry, be at risk of having their phone conversations intercepted with a known flaw simply because some intelligence agencies might get some data. That is not acceptable."
While those are some pretty strong words, I think it speaks to elected officials' opinion of the vulnerability equities process.  We have been led to believe that the equities process evaluates the risk to the US population against the possibility of gaining intelligence.  If the article is correct and the NSA and others knew of the vulnerability, I personally can't imagine how it went through the equities process and was ruled to be safe to leave unpatched.

Further, I think this drives another nail in the coffin of the NOBUS argument.  Independent researchers have found a market in discovering vulnerabilities - and not just in Windows.  If it involves technology, researchers (white and black hat) are looking for security holes.  It's high time that US intelligence agencies admit that they are no longer the only game in town and start thinking about protecting the interests of all US citizens.
