Slashdot Mirror


Telecom Lobbyists Downplayed 'Theoretical' Security Flaws in Mobile Data Backbone (vice.com)

An anonymous reader shares a report: According to a confidential document obtained by Motherboard, wireless communications lobby group CTIA took issue with an in-depth report by the Department of Homeland Security on mobile device security, including flaws with the SS7 network. In a white paper sent to members of Congress and the Department of Homeland Security, CTIA, a telecom lobbying group that represents Verizon, AT&T, and other wireless carriers, argued that "Congress and the Administration should reject the [DHS] Report's call for greater regulation" while downplaying "theoretical" security vulnerabilities in a mobile data network that hackers may be able to use to monitor phones across the globe, according to the confidential document obtained by Motherboard. However, experts strongly disagree about the threat these vulnerabilities pose, saying the flaws should be taken seriously before criminals exploit them. SS7, a network and protocol often used to route messages when a user is roaming outside their provider's coverage, is exploited by criminals and surveillance companies to track targets, intercept phone calls or sweep up text messages. In some cases, criminals have used SS7 attacks to obtain bank account two-factor authentication tokens, and last year, California Rep. Ted Lieu said that, for hackers, "the applications for this vulnerability are seemingly limitless."

33 comments

  1. The risks are to their customers, not them by Anonymous Coward · · Score: 2, Informative

    So why spend a cent to fix the issue? The free market is the best! It fixes everything. I'll just go to the carrier who fixes it. Oh wait, this is collective bargaining. No one fixes it and there is nowhere to go.

    1. Re:The risks are to their customers, not them by Archangel+Michael · · Score: 0

      In theory, when a vendor's product or service is defective, consumers have a right to sue and recover damages. The problem still isn't the Free Market, it is the rules and regulations placed on it by Government that limit the natural options.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    2. Re:The risks are to their customers, not them by omnichad · · Score: 1

      Oh wait, this is collective bargaining.

      No, they aren't forming a labor union. The word you're looking for is collusion.

    3. Re:The risks are to their customers, not them by Anonymous Coward · · Score: 0

      Not only that, but flaws are BUSINESS OPPORTUNITIES, right? Look at all the extra money Microsoft has made for AV companies!

    4. Re:The risks are to their customers, not them by uCallHimDrJ0NES · · Score: 1

      In theory, when a vendor's product or service is defective, consumers have a right to sue and recover damages. The problem still isn't the Free Market, it is the rules and regulations placed on it by Government that limit the natural options.

      The problem is that you start off with "in theory", and then make conclusions in reality.

      --
      Cloudiot: A person who does not see offsite storage as a way to lose control over access to his or her own data.
    5. Re:The risks are to their customers, not them by Anonymous Coward · · Score: 0

      Binding fucking arbitration...

    6. Re:The risks are to their customers, not them by Archangel+Michael · · Score: 0

      Right, the problem is the theory and practice aren't the same, because in practice we fuck things up with all sorts of goofy permanent rules for things that we can't get rid of, because people will die ...

      https://www.youtube.com/watch?...

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    7. Re:The risks are to their customers, not them by sl3xd · · Score: 2

      That's making a few (dangerous) assumptions:

      1. That actors involved will always act rationally, or at least in their own self interest. History proves that to be false, because "Humans."
      2. Customers can sue to recover damages. (ie. Mandatory 'arbitration' clauses removing your ability to sue; arbiters rarely side with customers.)

      Also... just what rules and regulations are forcing the carriers to use SS7? Absolutely none. SS7 is an interoperable standard that's very convenient for the industry. The industry has long known that SS7 is ancient and insecure, and has begun transitioning to a designated replacement: DIAMETER.

      Right now, SS7 can be used by foreign powers to eavesdrop on Capitol Hill, including transparently forwarding calls (effectively a wiretap), intercepting text messages, and more.

      That is not a small security hole, it's not limited to a few users, and there are actual attacks happening.

      In other words, it's a threat to "Homeland Security," something the DHS is supposed to care about.

      Here, the DHS is saying "It's time to recognize that SS7 is a threat to National Security. It's time to encourage a faster transition to its replacement."

      --
      -- Sometimes you have to turn the lights off in order to see.
    8. Re:The risks are to their customers, not them by coofercat · · Score: 1

      I was gonna say something similar... you guys have a whole slew of agencies who should be all over this - DHS, NSA, CIA, your new cyber whatsit, and probably half a dozen others. With all that in mind, how does an industry body successfully lobby for less regulation to be placed upon it?

    9. Re:The risks are to their customers, not them by EndlessNameless · · Score: 1

      Oh wait, this is collective bargaining. No one fixes it and there is nowhere to go.

      This is not collective bargaining at all. It appears you do not know what that means.

      The carriers need a standard to allow interoperability. ATT customers need to be able to call Sprint customers. The SS7 implementation is how they achieve that technical requirement.

      Any carrier who fails to interoperate with SS7 will die. Who is going to sign up for a new carrier if you can only call other people on that carrier?

      This is a market failure. It happens, and it's why we have regulations in the first place. I find myself in the unusual position of supporting DHS and Congressional intervention. We need security extensions or whole-cloth replacement of SS7.

