(Bloomberg) -- Foreign governments are abusing security flaws in mobile phone networks to secretly track Americans in the US and journalists and dissidents abroad, Senator Ron Wyden has warned.

In a letter sent to President Joe Biden on Thursday, reviewed by Bloomberg News, Wyden is urging the White House to counter the threat by supporting a major overhaul of cybersecurity standards for US-based wireless carriers. 

“Surveillance companies and their authoritarian foreign government customers have exploited lax security in US and foreign phone networks for at least a decade to track phones anywhere in the world,” Wyden wrote, adding that the practice is “threatening US national security, freedom of the press and international human rights.”

At the center of the senator’s concern is an obscure telecom protocol called SS7, or Signaling System 7, a sort of switchboard for the global telecommunications industry that is used to route communications between phone networks. SS7 contains known security vulnerabilities that governments and private surveillance companies have exploited in the past to intercept phone calls and text messages, and track people’s locations. 

The surveillance method doesn’t require hacking into individual phones to install spyware on the device and steal data. Instead, it can be used to trick the phone network itself into handing over communications or location information from a particular phone. Multiple companies are now providing foreign governments with these “phone company hacking services,” according to Wyden, a Democrat from Oregon. 

A representative for CTIA, a trade association that represents the US wireless communications industry, wasn’t immediately available for comment. Industry bodies have previously recognized the issue. The GSMA, an industry group that works with carriers internationally, has acknowledged there are “known vulnerabilities” associated with SS7 and last year published a code of conduct intended to help prevent abuses of the protocol.

The Department of Homeland Security warned in a 2017 report that SS7 vulnerabilities could be exploited by “countries or organizations that support terrorism or espionage.” Meanwhile, the FCC, National Security Agency, and Cybersecurity and Infrastructure Security Agency, known as CISA, have also acknowledged the serious threat of SS7 surveillance, according to Wyden.

Wyden accuses CISA of “actively hiding information” about the problem, citing an independent report that he says the agency commissioned in 2022 but has refused to publicly release. A spokesperson for CISA said in an emailed statement that the agency doesn’t comment on congressional correspondence and would instead respond directly to the senator.

In 2021, Bloomberg News reported on a Switzerland-based company named Mitto AG whose co-founder was allegedly secretly providing surveillance services that exploited SS7 vulnerabilities. The company denied operating a surveillance business and said it would carry out an investigation “to determine if our technology and business has been compromised.” Several of Mitto’s clients, including Twitter Inc., later cut ties with the firm.

Read More: Swiss Firm Executive Said to Run Secret Surveillance Operation

According to Wyden, the Swiss government is now leading a push to internationally regulate the sale of SS7 surveillance services under the Wassenaar Arrangement, a multicountry forum for collaboration on export controls.

Wyden is calling on President Biden to direct the national cyber director to coordinate action among agencies and provide Congress with updates at least twice a year until the threat is “meaningfully addressed.” He sets out a series of recommendations to counter the surveillance vulnerabilities, calling on the Office of Management and Budget, in consultation with CISA and NSA, to establish minimum cybersecurity standards for wireless services purchased by federal agencies.

He also recommends that the government sanction surveillance technology companies allegedly providing SS7-related services, including the Israeli firms Cognyte and the Rayzone Group, Bulgaria’s Circles and Panama-based Defentek. Representatives for each of the companies didn’t respond to requests for comment.

“There is a simple reason for the wireless industry’s failure to protect subscribers, including federal agencies: The US government has failed to set minimum cybersecurity standards,” Wyden says in the letter. “Effectively addressing this threat will require a whole-of-government effort, and diplomatic partnership with our allies.”

Wyden has long advocated for curbs on the use of intrusive surveillance technology. The senator, a member of the Senate’s Intelligence Committee, has previously criticized the NSA’s large-scale surveillance programs and brought scrutiny to the practice of government agencies purchasing Americans’ personal data from private companies.

©2024 Bloomberg L.P.