Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
Communications AT&T Government Security Verizon

Telecom Lobbyists Downplayed 'Theoretical' Security Flaws in Mobile Data Backbone (vice.com) 33

An anonymous reader shares a report: According to a confidential document obtained by Motherboard, wireless communications lobby group CTIA took issue with an in-depth report by the Department of Homeland Security on mobile device security, including flaws with the SS7 network. In a white paper sent to members of Congress and the Department of Homeland Security, CTIA, a telecom lobbying group that represents Verizon, AT&T, and other wireless carriers, argued that "Congress and the Administration should reject the [DHS] Report's call for greater regulation" while downplaying "theoretical" security vulnerabilities in a mobile data network that hackers may be able to use to monitor phones across the globe, according to the confidential document obtained by Motherboard. However, experts strongly disagree about the threat these vulnerabilities pose, saying the flaws should be taken seriously before criminals exploit them. SS7, a network and protocol often used to route messages when a user is roaming outside their provider's coverage, is exploited by criminals and surveillance companies to track targets, intercept phone calls or sweep up text messages. In some cases, criminals have used SS7 attacks to obtain bank account two-factor authentication tokens, and last year, California Rep. Ted Lieu said that, for hackers, "the applications for this vulnerability are seemingly limitless."
This discussion has been archived. No new comments can be posted.

Telecom Lobbyists Downplayed 'Theoretical' Security Flaws in Mobile Data Backbone

Comments Filter:
  • by Anonymous Coward

    So why spend a cent to fix the issue. The free market is the best! It fixes everything. I'll just go to the carrier who fixes it. Oh wait, this is collective bargaining. No one fixes it and there is no where to go.

    • Oh wait, this is collective bargaining.

      No, they aren't forming a labor union. The word you're looking for is collusion.

    • Oh wait, this is collective bargaining. No one fixes it and there is no where to go.

      This not collective bargaining at all. It appears you do not know what that means.

      The carriers need a standard to allow interoperability. ATT customers need to be able to call Sprint customers. The SS7 implementation is how they achieve that technical requirement.

      Any carrier who fails to interoperate with SS7 will die. Who is going to sign up for a new carrier if you can only call other people on that carrier?

      This is a market failure. It happens, and it's why we have regulations in the first place. I find m

  • ... gonna be cheap.

    • by hey! ( 33014 )

      It's not just cheap; it's about when the costs come due relative to your pay day.

      For lobbyists and CEOs, problems three years out might as well be three hundred years out.

  • One man's security flaw is another man's way to implement Stingray?

    Why the extreme secrecy about Stingray? A couple thoughts on that.

    The digital cell phone system was designed when we were using Windows 3.1. The system cannot withstand 21st century attacks. There must be some fundamental weakness in the way the network operates. This cannot be corrected without significant changes throughout the network base stations and mobile equipment. Thus it is expensive and time consuming to fix over a generati
  • by Anonymous Coward

    Then they won't mind accepting unlimited and uncapped liability?

  • According to a confidential document obtained by Motherboard
  • 'Theoretical' Security Flaws

    I think the NSA has a whole department for these.

  • by williamyf ( 227051 ) on Wednesday July 19, 2017 @05:27PM (#54842551)

    For the last fileSytemChecking time! SS7 IS NOT a "Mobile Data Backbone"

    SS7 is a SIGNALING protocol. Think of ICMP+OSPF+BGP... this is used for the "Switches" in the telecom network to coordinate among themselves, and NOT to carry data (unless you consider SMSs data). Very important, yes. I'd dare say critical. But, Mobile Data Backbone... NO!

    Call it something other than Mobile Data BackBone.

    • by Strider- ( 39683 ) on Wednesday July 19, 2017 @05:52PM (#54842669)

      The issue is with people who use SMS as part of their 2FA, among others.

      In the bank account thing, the attackers were able to breach the victim's computer to gain the initial credentials. They then used a compromise of the SS7 signalling to intercept the SMS message from the bank, obstensibly to the victim, to get the password to unlock the account. In effect, the Bank's 2FA wasn't proper, because they trusted the network to do the right thing, and didn't ensure that the password went to the account holder's device.

    • Think of ICMP+OSPF+BGP... this is used for the "Switches" in the telecom network to coordinate among themselves, and NOT to carry data (unless you consider SMSs data).

      So if I could insert bogus routes/costs into your BGP exchange and then capture the traffic, you wouldn't count that as a compromise? Even when a lot of that "traffic" is not in an encrypted channel? Please.

      Yes, SS7 itself is a protocol that contains little user data. But it is a control protocol that dictates where user data goes---which makes its weaknesses into pretty big problems. It can be used to eavesdrop and physically locate users, which are serious confidentiality violations.

A successful [software] tool is one that was used to do something undreamed of by its author. -- S. C. Johnson

Working...