      --

      ---
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    10. Re:The risks are to their customers, not them by EndlessNameless · · Score: 1

      In theory, when a vendor's product or service is defective, consumers have a right to sue and recover damages.

      You have to show harm to recover damages. Did your service stop as a result of SS7 weaknesses? Can you prove you were hacked? No? Too bad.

      SS7 has serious security deficiencies, and no one wants to fix it---because it costs a lot of money to replace equipment and train staff on the new equipment.

      Maybe the amount of hacking will justify that expense, but good luck getting enough victims together to put that level of financial pressure on the telecoms.

      In some cases, it's simpler to cut through the layers of bullshit. It's bad, people will be compromised, and we know a lot of sensitive information travels over those networks.

      Ordering the carriers to fix a serious problem now is better than waiting for the individual harms to occur.

      --

      ---
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
  2. Cheap bastards... by Gravis+Zero · · Score: 1

    ... gonna be cheap.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:Cheap bastards... by hey! · · Score: 1

      It's not just cheap; it's about when the costs come due relative to your pay day.

      For lobbyists and CEOs, problems three years out might as well be three hundred years out.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  3. Of course they did by Anonymous Coward · · Score: 0

    Cutting security with the added bonus of charging more for enough for even basic functionality is not only profitable but makes the more crooked subcontractor "hacking" them a minimal expense as well.

  4. Doubt it by Anonymous Coward · · Score: 0

    Doubt the authenticity of that document.

    1. Re:Doubt it by xxxJonBoyxxx · · Score: 1

      Er...was it "confidential" or "a white paper sent to members of Congress"? Probably not both.

  5. Stingray by DickBreath · · Score: 1

    One man's security flaw is another man's way to implement Stingray?

    Why the extreme secrecy about Stingray? A couple thoughts on that.

    The digital cell phone system was designed when we were using Windows 3.1. The system cannot withstand 21st century attacks. There must be some fundamental weakness in the way the network operates. This cannot be corrected without significant changes throughout the network base stations and mobile equipment. Thus it is expensive and time consuming to fix over a generation or more of equipment. This vulnerability may be the very basis of how Stingray works. If the secret got out, chaos would ensue. Everyone would be building their own Stingray devices. Poor people would be spying on rich people. Therefore we see security through obscurity of the vulnerability. Thus secrecy is paramount above all else including prosecutions. How this works can never be disclosed in open court, not even under the belly of a court ordered seal. The stakes are just too high.

    Another theory. Stingray involves the illegal use of stolen credentials, keys, code or other information, or violation of an NDA. Therefore Stingray itself is illegal. Use and possibly even possession of Stingray may itself run afoul of the law. Possibly if the secret of Stingray's operation got out, it might reveal, down to a small group of individuals who stole what, or who colluded with who.

    For the two foregoing reasons, don't expect Stingray to see the light of day. That is why police can't even disclose that they have, let alone use Stingray. Stingray is so secret that they will let proven criminals go free rather than use Stingray evidence in court. Or they will engage in "parallel construction" to avoid disclosing Stingray. (eg, Parallel Construction: a conspiracy of the prosecution and law enforcement to commit perjury and lie to the court about what their evidence actually is and how the investigation was conducted. Withholding this vital information from the defense.)

    --

    I'll see your senator, and I'll raise you two judges.
    1. Re:Stingray by Anonymous Coward · · Score: 0

      Why would you think that nobody can't build stingray? You can, just need to set up GSM base station, which is illegal.

    2. Re: Stingray by Zero__Kelvin · · Score: 1

      We know how Stingrays work; it isn't a secret.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  6. lobbyists do what they are paid to do, news at 11 by Anonymous Coward · · Score: 0

    Of course they downplay it and label them as theoretical.. that is the lobbyist's job!

    I mean they would actually lose their jobs if they didn't try to spin anything that came out that remotely related to the telcos. Not a single one of those companies that are represented by the lobbyists want anyone looking into how they operate with any detail, that way they can try to get away with as much sleight of hand as possible and then offer up an apology when they get caught.

    Lobbyists are nothing more than a marketing department for corporations that are geared towards policy makers, they are specifically used to spin things so that the policy makers think a certain way. This makes sense as they aren't trying to sell things to the policy makers but trying to legalize how the companies work or at the very least distract and confuse them.

    In this case it wouldn't really make a difference as most policy makers are technologically illiterate and wouldn't understand the severity of the problem if it was actually explained to them.

    TL, DR: lobbyists do what lobbyists are paid to do, news at 11

  7. Fine by Anonymous Coward · · Score: 1

    Then they won't mind accepting unlimited and uncapped liability?

  8. And you believe a politician? by Anonymous Coward · · Score: 0

    SS7 networks are internal, you cannot get to them from the internet and you cannot insert transactions into them. They do not carry voice and they are not even used with LTE and VoIP. They only get used with CDMA and GSM.
    This "vulnerability" has always been just advertisement and politics. It has never had any relation to the real world.

