Most people assume their phone calls are private by default, protected by layers of modern encryption and corporate security. Derek Muller dismantles that assumption with a chilling demonstration: the entire global mobile network is built on a 40-year-old protocol that can be infiltrated for a few thousand dollars a month, allowing attackers to reroute calls, steal two-factor codes, and spy on anyone without ever touching their device.
The Ghost in the Machine
Muller begins not with a complex hack, but with a historical lesson that reframes the entire vulnerability. He traces the lineage of phone hacking back to the 1970s, when Steve Jobs and Steve Wozniak built "blue boxes" to exploit the analog signaling of the time. "We were young and what we learned was that we could build something ourselves that could control billions of dollars worth of infrastructure in the world," Muller writes, quoting the founders. This historical context is crucial; it establishes that the phone network was never designed with security as a primary constraint, but rather with cost and automation in mind.
The piece details how the transition from rotary dials to touch-tone phones introduced a fatal flaw: control signals were sent as audible tones within the voice band. "When you made a long-distance call it was first routed to a central node... this would trick the remote node into thinking the call had been disconnected," Muller explains. This allowed early hackers to hijack lines simply by whistling a specific frequency. While the industry eventually moved to a digital protocol called Signaling System 7 (SS7) to separate control signals from voice, Muller argues that the fundamental trust model remained broken.
The whole system is designed to be a closed network with few barriers once inside.
This framing is effective because it shifts the blame from individual user error to systemic architectural failure. The network operates on a "Walled Garden" approach, where telecom operators trust each other implicitly. As Muller notes, "Telcos generally accept messages only from Global titles with which they have agreements." The problem, he argues, is that the garden has become overrun. With over 1,200 operators and 4,500 networks today, the "closed" system is now a chaotic marketplace where trust is easily bought.
The Price of Access
The most disturbing revelation in the piece is the accessibility of the exploit. Muller doesn't describe a shadowy state actor with unlimited resources; he describes a commercial marketplace. "Buying a single SS7 connection isn't that expensive we're talking a few thousand per month," he writes. The barrier to entry is so low that the network is vulnerable to anyone with a credit card and a grudge.
Muller illustrates this by purchasing access to the network himself, paying for a valid Global Title to demonstrate how easily one can bypass firewalls. "The people who do sell access I mean why why would they do it people sell SS7 access for one reason money," he observes. This commercialization of surveillance infrastructure is a stark departure from the era of state-sponsored hacking. The vulnerability isn't just a bug; it's a business model.
Critics might note that major carriers have implemented firewalls to block suspicious traffic, and that this attack requires specific conditions to succeed. However, Muller counters this by showing that these defenses are inconsistent. "There are probably thousands of ways into SS7 at reasonable effort or cost," he argues, pointing out that virtual operators and smaller providers often lack the security rigor of their larger counterparts.
The Demonstration of Failure
To prove the point, Muller stages a live attack on a willing participant, Lonus. The result is a masterclass in how invisible the breach is. "I didn't get I mine didn't even ring we didn't touch his phone we didn't send him an email or a text nothing we did it all remotely," Muller recounts. The attacker, posing as a friend, calls Lonus, but the call is silently rerouted to Muller's computer. Lonus's phone remains silent, yet the attacker can speak to the caller and intercept the conversation.
The mechanism relies on tricking the network into believing the target's phone is roaming in a different country. "By tricking the network into thinking his phone is roaming we can rewrite the number he is calling to a number that we control," Muller explains. This allows the attacker to intercept calls even if the target is in their home country, effectively hijacking the identity of the SIM card without a SIM swap.
This is like freaking but on a completely different level.
The demonstration highlights a terrifying reality: two-factor authentication, which relies on SMS codes, is fundamentally compromised if the network itself can be hijacked. "We intercepted his phone calls and stole his two Factor passcodes," Muller notes, showing that the very tool meant to secure accounts can be the vector for their destruction.
Bottom Line
Derek Muller's piece succeeds by stripping away the technical mystique to reveal a mundane, profit-driven vulnerability that has persisted for decades. The strongest part of the argument is the demonstration that the "closed" global network is actually a porous, commercialized marketplace where trust is a commodity. The biggest vulnerability in the current system is the lack of a unified, modern protocol to replace SS7, leaving billions of users exposed to low-cost, high-impact surveillance. Until the industry moves beyond this legacy architecture, every phone call remains a potential public broadcast.