How '60 Minutes' played 'Telephone' with public-hacking hysteria

Rehashing a misleading segment led to panic, even on Capitol Hill.

Shutterstock / Hugo Felix

On Sunday, 60 Minutes took a year-old segment on phone hacking it shot and aired in Australia, fluffed it up with other old hacks from last year's Def Con and repackaged it for an American audience.

Almost no one noticed those particular details.

But just about everyone panicked. "Hacking Your Phone" set off a scare that raged through headlines and social media all week. As the miasmic cherries on top, the episode also freaked out California Rep. Ted Lieu (D), who has called for a congressional investigation, and the FCC is now involved.

The 13-minute segment based its hysteria on a hole in phone-routing protocol SS7 (Signaling System 7), a flaw which, incidentally, isn't easy to exploit. But perhaps thinking the combination of hacker boogeymen and SS7's potential wouldn't make for dramatic TV, the show blurred in a handful of different -- and extremely unrelated -- ways that smartphones can be hacked.

Demonstrations included listening to calls, intercepting email and spying on users with a smartphone's built-in camera. In one short scene, reporter Sharyn Alfonsi got a demo from the Australian maker of a security product called CryptoPhone, with the 60 Minutes segment telling viewers, "you may need a 'CryptoPhone' if you want to avoid hacking."

The SS7 network hacking bit had Alfonsi and 60 Minutes traveling to Germany to seek out "the best hackers in the world" for an SS7 hacking demo in a subterranean concrete bunker. For this, CBS provided US Rep. Ted Lieu (D–Calif.) with an iPhone and the researchers were filmed recording his conversations (with permission). The show cautioned viewers that they could be hacked and tracked from anywhere, concluding with a sinister warning that we now live in a world where technology can't be trusted.

Well, no shit, Sherlock.

The first version of this segment aired in August 2015 on 60 Minutes Australia and had the same baseline message: "You can be bugged, tracked and hacked from anywhere in the world." The segment opens tragicomically cut with melodramatic phone-tracking scenes from the James Bond film Skyfall, as Australian 60 Minutes reporter Ross Coulthart traveled to -- you guessed it -- Berlin.

Coulthart descends into the same underground offices we saw in the episode's American remake, this time identifying security researcher Luca Melette (whom Sharyn Alfonsi neglected to identify). Melette then demonstrated the use of SS7 to intercept a call between Mr. Coulthart and Australian Senator Nick Xenophon, who was as predictably shocked and outraged as his American counterpart. The Australian reporter went to Las Vegas as well, where he inexplicably interviewed the maker of a security product you might've just heard about called CryptoPhone.

Throughout the episode, 60 Minutes Australia repeated its claim that this demo of tracking and call interception using SS7 "has never been shown before."

If you've already guessed that this particular plop of kangaroo fudge isn't true, I'd like to recommend you for the obviously unfilled fact-checking position at 60 Minutes.

The first public disclosure of research into tracking and surveilling smartphone users via SS7 was in a Black Hat 2007 talk by Philippe Langlois. But the real in-your-face presentation was in Tobias Engel's 2008 presentation at German hacking conference CCC (25c3), called "Locating Mobile Phones using SS7." Since then, talks on tracking people through these exact kinds of telecommunication network attacks have appeared steadily at security and hacking conferences, peaking with The Carmen Sandiego Project by Don Bailey and Nick DePetrillo at Black Hat in 2010.

And 60 Minutes put Herculean effort into convincing viewers that at any moment they could unknowingly become victims to some dude in a dark basement tracking their location and listening to their calls, thanks to his unfettered access to SS7.

While a hole in phone-routing protocol is a serious problem, it's an avenue of attack that's in the realm of nation-states and espionage. It requires access to backbone phone networks. It's the kind of hacking that is costly in many ways, and so is used only to go after specific high-profile or information-rich targets, by entities with resources and privileges. In the case of 60 Minutes Australia, Luca Melette was given access to SS7 by the German government -- which renders the fear-mongering and warnings of both segments moot.

I don't know if it's because 60 Minutes is low on balls or brains -- or both -- but the show utterly failed to tell viewers about actually scary ways SS7 is probably being abused to violate our privacy. Like in state-sponsored data-collection dragnets, in which authorities take advantage of the flaw to gather info "just in case." Or companies, like Facebook, that have a dead-serious financial motivation to track and surveil us and are well known for doing things that aren't technically illegal until they are caught.

But the American 60 Minutes didn't stop at SS7 with its reductive game of hacker-terror Telephone.

For reasons that are anyone's guess, CBS's reporter had Lookout Security founder John Hering assemble what Alfonsi called "the all-stars, the super hackers, to be part of our demonstration." In the 60 Minutes Overtime supplemental to the segment, Alfonsi remarked in surprise that "they just look like a bunch of regular guys." Apparently no one wore their balaclavas and sunglasses to the all-star roundtable. With a completely straight face, Alfonsi hit Hering and the group with nail-biting questions such as, "Is everything hackable?"

Lookout's main man then walked Alfonsi step-by-step into connecting her iPhone to his own spoofed network, while they both pretended she had connected to some rando's creepy malicious network all on her own. Then he read through Alfonsi's (apparently unencrypted) CBS News email.

Hering's next proof of his superhacker power was to show Alfonsi that he could spy on her using the front facing camera on her phone. At the beginning of this contrived little drama, Alfonsi is using an iPhone. You know how everyone and everything these days is telling you not to click links, download files or install applications you don't expect to receive? Well, he told her to do exactly that -- click, download, install his app -- with a text message he sent her. To do this in real life, she's receive warnings, and she'd have to disable the security features on her iPhone. But in the next shot, suddenly our reporter is being spied on by Hering though an Android phone propped up on her desk.

Don't get me wrong: SS7 surveillance, network spoofing, phishing and spurious product placement are all very real issues that consumers need to be on top of. But 60 Minutes got it all backward in the name of drama. The show may as well have told people to soak their phones in bleach before burning them after their next sext for all the uselessness and flat-out fakety-fake hysteria in "Hacking Your Phone."

There are a million great, truly chilling and unbelievably urgent hacking stories to be told. Ones that desperately need to be addressed by the FCC and congressional investigations. Stories that can be all those things only when they're told accurately.

But after this, I don't believe we'll see any of them on 60 Minutes.