The following script is from “Hacking Your Phone” which aired on April 17, 2016, and was rebroadcast on Sept. 4, 2016. Sharyn Alfonsi is the correspondent. Howard L. Rosenberg and Julie Holstein, producers.
A lot of modern life is interconnected through the Internet of things -- a global empire of billions of devices and machines. Automobile navigation systems. Smart TVs. Thermostats. Telephone networks. Home security systems. Online banking. Almost everything you can imagine is linked to the world wide web. And the emperor of it all is the smartphone. As we first told you last April, you’ve probably been warned to be careful about what you say and do on your phone, but after you see what we found, you won’t need to be warned again.
We heard we could find some of the world’s best hackers in Germany. So we headed for Berlin. Just off a trendy street and through this alley we rang the bell at the door of a former factory. That’s where we met Karsten Nohl, a German hacker, with a doctorate in computer engineering from the University of Virginia.
We were invited for a rare look at the inner workings of security research labs. During the day, the lab advises Fortune 500 companies on computer security. But at night, this international team of hackers looks for flaws in the devices we use everyday: smartphones, USB sticks and SIM cards. They are trying to find vulnerabilities before the bad guys do, so they can warn the public about risks. At computer terminals and work benches equipped with micro lasers, they physically and digitally break into systems and devices.
Now, Nohl’s team is probing the security of mobile phone networks.
Sharyn Alfonsi: Is one phone more secure than another? Is an iPhone more secure than an Android?
Karsten Nohl: All phones are the same.
Sharyn Alfonsi: If you just have somebody’s phone number, what could you do?
Karsten Nohl: Track their whereabouts, know where they go for work, which other people they meet when-- You can spy on whom they call and what they say over the phone. And you can read their texts.
We wanted to see whether Nohl’s group could actually do what they claimed -- so we sent an off-the-shelf iPhone from 60 Minutes in New York to Representative Ted Lieu, a congressman from California. He has a computer science degree from Stanford and is a member of the House committee that oversees information technology. He agreed to use our phone to talk to his staff knowing they would be hacked and they were. All we gave Nohl, was the number of the 60 Minutes iPhone that we lent the congressman.
Sharyn Alfonsi: Hello congressman? It’s Sharyn Alfonsi from 60 Minutes.
As soon as I called Congressman Lieu on his phone, Nohl and his team were listening and recording both ends of our conversation.
Sharyn Alfonsi: I’m calling from Berlin.
Sharyn Alfonsi: I wonder if I might talk to you about this hacking story we’re working on.
Karsten Nohl: What hacking story?
They were able to do it by exploiting a security flaw they discovered in Signaling System Seven -- or SS7. It is a little-known, but vital global network that connects phone carriers.
Sharyn Alfonsi: Congressman thank you so much for helping us...
Every person with a cellphone needs SS7 to call or text each other. Though most of us have never heard of it.
Nohl says attacks on cellphones are growing as the number of mobile devices explodes. But SS7 is not the way most hackers break into your phone--
Those hacks are on display in Las Vegas.
John Hering: “Three-days of non-stop hacking.”
That’s where John Hering guided us through an unconventional convention where 20,000 hackers get together every year to share secrets and test their skills.
John Hering: It’s proving what’s possible. Any system can be broken it’s just knowing how to break it.
Hering is a hacker himself, he’s the 30-something whiz who cofounded the mobile security company “Lookout” when he was 23. Lookout has developed a free app that scans your mobile phone for malware and alerts the user to an attack.
Sharyn Alfonsi: How likely is it that somebody’s phone has been hacked?
John Hering: In today’s world there’s really only-- two types of companies or two types of people which are those who have been hacked and realize it and those who have been hacked and haven’t.
Sharyn Alfonsi: How much do you think people have been kind of ignoring the security of their cellphones, thinking, “I’ve got a passcode, I must be fine?”
“Any system can be broken it’s just knowing how to break it.”
John Hering: I think that most people have not really thought about their phones as computers. And that that’s really starting to shift.
Sharyn Alfonsi: And that’s what you think-- it’s like having a laptop now?
John Hering: Oh absolutely. I mean, your mobile phone is effectively a supercomputer in your pocket. There’s more technology in your mobile phone than was in, you know, the space craft that took man to the moon. I mean, it’s-- it’s really unbelievable.
Sharyn Alfonsi: Is everything hackable?
John Hering: Yes.
Sharyn Alfonsi: Everything?
John Hering: Yes.
Sharyn Alfonsi: If somebody tells you, “You can’t do it.”
John Hering: I don’t believe it.
John Hering offered to prove it -- so he gathered a group of ace hackers at our Las Vegas hotel. Each of them a specialist in cracking mobile devices and figuring out how to protect them.
Adam Laurie: Would you put your money in a bank that didn’t test their locks on their safes? We need to try and break it to make sure the bad guys can’t.
Sharyn Alfonsi: How easy is it to break the phone right now?
Jon Oberheide: Very easy.
Adam Laurie: As you’ve seen, pretty trivial.
Sharyn Alfonsi: Do I need to connect to it? OK.
It started when we logged onto the hotel Wi-Fi -- at least it looked like the hotel Wi-Fi. Hering had created a ghost version--it’s called spoofing.
Sharyn Alfonsi: I mean, this looks legitimate.
John Hering: It looks very legitimate. So you’re connected?
Sharyn Alfonsi: I am.
John Hering: And I have your email.
Sharyn Alfonsi: You have access to my email right now--
John Hering: Yeah. It’s coming through right now. I actually can s-- I know have a ride-sharing application up here, all the information that’s being transmitted, including your account ID, your mobile phone, which I just got the mobile number. Then, more importantly, I have all the credit cards associated with-- with that account.
