WASHINGTON — German researchers have discovered security flaws that could let hackers, spies, and criminals listen to private phone calls and intercept text messages on a potentially massive scale — even when cellular networks are using the most advanced encryption available.
The flaws, to be reported at a hacker conference in Hamburg this month, are the latest evidence of widespread insecurity on SS7, the global network that allows the world’s cellular carriers to route calls, texts, and other data to one another. Experts say it’s increasingly clear that SS7, designed in the 1980s, is riddled with serious vulnerabilities.
The flaws discovered by the Germans are actually functions built into SS7 for other purposes, such as keeping calls connected as users speed down highways, switching from cell tower to cell tower. Hackers can repurpose them because of the lax security on the network.
Those skilled at using the myriad functions built into SS7 can locate callers anywhere in the world, listen to calls as they happen, or record hundreds of encrypted calls and texts at a time for later decryption. There also is potential to defraud users and cellular carriers by using SS7 functions, the researchers say.
These vulnerabilities continue to exist even as cellular carriers invest billions to upgrade to 3G technology aimed, in part, at securing communications. But even as individual carriers harden their systems, they must communicate with each other over SS7.
“It’s like you secure the front door of the house, but the back door is wide open,” said Tobias Engel, one of the German researchers.
Engel, founder of Sternraute, and Karsten Nohl, chief scientist for Security Research Labs, separately found these security weaknesses as they studied SS7 networks, after The Washington Post reported the widespread marketing of surveillance systems that use SS7 networks to locate callers anywhere in the world. The Post reported that dozens of nations had bought such systems to track surveillance targets and that skilled hackers or criminals could do the same.
The researchers did not find evidence that their latest discoveries have been marketed to governments on a widespread basis. But vulnerabilities publicly reported by security researchers often turn out to be tools long used by intelligence services but not revealed to the public.
“Many of the big intelligence agencies probably have teams that do nothing but SS7 research and exploitation,” said Christopher Soghoian, principal technologist for the ACLU.
GSMA, a cellular industry group based in London, did not respond to queries seeking comment. For the Post’s article in August on location tracking systems that use SS7, GSMA officials acknowledged problems with the network and said it was due to be replaced over the next decade because of a growing list of security and technical issues.