Citing reports of unlawful phone tracking confirmed by Homeland Security officials last year, Senator Ron Wyden on Wednesday called on the Federal Communications Commission to establish new regulations to force wireless companies to secure 5G networks from unlawful interception and tracking.
While older cellular network technology has long been easy to compromise, the wireless industry is still in the early days of rolling out 5G and is still in a position to address known vulnerabilities exploited by hackers and foreign governments, Wyden writes in a letter sent to FCC Chairman Ajit Pai on Wednesday.
“Unencrypted cellular phone calls and other wireless communications have long been vulnerable to interception by criminals and spies. Surveillance technology companies openly sell products that exploit these flaws to intercept calls, track phones and infect phones with malware,” the letter says. “This decades-long cybersecurity vulnerability has undoubtedly caused massive harm to our national security, and damage continues with each sensitive call or text that is tapped.”
The FCC did not immediately respond to a request for comment.
Last year, the Department of Homeland Security revealed it had obtained evidence of phone tracking equipment being used near the White House and other sensitive locations around the nation’s capital. The devices, called IMSI catchers, or “Stingrays” after a popular law enforcement model, mimic cell phone towers and, with the addition of hand-held or vehicle-mounted equipment, can be used to accurately pinpoint a cellphone’s location to a single home or apartment. In certain modes, the devices are known to be highly disruptive, causing nearby phones to drop their connectivity.
Researchers have shown that illegal home-brew versions of IMSI catchers, which cost less than $1,000 to make, are also capable of launching more sophisticated attacks, such as booting phones off phone networks and leaving them inoperable.
In a September 2018 report, an FCC advisory group known as the Communications Security, Reliability and Interoperability Council (CSRIC)—or “scissor-ick”—noted that many common attacks on cellular networks could be mitigated by improvements in 5G. These include location tracking, traffic interception, network spoofing, denial of service, impersonation of devices, and the malicious use of base stations.
Even with these improvements, however, phones may still be vulnerable if they can be tricked into downgrading to a lower generation of network technology. This is accomplished through what’s known as a “bidding down attack.” Security researchers are already looking for ways to exploit 5G networks using this technique.
CSRIC recommended that carriers adopt various encryption and authentication technologies to ward off attacks, noting that, for example, hackers targeting networks whose brain is based on a Software-Defined Network (SDN) architecture “can take advantage of any unencrypted communication interface to intercept or interfere with traffic to and from a central controller or network element.”
However, the group does not recommend any regulatory action whatsoever. At every turn, it states the best route is to allow the telecommunications industry to do its own thing; the government should merely provide the companies with threat assessments generated by the Department of Homeland Security to help inform their decisions.
But it’s worth noting that CSRIC is overwhelmingly composed of industry representatives, even though it was originally intended to include a balance of government and non-profit consumer advocates as well. According to recent research by the Project on Government Oversight (POGO), the last iteration of CSRIC—responsible for the aforementioned security recommendations—included 13 private-sector members and only a single civil society representative.
“For decades, wireless carriers have ignored known cybersecurity vulnerabilities that foreign governments were and are still actively exploiting to target Americans. The market has failed to incentivize cybersecurity in part because consumers have no way of comparing the cybersecurity practices of phone companies,” Wyden states.
“The FCC has the authority to regulate wireless carriers and their use of the public airwaves, particularly in areas that involve public safety and national security,” he says. “The FCC must stop leaving the cybersecurity of American consumers, businesses and government agencies to wireless carriers and finally secure America’s next-generation 5G networks against interception and hacking by criminals and foreign spies.”
You can read Wyden’s full letter here, which includes a list of questions for the FCC chairman. He’s requested answers by December 6.