Jon Oberheide pointed out the greatest weakness in mobile security is human nature.
Jon Oberheide: With social engineering, you can’t really fix the human element. Humans are gullible. They install malicious applications. They give up their passwords every day. And it’s really hard to fix that human element.
John Hering warned us he could spy on anyone through their own phone as long as the phone’s camera had a clear view. We propped up a phone on my desk and set up cameras to record a demonstration. First he sent me a text message with an attachment to download.
John Hering: “We’re in business.”
Then Hering called from San Francisco and proved it worked.
John Hering: I installed some malware in your device that’s broadcasting video of your phone.
Sharyn Alfonsi: My phone’s not even lit up.
John Hering: I understand, yeah.
Sharyn Alfonsi: That’s so creepy.
Katie: It’s pitch black for us.
In this case, when I downloaded the attachment, Hering was able to take control of my phone. But Congressman Lieu didn’t have to do anything to get attacked.
All Karsten Nohl’s team in Berlin needed to get into the congressman’s phone was the number. Remember SS7 --that little-known global phone network we told you about earlier?
Karsten Nohl: I’ve been tracking the congressman.
There’s a flaw in it that allowed Nohl to intercept and record the congressman’s calls and track his movements in Washington and back home.
Karsten Nohl: The congressman has been in California, more specifically the L.A. area, zoom in here a little bit, Torrance.
The SS7 network is the heart of the worldwide mobile phone system. Phone companies use SS7 to exchange billing information. Billions of calls and text messages travel through its arteries daily. It is also the network that allows phones to roam.
Sharyn Alfonsi: Are you able to track his movements even if he moves the location services and turns that off?
Karsten Nohl: Yes. The mobile network independent from the little GPS chip in your phone, knows where you are. So any choices that a congressman could’ve made, choosing a phone, choosing a pin number, installing or not installing certain apps, have no influence over what we are showing because this is targeting the mobile network. That of course, is not controlled by any one customer.
Sharyn Alfonsi: ...despite him making good choices. You’re still able to get to his phone.
Karsten Nohl: Exactly.
Karsten Nohl and his team were legally granted access to SS7 by several international cellphone carriers. In exchange, the carriers wanted Nohl to test the network’s vulnerability to attack. That’s because criminals have proven they can get into SS7.
Karsten Nohl: Mobile networks are the only place in which this problem can be solved. There is no global policing of SS7. Each mobile network has to move-- to protect their customers on their networks. And that is hard.
Nohl and others told us some U.S. carriers are easier to access through SS7 than others. 60 Minutes contacted the cellular phone trade association to ask about attacks on the SS7 network. They acknowledged there have been reports of security breaches abroad, but assured us that all U.S. cellphone networks were secure.
Congressman Lieu was on a U.S. network using the phone we lent him when he was part of our hacking demonstration from Berlin.
Sharyn Alfonsi: I just want to play for you something we were able to capture off of your phone.
Mark on recording: Hi Ted, it’s Mark, how are you?
Rep. Ted Lieu on recording: I’m good.
Mark on recording: I sent you some revisions on the letter to the N.S.A., regarding the data collection.
Rep. Ted Lieu: Wow.
Sharyn Alfonsi: What is your reaction to knowing that they were listening to all of your calls?
Rep. Ted Lieu: I have two. First, it’s really creepy. And second, it makes me angry.
Sharyn Alfonsi: Makes you angry, why?
Rep. Ted Lieu: They could hear any call of pretty much anyone who has a smartphone. It could be stock trades you want someone to execute. It could be calls with a bank.
Karsten Nohl’s team automatically logged the number of every phone that called Congressman Lieu -- which means there’s a lot more damage that could be done than just intercepting that one phone call. A malicious hacker would be able to target and attack every one of the other phones too.
Sharyn Alfonsi : So give us an idea, without being too specific, of the types of people that would be in a congressman’s phone.
Rep. Ted Lieu: There are other members of Congress-- other elected officials. Last year, the president of the United States called me on my cellphone. And we discussed some issues. So if the hackers were listening in, they would know that phone conversation. And that’s immensely troubling.
Nohl told us the SS7 flaw is a significant risk mostly to political leaders and business executives whose private communications could be of high value to hackers. The ability to intercept cellphone calls through the SS7 network is an open secret among the world’s intelligence agencies -- -including ours -- and they don’t necessarily want that hole plugged.
“We live in a world where we cannot trust the technology that we use.”
Sharyn Alfonsi: If you end up hearing from the intelligence agencies that this flaw is extremely valuable to them and to the information that they’re able to get from it, what would you say to that?
Rep. Ted Lieu: That the people who knew about this flaw and saying that should be fired.
Sharyn Alfonsi: Should be fired?
Rep. Ted Lieu: Absolutely.
Sharyn Alfonsi: Why?
Rep. Ted Lieu: You cannot have 300-some million Americans-- and really, right, the global citizenry be at risk of having their phone conversations intercepted with a known flaw, simply because some intelligence agencies might get some data. That is not acceptable.
John Hering: I’d say, the average person is not going to be exposed to the type of attacks we showed you today. But our goal was to show what’s possible. So people can really understand if we don’t address security issues, what the state of the world will be.
Sharyn Alfonsi: Which will be what?
John Hering: We live in a world where we cannot trust the technology that we use.
Since our report first aired in April, security researchers in Germany said they’ve watched SS7 access for sale by criminals grow dramatically. And a week ago, the mobile security experts at Lookout revealed a flaw in iPhone software that allowed hackers to take over the devices with just one wrong click. Apple quickly issued a worldwide fix.