How insecure is America’s FirstNet emergency response system? No one’s sure

AT&T is “concealing vital cybersecurity reporting” about its FirstNet phone network for first responders and the US military, according to US Senator Ron Wyden (D-OR), who said the network had been dubbed unsafe by CISA.

In a letter [PDF] sent to the US government’s Cybersecurity and Infrastructure Security Agency (CISA) and NSA, the senator called for an annual cybersecurity audit of FirstNet, citing a nearly half-century old phone signalling protocol that miscreants and spies can exploit to track mobile devices and intercept their calls and texts. 

“These phone network vulnerabilities are being actively exploited to conduct cross-border surveillance,” Wyden wrote.

At issue is Signaling System No. 7 (SS7), a protocol developed in the mid 1970s and used by network operators to connect one network to another. It’s very vulnerable to misuse, and has been abused to determine a cellphone’s location, redirect and read its incoming text messages, snoop on calls, and more.

“These security flaws are also a national security issue, particularly if foreign governments can exploit these flaws to target US government personnel,” Senator Wyden said in his April 12 letter, adding he’s “particularly concerned about FirstNet.”

AT&T operates FirstNet under a $6.5 billion contract with the US government. It’s a nationwide network intended to allow police, firefighters, and paramedics to transmit data and communications across multiple regions and jurisdictions without worrying about the transmissions being lost to overcrowded networks, particularly during disasters.

This is all good in theory — until it’s compromised or abused by criminals and foreign governments.

Wyden says he met an expert at CISA on the matter in February 2022 who told him that America’s cybersecurity agency “had no confidence in the security of FirstNet, in large part because they have not seen the results of any cybersecurity audits conducted against this government-only network.” 

This, according to Wyden, is because AT&T is “unwilling” to share the results of independent cybersecurity audits of FirstNet with CISA, the NSA, other government agencies, or even Congress.

AT&T did not respond to The Register‘s specific inquiries about the FirstNet cybersecurity audits, though a FirstNet Authority spokesperson emailed us the following statement:

Wyden, however, has a different point of view.

“Concealing vital cybersecurity reporting is simply unacceptable,” Wyden wrote. “As the lead agencies responsible for the government’s cybersecurity, CISA and NSA need to have access to all relevant information regarding the cybersecurity of FirstNet, and Congress needs this information to conduct oversight.”

Further, if the government agencies and Congress can’t get access to the FirstNet audits commissioned by AT&T, then these public bodies should commission their own annual audits, Wyden added. “If you lack the resources or authority to conduct such audits, please indicate as much, so that Congress can take the necessary steps to address this gap.”

In closing, he also requests a copy of a report commissioned by CISA ominously titled “US telecommunications insecurity 2022.”  CISA has thus far refused Wyden’s “multiple requests” for a copy. For the record: we’d like a copy, too. It sounds like a great bedtime read.

When asked about Wyden’s letter, a CISA spokesperson told The Register: “CISA does not comment on congressional correspondence; we will respond to the Senator directly.”

The NSA did not respond to The Register‘s request for comment. At press time, Wyden’s office had not heard back from either agency. ®

READ MORE HERE