A new consultation from the US Federal Communications Commission (FCC) gives hope that there will be a long-overdue tightening of security around SS7 and Diameter, two of the telecoms industry’s most important network signaling protocols. The consultation comes just a few weeks after Senator Ron Wyden warned President Joe Biden about weak signaling security being exploited for espionage . In his letter to the President, Wyden identified…
…grave threats posed by wireless carriers’ lax cybersecurity practices, which are not regulated, but should be.
The FCC has not reviewed SS7 security since 2018, and not reviewed Diameter security since 2020, so it seems unlikely that the timing of their new consultation is a coincidence. Regular readers of Commsrisk will not need much briefing on this topic because the implications of poor signaling security have been repeated by many industry experts over the years. Put simply, the high degree of trust inherent to the cooperative use of networks, especially in the context of roaming, allows bad actors to interrogate systems for information about the location of mobile phones worldwide. Some bad actors obtain access whilst remaining in the shadows by leasing the global title of a legitimate telco; global title is the addressing system for signaling infrastructure. Deutsche Telekom is encouraging other telcos to voluntarily curb the leasing of global title but bad actors will still be able to abuse signaling data until governments intervene.
No proposals have been made by the FCC; their consultation is merely framed as an exercise in gathering information. It can essentially be reduced to four questions.
- Are there examples of SS7 and Diameter being used to track the movements of Americans within the USA?
- Have there been instances of the global title belonging to a US telco being leased to another party and then used for surveillance?
- Which past signaling security recommendations are being followed in practice, and what more needs to be done?
- Are current controls surrounding the leasing of global title sufficient?
The open-ended nature of the FCC’s questions suggest a disturbing degree of complacency. The power to track a person’s movements through their phone is an enabler for monitoring who they associate with, or for sending an assassin to their location. Telcos are effectively giving this power to foreign spy agencies and organized crime. The FCC is gathering information whilst Senator Wyden has already progressed to the stage where he made six specific demands in his letter to Biden.
- Establish minimum signaling security standards for telco services used by US government agencies.
- Establish minimum SS7 and Diameter security requirements for all US mobile providers and aggregators of messages. These should include mandating the registration of any company that leases the global title of a telco and making them comply with know-your-customer obligations.
- Extend to telecom surveillance services the same export rules already applied to surveillance software and hardware products.
- Extend to telecom surveillance services the rules expressed in a 2023 Presidential Order that prohibits the US government from buying spyware.
- Sanction some well-known telecoms surveillance companies and investigate others.
- Work with foreign governments to regulate the supply of telecom surveillance services at an international level.
Some mainstream journalists have treated the FCC’s consultation as evidence that the regulator will soon act decisively. This conclusion is premature, given the extent of the current regulatory void and the time that has passed since the FCC last reviewed signaling security risks. I rather think that this consultation is yet more evidence of an unhealthy relationship between the press and the US comms regulator. The new consultation document opens with a series of references to mainstream media stories about the abuse of signaling security. It comes shortly after Wyden generated publicity for the issue. But regulators exist because there is sometimes a need for proactive specialist insight that goes beyond public opinion or concerns that have already been voiced by politicians. Network security is one of those domains.
I do not want journalists setting the cybersecurity agenda for regulators, and nor do I want them giving a verdict on how competently issues like these are handled. Not many people will be spied upon using techniques that exploit SS7 and Diameter, but the consequences of allowing a person’s location to be tracked can be devastating. The seriousness of an issue is not just determined by the number of readers, or voters, who know about it. Too much of the FCC’s work appears to be determined by press headlines, and too little involves listening and responding to genuine experts on topics like these. How else can we explain that a government agency with an annual budget of half a billion dollars is acting as if it first relies on TV news reports before seeking the expert advice of telecoms industry insiders?
Something is better than nothing, so let us be grateful that this consultation is now occurring. But the competence of the work performed by the authorities in the USA deserves more scrutiny, not just from journalists who are chasing a sensational headline or have a political axe to grind, but from anyone in the industry who understands the worsening threats to privacy. It makes little sense to engage in crude interventions like banning Chinese companies from running telcos within the USA if foreign spies can remotely monitor the movements of Americans by exploiting well-known security weaknesses that affect US-owned networks.
The public notice for this consultation is here. The deadline for comments is April 26 and the deadline for reply comments is May 28.



