Millions of U.S. Cellphones Could Be Vulnerable to Chinese Government Surveillance (washingtonpost.com)
Millions of U.S. cellphone users could be vulnerable to Chinese government surveillance, warns a Washington Post columnist, "on the networks of at least three major U.S. carriers."
They cite six current or former senior U.S. officials, all of whom were briefed about the attack by the U.S. intelligence community. The Chinese hackers, who the United States believes are linked to Beijing's Ministry of State Security, have burrowed inside the private wiretapping and surveillance system that American telecom companies built for the exclusive use of U.S. federal law enforcement agencies — and the U.S. government believes they likely continue to have access to the system.... The U.S. government and the telecom companies that are dealing with the breach have said very little publicly about it since it was first detected in August, leaving the public to rely on details trickling out through leaks...
The so-called lawful-access system breached by the Salt Typhoon hackers was established by telecom carriers after the terrorist attacks of Sept. 11, 2001, to allow federal law enforcement officials to execute legal warrants for records of Americans' phone activity or to wiretap them in real time, depending on the warrant. Many of these cases are authorized under the Foreign Intelligence Surveillance Act (FISA), which is used to investigate foreign spying that involves contact with U.S. citizens. The system is also used for legal wiretaps related to domestic crimes.
It is unknown whether hackers were able to access records about classified wiretapping operations, which could compromise federal criminal investigations and U.S. intelligence operations around the world, multiple officials told me. But they confirmed the previous reporting that hackers were able to both listen in on phone calls and monitor text messages. "Right now, China has the ability to listen to any phone call in the United States, whether you are the president or a regular Joe, it makes no difference," one of the hack victims briefed by the FBI told me. "This has compromised the entire telecommunications infrastructure of this country."
The Wall Street Journal first reported on Oct. 5 that China-based hackers had penetrated the networks of U.S. telecom providers and might have penetrated the system that telecom companies operate to allow lawful access to wiretapping capabilities by federal agencies... [After releasing a short statement], the FBI notified 40 victims of Salt Typhoon, according to multiple officials. The FBI informed one person who had been compromised that the initial group of identified targets included six affiliated with the Trump campaign, this person said, and that the hackers had been monitoring them as recently as last week... "They had live audio from the president, from JD, from Jared," the person told me. "There were no device compromises, these were all real-time interceptions...." [T]he duration of the surveillance is believed to date back to last year.
Several officials told the columnist that the cyberattack also targeted senior U.S. government officials and top business leaders — and that even more compromised targets are being discovered. At this point, "Multiple officials briefed by the investigators told me the U.S. government does not know how many people were targeted, how many were actively surveilled, how long the Chinese hackers have been in the system, or how to get them out."
But the article does include this quote from U.S. Senate Intelligence Committee chairman Mark Warner. "It is much more serious and much worse than even what you all presume at this point."
One U.S. representative suggested Americans rely more on encrypted apps. The U.S. is already investigating — but while researching the article, the columnist writes, "The National Security Council declined to comment, and the FBI did not respond to a request for comment..." They end with this recommendation.
"If millions of Americans are vulnerable to Chinese surveillance, they have a right to know now."
Is there space left in US cellphones? (Score:2, Redundant)
I mean Google and Apple are already doing surveillance there. The place is already taken.
Re:Is there space left in US cellphones? (Score:4, Insightful)
Re:Is there space left in US cellphones? (Score:5, Insightful)
Governments would love you to believe that foreign spying is bad but domestic spying is good. That is true for government, military, and some industrial sectors. It is the exact opposite of what is true for everybody else.
Restating some points (Score:5, Informative)
>which is used to investigate foreign spying that involves contact with U.S. citizens
1) Not really, calls between the US and foreign countries have a different set of laws that allow the call information to be monitored (number, date/time, duration, etc).
2) Other countries have prohibitions similar to the USA's on watching people inside the country calling within the country. They monitor within the US and the US monitors within their country. Then they exchange information on each other's internals without having any of the countries directly monitor what goes on inside of itself.
https://www.theguardian.com/wo... [theguardian.com]
Not so secret: deal at the heart of UK-US intelligence
1946 agreement tied allies into spying network
Freedom of information requests bring publication
A six-page "British-US Communication Intelligence Agreement", known as BRUSA, later UKUSA, tied the two countries into a worldwide network of listening posts run by GCHQ, Britain's biggest spying organisation, and its US equivalent, the National Security Agency.
