Re-Hashing A Misleading Segment Led To Panic, Even On Capitol Hill.

On Sunday, 60 Minutes took a year-old segment on phone hacking it shot and aired in Australia, fluffed it up with other old hacks from last year's DEFCON, and re-packaged it for an American audience.

Almost no one noticed those particular details.

But just about everyone panicked. "Hacking Your Phone" set off a scare that raged through headlines and social media posts all week. As the miasmic cherries on top, the episode also freaked out congressman Ted Lieu, who has called for a Congressional investigation, and the FCC is now involved.

The 13-minute segment based its hysteria on a hole in phone routing protocol SS7 (Signaling System 7) a flaw which, incidentally, isn't easy to exploit. But perhaps thinking the combination of hacker boogeymen and SS7's potential wouldn't make for dramatic TV, the show blurred in a handful of different -- and extremely unrelated -- ways that smartphones can be hacked.

Demonstrations included listening to calls, intercepting email, and spying on users with a smartphone's built-in camera. In one short scene reporter Sharyn Alfonsi got a demo from Australian maker of security product CryptoPhone, with the 60 Minutes segment telling viewers, "you may need a "CryptoPhone" if you want to avoid hacking."

The SS7 network hacking bit had Alfonsi and 60 Minutes traveling to Germany to seek out "the best hackers in the world" for an SS7 hacking demo in a subterranean concrete bunker. For this, CBS provided US Rep. Ted Lieu (D–CA) with an iPhone and the researchers were filmed recording his conversations (with permission). The show cautioned viewers that they could be hacked and tracked from anywhere, concluding with a sinister warning that we now live in a world where technology can't be trusted.

Well no shit, Sherlock.

The first version of this segment aired in August 2015 on 60 Minutes Australia and had the same baseline message: "you can be bugged, tracked and hacked from anywhere in the world." The segment opens tragicomically cut with melodramatic phone tracking scenes from James Bond film Skyfall, as Australian 60 Minutes reporter Ross Coulthart traveled to, you guessed it, Berlin.

Coulthart descends into the same underground offices we saw in this episode's American remake, this time identifying security researcher Luca Melette (whom Sharyn Alfonsi neglected to identify). Melette then demonstrated use of SS7 to intercept a call between Mr. Coulthart and Australian Senator Nick Xenophon, who was as predictably shocked and outraged as his American counterpart. The Australian reporter went to Las Vegas as well, where he inexplicably interviewed the maker of a security product you might've just heard about called CryptoPhone.

Throughout the episode, 60 Minutes Australia repeated its claim that this demo of tracking and call interception using SS7 "has never been shown before."

If you've already guessed that this particular plop of kangaroo fudge isn't true, I'd like to recommend you for the obviously unfilled fact-checking position at 60 Minutes.

The first public disclosure of research into tracking and surveilling smartphone users via SS7 was in a Black Hat 2007 talk by Philippe Langlois. But the real in-your-face presentation was in Tobias Engel's 2008 presentation at German hacking conference CCC (25c3), called "Locating Mobile Phones using SS7." Since then, talks on tracking people through these exact kinds of telecommunication network attacks appeared steadily at security and hacking conferences, peaking with The Carmen Sandiego Project by Don Bailey and Nick DePetrillo at Black Hat in 2010.

60 Minutes put Herculean effort into convincing viewers that at any moment they could unknowingly become victims to some dude in a dark basement tracking their location and listening to their calls, thanks to his unfettered access to SS7.

And while a hole in phone routing protocol is a serious problem, it's an avenue of attack that's in the realm of nation-states and espionage. It requires access to backbone phone networks. It's the kind of hacking that is costly in many ways, and so is only used to go after specific high-profile or information-rich targets, by entities with resources and privileges. In the case of 60 Minutes Australia, Luca Melette was given access to SS7 by the German government -- which renders the fear-mongering and warnings of both segments moot.

I don't know if it's because 60 Minutes is low on either balls or brains, or both, but the show utterly failed to tell viewers about actually scary ways SS7 is probably being abused to violate our privacy. Like in state-sponsored data collection dragnets, where authorities take advantage of the flaw to gather info, "just in case." Or companies that have dead-serious financial motivation to track and surveil us, like Facebook, who are well known for doing things that aren't technically illegal until they are caught.

But the American 60 Minutes didn't stop at SS7 with its reductive game of hacker-terror "Telephone."

For reasons that are anyone's guess, CBS's reporter had Lookout Security founder John Hering assemble what Alfonsi called "the all-stars, the super hackers, to be part of our demonstration." In the 60 Minutes Overtime supplemental to the segment, Alfonsi remarked in surprise that "they just look like a bunch of regular guys." Apparently no one wore their balaclavas and sunglasses to the all-star roundtable. With a completely straight face, Ms. Alfonsi hit Hering and the group with nail-biting questions like "is everything hackable?"

Lookout's main man then walked Alfonsi step-by-step into connecting her iPhone to his own spoofed network, while they both pretended she had connected to some rando's creepy malicious network all on her own. Then he read through Alfonsi's (apparently unencrypted) CBS News email.

Hering's next proof of his super-hacker power was to show Alfonsi that he could spy on her using the front facing camera on her phone. At the beginning of this little contrived drama, Alfonsi is using an iPhone. You know how everyone and everything these days is telling you not to click links, download files, or install applications you don't expect to receive? Well, he told her to do exactly that -- click, download, install his app -- with a text message he sent her. To do this in real life, she'd need to disable the security features on her iPhone, and would receive warnings. But in the next shot, suddenly our reporter is being spied on by Hering though an Android phone propped up on her desk.

Don't get me wrong: SS7 surveillance, network spoofing, phishing, and spurious product placement are all very real issues that consumers need to be on top of. But 60 Minutes got it all backwards in the name of drama. They might as well have told people to soak their phones in bleach before burning them after their next sext for all the uselessness and flat-out fakety-fake hysteria in "Hacking Your Phone."

There are a million great, truly chilling, and unbelievably urgent hacking stories to be told. Ones that desperately need to be addressed by the FCC and congressional investigations. Stories that can only be all those things when they're being told accurately.

But after this, I don't believe we'll see any of them on 60 Minutes.

Source:
courtesy of ENGADGET

by Violet Blue

If you have any stories or news that you would like to share with the global online community, please feel free to share it with us by contacting us directly at [email protected]