
Cyber Official Speaks Out, Reveals Mobile Network Attacks in U.S.

A CISA official breaks with the government narrative and tells the FCC that SS7 and similar networks and protocols have been used to track people in the U.S. in recent years.
Image: Gilles Lambert/Unsplash.

This piece is published with support from The Capitol Forum.

A U.S. government cybersecurity official has broken ranks from his agency and publicly revealed that attackers have repeatedly tracked the physical location of people inside the U.S. using vulnerabilities in the backbone of the world’s telecommunications cellular infrastructure in recent years, 404 Media has learned. 

The comments from the Cybersecurity & Infrastructure Security Agency (CISA) official are highly unusual: they provide an unvarnished assessment of the threat posed by such attacks on U.S. telecommunication networks; they acknowledge that these attacks have happened recently, even after the country’s telecoms, including AT&T, Verizon, and T-Mobile, claim they have better secured their networks; and the official decided to speak out publicly, seemingly without his agency’s approval.

After providing specific details related to the attacks, the official wrote in a public filing with the FCC that he thinks the examples “are just the tip of the proverbial iceberg of SS7 and Diameter based location and monitoring exploits that have been used successfully against targeted people in the USA.” The official is Kevin Briggs, who is CISA’s senior advisor for telecommunications, program lead, according to a CISA report posted online.

SS7 is a network and protocol that is used to route messages when a consumer roams outside of their normal provider’s coverage area. It is also exploited by spy firms, governments, and criminals to track phones’ physical locations, and intercept phone calls and text messages. Diameter is something of an efficiency upgrade to SS7, but it can still be leveraged in similar ways to track targets.

Broadly, malicious parties such as spy firms gain access to SS7 through legitimate telecommunications companies or by operating their own. From here, they lease access to a Global Title, which is essentially an address to route messages with. Armed with this access and a target’s phone number, an attacker may then be able to track the victim.

“I believe there have been numerous incidents of successful, unauthorized attempts to access the network user location data of communications service providers operating in the USA using SS7 and/or Diameter exploits,” Briggs’ response starts. Briggs then says “For example, I have seen reporting on what appears to be reliable information on the use of the tracking of a person in the USA using PSI (Provide Subscriber Information) exploitation in March of 2022.” He then writes “In addition, I have seen similar reporting on three subscribers in the USA that were location tracked using SRI (Send Routing Information) packets using the subscribers’ mobile phone numbers in April of 2022.”

A screenshot of part of Briggs' response.

He also said he has seen “very concerning information” about several thousand “Global Opcode violations” in May 2022, which is a technique that can be used to hide attacks.

Briggs adds that he has seen information about exploits that can lead to the monitoring of text and voice messages; deliver spyware to targeted devices; and influence U.S. voters “by overseas countries using text messages.”

Finally, Briggs says he believes “there is reliable information” that some small carriers or companies inside the U.S. have leased Global Titles to entities outside of the country. “The leasing of U.S. Global Titles has likely been a part of the reason for exploits against U.S. personnel,” he writes, and points specifically to the previously reported case of Princess Latifa of Dubai being tracked with SS7 and other techniques in 2018. (In 2020, The Bureau of Investigative Journalism and the Guardian revealed networks in the Channel Islands were used in that location effort).

“Much more could be said, but this ends my public comments,” Briggs concludes.

A screenshot of part of Briggs' response.

Briggs’ comments come after years of pressure against the U.S. government and telecoms to better mitigate the SS7 threat. Most recently in February, Senator Ron Wyden wrote a letter to President Biden, calling on the administration to address the threat posed by unsecure implementations of SS7 and Diameter. This included urging it to set minimum cybersecurity standards for the nation’s carriers. The following month, the Federal Communications Commission (FCC) posted a public notice seeking input from experts on the exploitation of SS7 and Diameter protocols to track consumers’ physical location. At the time of writing, the notice has eight responses, including Briggs’.

