Intelligence agency withheld information from statement about MP's phone hack

Five months after a Radio-Canada/CBC investigation revealed that the country's major mobile networks are vulnerable to hacking and fraud, documents obtained through Access to Information show that the agency responsible for the security of the federal government's networks withheld some information from the public at the time.

Using only the cellphone number of MP Matthew Dubé — and with the New Democrat's consent as part of the Radio-Canada/CBC investigation​ — cybersecurity experts in Germany proved they were able to intercept his communications and track his movements.

The experts exploited a weakness in a global telecommunications network known as Signalling System No. 7 (SS7). Dubé's cellphone was connected to the Rogers network, but telephones connected to Bell Canada's network were also successfully hacked by the experts based in Berlin.

The Communications Security Establishment (CSE), Canada's electronic communications spying agency, responded to Radio-Canada/CBC's questions for the government. The CSE told CBC/Radio Canada that, among other things, the security issues with SS7 had been known for many years and that it had been actively working with Canada's telecommunications industry on ways to reduce the risks associated with SS7.

The CSE later published a similar declaration on its website.

But the intelligence agency originally planned to say more. Documents obtained under Access to Information legislation reveal that the CSE's initial response was modified at the last minute following discussions between the agency and the Ministry of Innovation, Science and Economic Development.

In its first — and unpublished — statement, the CSE revealed the existence of a working group looking into SS7's flaws that the agency had co-led with the telecommunications industry within the last year.

The statement also went into greater detail about measures mobile phone vendors could take to protect their networks and the privacy of their subscribers.

"Some SS7 mitigation measures may be easier for industry to implement, while others could require significant investment and effort," the federal agency wrote in its initial draft.

Those elements were missing from the agency's official response.

After these documents were brought to CSE's attention, the agency confirmed that a working group related to SS7 meets on a regular basis to "discuss various updates, challenges and concerns our telecoms partners may have."

The agency would not comment further.

"As a result of the working group agreement, CSE is prohibited from discussing further details of meetings and we are not authorized to disclose the participation of individual, private telecom partners," the agency wrote in an email.

The Access to Information documents also show that in November, when Radio-Canada/CBC requested a response to the hacking of Dubé's cellphone, the government wasn't sure which ministry was responsible for the file — Public Safety, Innovation or Shared Services. After two days of hesitating, the CSE was tasked with drafting a response.

The documents ultimately were obtained from Public Safety. A similar Access to Information request made to CSE remains unanswered after four months; by law, such requests are to be answered within 30 days in most cases.