Though its existence has long been known, the agreement, negotiated in London in March 1946, is only now being published, and for the first time officially acknowledged, after freedom of information requests in Britain and the US. Under the agreement, the countries agreed to exchange the knowledge from operations involving intercepting, decoding and translating foreign communications, including the "acquisition of communication documents and equipment". In a passage which ensured that GCHQ's activities remained wrapped in official secrecy, the agreement states: "It will be contrary to this agreement to reveal its existence to any third party whatever." ...
Re: (Score:2)
Re: (Score:2)
Personally I do not mind the spying.
You have a very limited understanding of spying. Keep looking for food, while being potential food. And you wonder why no one respects you....
Re: Restating some points (Score:2)
Re: (Score:1)
Re: (Score:2)
Governments would love you to believe that foreign spying is bad but domestic spying is good. That is true for government, military, and some industrial sectors. It is the exact opposite of what is true for everybody else.
Domestic spying is very bad, but foreign spying is far, far worse. It's not just the military problems, but perhaps more importantly the economic ones. Industrial spying by China results in loss of American jobs, markets, and money. When American companies lose trade secrets to China, it's ordinary Americans that will suffer the most.
Re: (Score:2)
China is scary because China can potentially violate my privacy, and China doesn't have my interests at heart.
US agencies and US Big Data monopolies are scarier because they for sure violate my privacy and they don't have my interests at heart either.
Quite frankly, I'm a lot more concerned about actual domestic surveillance than potential foreign one.
Re:Is there space left in US cellphones? (Score:4, Informative)
Re: (Score:2)
"Ad-rape"? "Abusive advertisements"?? Bruh, I'm advertised to at the fucking GAS PUMP by random adverts. The whole "targeted ad" concept is only in place to mask the truth, which is actual illegal surveillance.
If you really want to know what's happening, you should watch this: "Everything is a rich man's trick" [youtube.com].
Re: (Score:1)
China is not so scary to me. Because I don't intend to go to China and so far China is far less likely to do "rendition" of non-citizens and non-ex-citizens.
Whereas the USA on the other hand has the power and will to do stuff like this: https://en.wikipedia.org/wiki/... [wikipedia.org]
https://www.theguardian.com/me... [theguardian.com]
https://www.theguardian.com/te... [theguardian.com]
https://www.theguardian.com/wo... [theguardian.com]
Most (not all) citizens have more to fear from their own government than from China.
Re: (Score:2, Insightful)
Yeah, it's equivalent. Right, Chi-com?
Yes, because China is going to send its goons around to knock down your door and kill your pet squirrel [google.com]
That would never happen in freedom loving America.
Re: (Score:1)
Re: Is there space left in US cellphones? (Score:2)
Re: (Score:3)
The solution is really simple: The Chinese just hack and steal the data-sets. Why go to all the trouble surveilling users directly?
Few people are really affected (Score:2, Insightful)
1) Anyone who works in a sensitive government position (or adjacent to one where your movements could reveal something) and is stupid enough to carry around an insecure phone.
2) Anyone who works in an industry within which the Chinese government might like to engage in some industrial espionage.
3) Chinese expats worried about Xi wanting to exert control over them and threaten family members back in China.
4) Pretty much nobody else.
I don't want Xi snooping in my phone, but it's incredibly unlikely to have an
Re:Few people are really affected (Score:5, Insightful)
1) Anyone who works in a sensitive government position (or adjacent to one where your movements could reveal something) and is stupid enough to carry around an insecure phone.
This is specifically about phone independent monitoring. If you make a phone call from a "secured" phone to an actual normal number.
2) Anyone who works in an industry within which the Chinese government might like to engage in some industrial espionage.
Or anyone who works in an industry like banking where the Chinese might profit from insider knowledge. Or anyone who works in support of an industry China wants to take over.
3) Chinese expats worried about Xi wanting to exert control over them and threaten family members back in China.