Those also include responses from the three major telecoms in the U.S.—AT&T, Verizon, and T-Mobile—and CTIA, the main lobbying arm of the telecommunications industry. In its response, CTIA says that the three telecoms, as well as a fourth called UScellular, “have not detected such incidents on their networks with SS7 and Diameter since 2018,” referring specifically to tracking the location of people inside the U.S. The CTIA also says that providers have taken strides to adopt an earlier set of security recommendations. “As a result of these continued efforts, U.S. providers report that they have not seen the types of SS7 attacks that are still occurring in other regions,” the CTIA said. That stands at odds with the response from Briggs, which claims recent attacks inside the U.S. 

Do you know anything else about SS7? Do you know about unreported attacks? I would love to hear from you. Using a non-work device, you can message me securely on Signal at +44 20 8133 5190. Otherwise, send me an email at joseph@404media.co.

Briggs’ comments also contrast with CISA’s official position. In a June 2023 letter to Senator Ron Wyden, which his office shared with 404 Media, Stephanie Doherty, director of legislative affairs at CISA, wrote that “CISA remains confident in the safety of FirstNet.” FirstNet is the U.S.’s first responder communications network, built with AT&T. “While we share your concern about the risk of Signaling System 7 (SS7) being used to remotely track communications equipment, we have not reached any conclusions on its full impact or on reasonably available solutions,” the letter adds. CISA has not officially provided its own response to the FCC’s notice.

Briggs does not include any title or affiliation in his response. But 404 Media determined he has held positions at CISA. In a July 2019 event, called the Technology Innovation Exchanges (TIES): Securing Mobile Network Infrastructure, he was introduced as CISA’s Chief of Continuity Assessment and Resilience. A speaker said Briggs led teams that, among other things, worked to mitigate the threat of SS7. The event was organized by the DHS’s Science and Technology Directorate and CISA.

In response to a question about a Chinese espionage operation from the audience, Briggs said during his talk on 5G security that “The biggest subscriber-shipped [subscribership] network in the world isn't the Internet. The biggest one is the com networks, the SS7 networks, the Diameter.” 

“When you add up all the subscribers there, we've got them beat by billions, and we need to bring in the same cyber controls, end-to-end,” he said, before adding on the need to bring more of the security controls around the internet to telecoms. 

“If we don’t up our game there, we introduce huge vulnerability,” he concluded.


Senator Wyden told 404 Media in a statement that one of his staff members attended a government event which Briggs spoke at.

“On February 6, 2018, a DHS cybersecurity expert named Kevin Briggs gave a presentation to workshop of federal government employees, which one of my staff attended,” Wyden said. “The material contained in that presentation was marked For Official Use Only. After I pushed DHS to release the material from Mr. Briggs' presentation, and ultimately placed a brief hold on Chris Krebs to be the top cyber official at DHS, the agency revealed that it had detected phone spying equipment near the White House.” That revelation in mid-2018 started a flurry of media coverage about IMSI catchers, another type of surveillance technology.

After that, “DHS and CISA subsequently organized two briefings for my staff, featuring Mr. Briggs, on April 25, 2018 and February 9, 2022. In both briefings, Mr. Briggs provided my staff with important information about the security of U.S. telephone networks. Mr. Briggs is an extremely credible expert, and one of the top people in the U.S. government on this obscure, but important national security issue.”

When asked for comment on Briggs’ latest comments about SS7 attacks on U.S. networks, CISA told 404 Media that Briggs did not write his response in his official capacity. CISA confirmed his current title and said he is still at the agency.

A LinkedIn account with Briggs’ name did not respond to a request for comment.

AT&T and Verizon declined to comment and instead pointed 404 Media to CTIA. T-Mobile instead pointed to its own filed response, which made similar points to CTIA’s and says “To the best of T-Mobile’s knowledge, no such successful attempts to access T-Mobile’s network user location data have taken place.” UScellular did not respond to a request for comment. CTIA declined to comment beyond its filing.
