Telecom Lobbyists Downplayed 'Theoretical' Security Flaws in Mobile Data Backbone (vice.com) 33
An anonymous reader shares a report: According to a confidential document obtained by Motherboard, wireless communications lobby group CTIA took issue with an in-depth report by the Department of Homeland Security on mobile device security, including flaws with the SS7 network. In a white paper sent to members of Congress and the Department of Homeland Security, CTIA, a telecom lobbying group that represents Verizon, AT&T, and other wireless carriers, argued that "Congress and the Administration should reject the [DHS] Report's call for greater regulation" while downplaying "theoretical" security vulnerabilities in a mobile data network that hackers may be able to use to monitor phones across the globe, according to the confidential document obtained by Motherboard. However, experts strongly disagree about the threat these vulnerabilities pose, saying the flaws should be taken seriously before criminals exploit them. SS7, a network and protocol often used to route messages when a user is roaming outside their provider's coverage, is exploited by criminals and surveillance companies to track targets, intercept phone calls or sweep up text messages. In some cases, criminals have used SS7 attacks to obtain bank account two-factor authentication tokens, and last year, California Rep. Ted Lieu said that, for hackers, "the applications for this vulnerability are seemingly limitless."
The risks are to their customers, not them (Score:2, Informative)
So why spend a cent to fix the issue. The free market is the best! It fixes everything. I'll just go to the carrier who fixes it. Oh wait, this is collective bargaining. No one fixes it and there is no where to go.
Re: (Score:2)
In theory, when a vendor's product or service is defective, consumers have a right to sue and recover damages. The problem still isn't the Free Market, it is the rule and regulations placed on it by Government that limits the natural options.
The problem is that you start off with "in theory", and then make conclusions in reality.
Re: (Score:3)
That's making a few (dangerous) assumptions:
1. That actors involved will always act rationally, or at least in their own self interest. History proves that to be false, because "Humans."
2. Customers can sue to recover damages. (ie. Mandatory 'arbitration' clauses removing your ability to sue; arbiters rarely side with customers.)
Also... just what rules and regulations are forcing the carriers to use SS7? Absolutely none. SS7 is an interoperable standard that's very convenient for the industry. The industry
Re: (Score:2)
I was gonna say something similar... you guys have a whole slew of agencies who should be all over this - DHS, NSA, CIA, your new cyber whatsit, and probably half a dozen others. That all that in mind, how does an industry body successfully lobby for less regulation to be placed upon it?
Re: (Score:2)
In theory, when a vendor's product or service is defective, consumers have a right to sue and recover damages.
You have to show harm to recover damages. Did your service stop as a result of SS7 weaknesses? Can you prove you were hacked? No? Too bad.
SS7 has serious security deficiencies, and no one wants to fix it---because it costs a lot of money to replace equipment and train staff on the new equipment.
Maybe the amount of hacking will justify that expense, but good luck getting enough victims together to put that level of financial pressure on the telecoms.
In some cases, it's simpler to cut through the layers of bu
Re: (Score:2)
Oh wait, this is collective bargaining.
No, they aren't forming a labor union. The word you're looking for is collusion.
Re: (Score:2)
Oh wait, this is collective bargaining. No one fixes it and there is no where to go.
This not collective bargaining at all. It appears you do not know what that means.
The carriers need a standard to allow interoperability. ATT customers need to be able to call Sprint customers. The SS7 implementation is how they achieve that technical requirement.
Any carrier who fails to interoperate with SS7 will die. Who is going to sign up for a new carrier if you can only call other people on that carrier?
This is a market failure. It happens, and it's why we have regulations in the first place. I find m
Cheap bastards... (Score:2)
... gonna be cheap.
Re: (Score:2)
It's not just cheap; it's about when the costs come due relative to your pay day.
For lobbyists and CEOs, problems three years out might as well be three hundred years out.
Re: (Score:2)
Stingray (Score:2)
Why the extreme secrecy about Stingray? A couple thoughts on that.
The digital cell phone system was designed when we were using Windows 3.1. The system cannot withstand 21st century attacks. There must be some fundamental weakness in the way the network operates. This cannot be corrected without significant changes throughout the network base stations and mobile equipment. Thus it is expensive and time consuming to fix over a generati
Re: Stingray (Score:1)
Fine (Score:1)
Then they won't mind accepting unlimited and uncapped liability?
Re: (Score:2)
The problem lies that almost everyone directly deals with SS7.
Every ISP that offers voice services have direct access to SS7 protocols for fully implementing advanced calling features, multi-ring, international routing, cross-network billing, etc. in order to work seamlessly with the traditional phone systems.
The attack vector would be to get into one of the smaller isps, and hijack their internal link to SS7, which is likely a much easier vector in.
Judging by the number of ISP breaches... that this is prob
Re: (Score:2)
Judging by the number of ISP breaches... that this is probably much more easily done.
Not only is it done "easily enough", but the consequences are pretty dire. So far, we're seeing folks getting their bank accounts drained.
That stuff lacks vision.
Imagine if somebody forwarded calls between ${a certain politician} and ${donor} to the staff at ${late night comedy show}.
Full Disclosure: I'm investing heavily in popcorn.
Re: (Score:2)
It has never had any relation to the real world.
Tell that to all the people who had their bank accounts drained using an SS7 exploit:
https://www.theregister.co.uk/... [theregister.co.uk]
Tell that to US congressman Ted Lieu who had his phone calls listened to using SS7:
https://www.theguardian.com/te... [theguardian.com]
I bet they believe you that the exploits don't exist in the real world...
The problem is the "internal" network is available to around 800 companies. If the ss7 network of one is hacked or an employee who has access to it is bribed, the entire network is compromised. SS7 is a
well, here's your Security Flaw (Score:2)
Nothing to see here; move along. (Score:2)
'Theoretical' Security Flaws
I think the NSA has a whole department for these.
SS7 is NOT a Mobile Data Backbone!!! (Score:3)
For the last fileSytemChecking time! SS7 IS NOT a "Mobile Data Backbone"
SS7 is a SIGNALING protocol. Think of ICMP+OSPF+BGP... this is used for the "Switches" in the telecom network to coordinate among themselves, and NOT to carry data (unless you consider SMSs data). Very important, yes. I'd dare say critical. But, Mobile Data Backbone... NO!
Call it something other than Mobile Data BackBone.
Re:SS7 is NOT a Mobile Data Backbone!!! (Score:4, Insightful)
The issue is with people who use SMS as part of their 2FA, among others.
In the bank account thing, the attackers were able to breach the victim's computer to gain the initial credentials. They then used a compromise of the SS7 signalling to intercept the SMS message from the bank, obstensibly to the victim, to get the password to unlock the account. In effect, the Bank's 2FA wasn't proper, because they trusted the network to do the right thing, and didn't ensure that the password went to the account holder's device.
Re: (Score:2)
Think of ICMP+OSPF+BGP... this is used for the "Switches" in the telecom network to coordinate among themselves, and NOT to carry data (unless you consider SMSs data).
So if I could insert bogus routes/costs into your BGP exchange and then capture the traffic, you wouldn't count that as a compromise? Even when a lot of that "traffic" is not in an encrypted channel? Please.
Yes, SS7 itself is a protocol that contains little user data. But it is a control protocol that dictates where user data goes---which makes its weaknesses into pretty big problems. It can be used to eavesdrop and physically locate users, which are serious confidentiality violations.