The Tribune

By YOURI KEMP

Tribune Business Reporter

ykemp@tribunemedia.net

Bahamas-based cyber security experts yesterday argued that the Bahamas Telecommunications Company's (BTC) outdated network equipment left it vulnerable to penetration by malign actors.

Scott MacKenzie, Cloud Carib's managing director, told Tribune Business that it was easy to access BTC’s systems because the carrier, and possibly its immediate parent, Cable and Wireless Communications (CWC), were using legacy networks and equipment that are at least 20 years out-of-date.

Speaking following allegations that Chinese state-owned entities had used BTC's network to spy on US citizens, Mr MacKenzie said: “The issue relating to the SS7 network that China allegedly hacked into is that SS7 is a very, very old protocol that was primarily used in PSTN (Public switched telephone network).

"So moving away from legacy network operator protocols would be important.” He said major telecommunications companies such as AT&T had begun to do this back in 1999-2000, and added: “Those large telecommunications companies started to move away from SS7, more towards SIP (Session Initiation Protocol) based protocols for their telecommunications operator.”

Describing SS7 as an “ancient protocol” for telecommunications providers, Mr McKenzie said it was vulnerable to hacking and other attacks from “bad actors” unless BTC and CWC were constantly upgrading their networks.

BTC, which is 49 percent owned by the Government, earlier this week told Tribune Business in a statement it was "carefully reviewing" claims - first published in the Guardian newspaper in the UK - that state-owned Chinese communications providers had used its systems to conduct surveillance on Americans roaming on their mobile phones in The Bahamas.

Other CWC subsidiaries in the Caribbean, especially Barbados, were also identified as major sources of these alleged breaches which - if true - have huge national security and economic implications for The Bahamas, as well as its ability to safeguard the personal data and civil liberties of both its own citizens and US visitors that make up 85 percent of its tourism market.

The assertion that major security vulnerabilities exist in the Bahamian telecommunications system was based on a report by Gary Miller, a US former mobile network security executive, who was said by the UK Guardian to have "spent years analysing mobile threat intelligence reports, and observations of signalling traffic between foreign and US mobile operators".

Miller and his business, Exigent Media, a cyber threat research firm, have published two reports that detail how BTC's mobile phone system was purportedly used in a "co-ordinated attack" on US cellular phone numbers by Chinese state-owned mobile providers.

The first report, Far from home - active foreign surveillance of US mobile users, argued that international roaming - the practice whereby Bahamians use a foreign carrier's network for communications services overseas, just as Americans use BTC and Aliv's systems when they are in this nation - has enabled "covert foreign surveillance" of mobile users.

It explained that hostile actors can exploit this to send signalling messages to Americans' mobile phones while they are in The Bahamas and other countries without alerting the user. While these SS7 signals can legitimately be used by operators to locate mobile users, connect calls and assess roaming fees, Mr Miller's report argued that they can also be deployed for illicit purposes.

He added that most such intrusions were intended to trace the mobile user's location, but they could also extend to monitoring and covert surveillance once the phone's "network identity" and number are obtained. Such information can be exploited to "purge" a user from their mobile network, and ultimately take over all communications they send and receive.

Mr McKenzie, meanwhile, said SIP allows for more encryption protocols for mobile networks, which makes technology of 20 years ago appear like using telegrams compared to fax machines and keypad telephones.

He added: “But, at the end of the day, it's not just BTC. It's just not those named operators. There are still a lot of legacy telecoms that are using SS7. It's just that companies have to move away from it over time, and there's different ways of protecting it and securing it as well.”

Suggesting that securing the old SS7 technology is “not as simple as flicking a switch”, Mr McKenzie said: “There's architectural planning, and they have to change all of the equipment out and it's not a simple thing.”

Philip Darville, SolveIT Bahamas' managing director, said there is “no such thing as an impenetrable network". He encouraged the Government to look closely at BTC, and said an investigation needs to take place into the Chinese spying allegations.

He added that he found it amusing, however, that the Americans were outraged over China allegedly spying on their citizens when several year ago their government was accused of doing the same thing in The Bahamas through a covert operation called “Operation Mystic".

That relates to claims made in 2014 by National Security Agency (NSA) whistleblower, Edward Snowden, that the US was intercepting almost every mobile call made in The Bahamas via a spying/surveillance initiative called SOMALGET.

BTC, as the then-monopoly provider, said it would investigate the allegations but asserted that "no such activity is ongoing". The then-Christie administration promised to take the matter up with US officials, but the outcome was seemingly inconclusive.