Or anyone who's doing things like this Slashdot story that are uncomfortable for the Chinese government. Or anyone who might travel to China and have mistakenly visited an anti-China web page or be useful for China to kidnap and hold hostage.
4) Pretty much nobody else.
Except for people like Americans where China has been explicitly flying Nuclear Bombers near to their country recently.
I don't want Xi snooping in my phone, but it's incredibly unlikely to have any significant effect on my life. In fact, whatever resources they devote to monitoring me, however meagre, are a wasted effort for them.
They will have an AI system monitoring you. If you are honestly as boring as you say they might just be using your location to improve their ICBM targeting, but they will still do that. They might also use the data to get you fired so that one of their agents can take your job to have something to pay for their life when they want a sleeper agent in the US.
It's very likely that the truth is that you personally won't have bad things happen to you, however the Chinese government has become pretty hostile. This should not just be discounted because these things will happen to someone.
Re: (Score:3)
Except for people like Americans where China has been explicitly flying Nuclear Bombers near to their country recently.
they might just be using your location to improve their ICBM targeting.
They might also use the data to get you fired so that one of their agents can take your job to have something to pay for their life when they want a sleeper agent in the US.
I think you're wearing your tin foil hat a bit too tightly. Their nuclear bombers aren't even stealthy, so they'll be shot down in no time assuming they even get airborne. As for their ICBMs, those are all nuclear tipped and aimed at large cities (they use the minimum deterrence strategy). If they can't figure out where those are, then there's nothing for us to worry about. And firing you when there's 100 applicants for every opening? That's a 1% chance for their agent to get the job. Just wiring them some
Start getting privacy laws, then we will talk... (Score:1)
Problem is that the entire phone ecosystem in the US is about deliberately leaking stuff, be it telemetry, or all that juicy data from the microphone, cameras, GPS, and all the data stored on the device. This is how Android continues to exist, because without the data coming in, Google couldn't really exist.
Of course, those same mechanisms to feed the ad companies are easily hijacked to redirect the data to China, or whatever hostile power wants them. Private industry won't do jack shit because they proba
Re:Start getting privacy laws, then we will talk.. (Score:5, Insightful)
Exactly. Don't create a dystopian domestic surveillance infrastructure here in the US and the Chinese won't have anything to "burrow" into.
Because I don't want to be put under surveillance by anyone, be it semi-unconstitutional three-letter agencies, private big data monopolies or foreign dictatorships.
Re: Start getting privacy laws, then we will talk. (Score:3)
Lawful-access system (Score:5, Insightful)
This is why you don't build back doors into your stuff. Even if they are only meant for the "good guys".
Re: (Score:2)
Good guys don't need backdoors. Only people up to no good do.
Re: (Score:2)
The "good guys" use front doors! So you do not even get to complain when they rape you...
For context, some deeply immoral asshole German politicos complained their deeply desired surveillance mechanisms were called "backdoors" by all experts and claimed that government surveillance would, of course, use "front doors".
Re:Lawful-access system (Score:5, Informative)
Re: (Score:2)
I wish I had moderator points today in order to give you a +1 to this.
Re: (Score:2)
Came here for this comment. Thank you.
Re: (Score:2)
Who could have predicted it? It's almost like the thing that every cryptography professional told them from the outset would happen, happened!
Yep. I was there in the standards meeting when the feds turned up and gave a talk about the mandatory LA features we had to add. We all pointed out how this was stupid and would be exploited by everyone and anyone to spy on everyone and anyone including those feds demanding we add LA.
And here we are 20 years later.
A system can be secure or... (Score:5, Insightful)
...insecure. Those are the only options.
It's impossible to allow the good guys to get in while keeping the bad guys out.
If there is a secret back door, the bad guys will find it.
It's not even possible to make sure the good guys are always good.
Re: (Score:2)
Do you have updates turned off on your phone?
Re: (Score:1)
A system can be secure or......insecure.
I think you meant a system can be insecure or believed to be reasonably secure.
Spam (Score:1)
Get payed... (Score:2)
cover story (Score:1, Insightful)
Re: (Score:2)
Yea, all good questions which I notice you were suspiciously modded down for. Of course, I had known someone had been monitoring my cellphone communications for years already, and now I'm wondering if these are the same people, or if it has been someone else who has also had this level of access all along. I wonder if there's anyone left in the world who doesn't have this level of access at this point. It seems like security is a joke to these companies.
