Saudi Arabia is allegedly tracking its citizens who live in and visit the US, according to a data trove provided to The Guardian by a whistleblower. The records suggest Saudi telecommunications operators made millions of location tracking requests to pinpoint the GPS location of its citizens. The method of the surveillance exploits known flaws in a global communications network that operators use to ensure connectivity for their customers traveling abroad.
What is SS7?
Signaling System 7 (SS7) has served telecom operators for decades to enable call-routing between different nations. Additionally, a device can easily roam when a user travels abroad thanks to SS7. To facilitate this, SS7 depends on a method of verifying that the user is indeed roaming. It does this through Provide Subscriber Information (PSI) requests, which are sent by a customer’s telecom company to outside networks.
Typically, PSI requests are only used to verify a customer’s location in order to bill the customer appropriately. Occasional PSI requests are not unusual, but Saudi carriers sent a combined average of 2.3 million per month from Nov. 1 to March 1.
The Guardian shared the data with several security experts for their interpretations. Andrew Miller, a former member of President Barack Obama’s National Security Council, speculated on the kingdom’s motive for making such a large number of PSI requests.
“I think they are surveilling not only those they know are dissidents, but those they fear may deviate from the Saudi leadership,” Miller said. “They are particularly worried about what Saudi nationals will do when they are in western countries.”
Sid Rao, security and privacy researcher and technologist at Nokia Bell Labs, agreed with the whistleblower’s assertion that Riyadh is using SS7 to track its citizens in the US.
History of Problems
The whistleblower’s allegations are not the first time SS7 has been identified as a point of weakness in the communication grid. In 2016, Rep. Ted Lieu, D–Calif., allowed his phone to be hacked via SS7 for a security segment on CBS’ 60 Minutes.
“Everyone’s accounts protected by text-based two-factor authentication, such as bank accounts, are potentially at risk until the FCC and telecom industry fix the devastating SS7 security flaw,” Lieu said.
In addition to hacking, experts have warned about the potential for third parties to intercept and redirect phone calls and text messages by abusing SS7. In 2017, criminals exploited the network to gain access to bank accounts by intercepting two-factor authentication codes sent to customers, ZDNet reported.
Known Saudi Technique
The whistleblower’s allegation against Saudi Arabia is the latest controversy involving the Middle Eastern kingdom and its crackdown on its citizens abroad. Riyadh faced calls from UN security experts for an investigation into the alleged hacking of Amazon founder Jeff Bezos’s phone. In May 2018, Bezos received a malware-infected video in a message from the personal phone number of Saudi Crown Prince Mohammed bin Salman (MbS), according to TechCrunch.
A forensics report by FTI Consulting said it was “highly probable” that Saudi Arabia hacked the Amazon CEO. Forensics experts also alleged Riyadh used the same malware to spy on dissidents abroad, including known associates of Washington Post journalist Jamal Khashoggi, who was allegedly murdered at the behest of MbS.
Years of Inaction
Thus far, the Federal Communications Commission has only issued a public notice to prompt US carriers to increase their SS7 security, but Sen. Ron Wyden, D–Ore., a member of the Senate Intelligence Committee, would like to see more government action.
“I’ve been raising the alarm about security flaws in U.S. phone networks for years, but FCC Chairman Ajit Pai has made it clear he doesn’t want to regulate the carriers or force them to secure their networks from foreign government hackers,” Wyden said. “Because of his inaction, if this report is true, an authoritarian government may be reaching into American wireless networks to track people inside our country.”
In 2018, AT&T, Verizon, and T-Mobile informed Wyden’s office that they would install additional firewall security. However, any new security measures must take care to not block legitimate PSI requests, said an FCC working group in 2016.