    1. Re:And you believe a politician? by IcyWolfy · · Score: 1

      The problem lies that almost everyone directly deals with SS7.
      Every ISP that offers voice services has direct access to SS7 protocols for fully implementing advanced calling features, multi-ring, international routing, cross-network billing, etc. in order to work seamlessly with the traditional phone systems.

      The attack vector would be to get into one of the smaller ISPs, and hijack their internal link to SS7, which is likely a much easier vector in.

      Judging by the number of ISP breaches... that this is probably much more easily done.
      You can then insert message packets, change the source and destination identifiers, and then create a dual stream of data and insert yourself into the call set-up or modification process (like adding new callers to conference, pre-empt connection and connect to alternate priority number and re-signal the connection after you place your line into the loop).

      And due to the sheer quantity of data, these additional, legitimate services (Spam pre-filtering/blocking, group calling, etc), will simply get lost in the mix.

    2. Re:And you believe a politician? by Anonymous Coward · · Score: 0

      CTIA, is that you??? 98.7% BS.

    3. Re:And you believe a politician? by dszd0g · · Score: 1

      It has never had any relation to the real world.

      Tell that to all the people who had their bank accounts drained using an SS7 exploit:

      https://www.theregister.co.uk/...

      Tell that to US congressman Ted Lieu who had his phone calls listened to using SS7:

      https://www.theguardian.com/te...

      I bet they believe you that the exploits don't exist in the real world...

      The problem is the "internal" network is available to around 800 companies. If the SS7 network of one is hacked or an employee who has access to it is bribed, the entire network is compromised. SS7 is basically a network protocol that uses usernames with no passwords. I don't know where you get the idea that it doesn't carry voice, but SS7 is used for roaming and it can re-route, block, or listen in on phone calls or texts. It also allows obtaining the cell tower a phone number is currently connected to (and thus rough location).

      SS7 is the reason NIST no longer recommends using SMS for two-factor authentication.

      --
      This message is encrypted with Quad ROT-13 to protect the author's copyright under the DMCA.
    4. Re:And you believe a politician? by sl3xd · · Score: 1

      Judging by the number of ISP breaches... that this is probably much more easily done.

      Not only is it done "easily enough", but the consequences are pretty dire. So far, we're seeing folks getting their bank accounts drained.

      That stuff lacks vision.

      Imagine if somebody forwarded calls between ${a certain politician} and ${donor} to the staff at ${late night comedy show}.

      Full Disclosure: I'm investing heavily in popcorn.

      --
      -- Sometimes you have to turn the lights off in order to see.
  9. well, here's your Security Flaw by turkeydance · · Score: 1

    According to a confidential document obtained by Motherboard

  10. Profit vs. reputation ? by Anonymous Coward · · Score: 0

    Risk is a slippery customer.

    Those highlighting the potential risks aren't financially motivated. Those required to spend money to resolve the issues have a vested interest in playing down the risks.

    This nicely encapsulates one of the main issues facing corporations everywhere.

    The real trick is avoiding all the obfuscation and misdirection.

  11. Nothing to see here; move along. by fahrbot-bot · · Score: 1

    'Theoretical' Security Flaws

    I think the NSA has a whole department for these.

    --
    It must have been something you assimilated. . . .
  12. Age of Alternate Facts by Anonymous Coward · · Score: 0

    If people who are paid to lie and spread misinformation for rich people say that it's nothing to worry about, then it must be true.

  13. SS7 is NOT a Mobile Data Backbone!!! by williamyf · · Score: 2

    For the last fileSystemChecking time! SS7 IS NOT a "Mobile Data Backbone"

    SS7 is a SIGNALING protocol. Think of ICMP+OSPF+BGP... this is used for the "Switches" in the telecom network to coordinate among themselves, and NOT to carry data (unless you consider SMSs data). Very important, yes. I'd dare say critical. But, Mobile Data Backbone... NO!

    Call it something other than Mobile Data BackBone.

    --
    *** Suerte a todos y Feliz dia!
    1. Re:SS7 is NOT a Mobile Data Backbone!!! by Strider- · · Score: 3, Insightful

      The issue is with people who use SMS as part of their 2FA, among others.

      In the bank account thing, the attackers were able to breach the victim's computer to gain the initial credentials. They then used a compromise of the SS7 signalling to intercept the SMS message from the bank, ostensibly to the victim, to get the password to unlock the account. In effect, the Bank's 2FA wasn't proper, because they trusted the network to do the right thing, and didn't ensure that the password went to the account holder's device.

      --
      ...si hoc legere nimium eruditionis habes...
    2. Re:SS7 is NOT a Mobile Data Backbone!!! by EndlessNameless · · Score: 1

      Think of ICMP+OSPF+BGP... this is used for the "Switches" in the telecom network to coordinate among themselves, and NOT to carry data (unless you consider SMSs data).

      So if I could insert bogus routes/costs into your BGP exchange and then capture the traffic, you wouldn't count that as a compromise? Even when a lot of that "traffic" is not in an encrypted channel? Please.

      Yes, SS7 itself is a protocol that contains little user data. But it is a control protocol that dictates where user data goes---which makes its weaknesses into pretty big problems. It can be used to eavesdrop and physically locate users, which are serious confidentiality violations.

      --

      ---
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.