Open doors are OPEN for bad actors (Score:1)
Techdirt (https://www.techdirt.com) has covered this for decades.
When you CREATE AN OPEN DOOR then bad actors WILL gain access and WILL use it.
Today that may be a nation state hell bent on figuring out how much interest my bank account collected.
Tomorrow it may be those spammer scammers who will TRANSFER ALL MY MONEY elsewhere.
What will the US government do? Blame other people. Even though they DEMANDED the breaking of encryption and creation of the access, and the banks and other institutions acceded to the
Can they block messages too? (Score:1)
Just curious.
Backdoor wide open (Score:5, Insightful)
>"The Chinese hackers,[] have burrowed inside the private wiretapping and surveillance system that American telecom companies built for the exclusive use of U.S. federal law enforcement agencies"
Please remember this if you are tempted to support "back doors" in encryption, for ANY reason. Security by obscurity doesn't work, and keeping something like that "secret" is not only nearly impossible in the long-term, it presents a weakness that can eventually be cracked, even if it remains secret.
So who is being blackmailed? (Score:3, Insightful)
That's my opinion, I'd like to hear some debate. Is there anything that might limit the fallout from this attack? I guess one thing is individual values, some people may not have done anything they can be blackmailed for (although they also have relatives/friends/associates).
Re: (Score:3)
Funny the way you have been modded off topic when you are directly asking about the results of this. Maybe the Slashdot mods are being blackmailed \j.
You've got a point, but typically data like this would be too valuable to risk by directly using for blackmail. I'd imagine this would be used more for target selection and similar. You then use something like parallel construction to get the blackmail data.
Major carriers. (Score:1)
So, all of them? If you have a cell phone in the US it's pretty much on one of three networks: TMO, VZW, and ATT. There is US Cellular but they don't have much of a footprint.
Yes! Communications Assistance for LE Act (Score:2)
Per the FCC:
The Communications Assistance for Law Enforcement Act (CALEA) is a statute enacted by Congress in 1994 to require that telecommunications carriers and manufacturers of telecommunications equipment design their equipment, facilities, and services to ensure that they have the necessary surveillance capabilities to comply with legal requests for information.
https://www.fcc.gov/calea
Per Wikipedia:
In the years since CALEA was passed it has been greatly expanded to include all VoIP and broadband In
Let me fix that headline.. (Score:2)
Waitaminute... (Score:2)
Don't put confidential stuff on your phone (Score:2)
Or use your phone to talk about it. Or have your phone in the room when you do (except battery removed).
There, really not that hard and not even a new thing.
Accuracy please (Score:5, Insightful)
The phones themselves are fine. Or at least as fine as they were previously.
The issue here is the network they connect to. Professionals need to fix the jacked up network. Normal users that don't understand how electricity even works do NOT need to go buy new phones.
Ooops (Score:2)
Insert WaPo neocon waffle (Score:1)
Apr 2023: A Step by Step Guide to SS7 Attacks [firstpoint-mg.com]
Feb 2022: Whistleblower claims NSO offered 'bags of cash' for access to US phone networks [theregister.com]
2018: SS7 vulnerabilities and attack exposure Report [gsma.com]
It's an own goal (Score:2)
So China is using the "secret" back doors built in to the U.S. phone network by the U.S. government? Who other than world+dog could have seen that coming? This is truly an own goal.
But I don't hear any hint of the easy and effective solution: disable the back doors.
Engage the AI bot army (Score:2)
* Russian / Iranian
Can they inject deepfake calls? (Score:2)
tldr; If it is "worse than you all even presume" does that mean the vulnerability allows the attackers to dial up a deepfake service to initiate faked calls or even take over existing calls for a short period without one side being aware of it?
Any back door... (Score:2)
\o/ (Score:1)
Millions of U.S. Cellphones Should Be Vulnerable to American Government Surveillance, Dammit!
Do your part (Score:2)
I'm shocked (Score:1)
(for the emo-divergent, I should point out that the above statement is positively dripping with sarcasm.)