Surveillance and Our Insecure Infrastructure
Since Edward Snowden revealed to the world the extent of the NSA’s global surveillance network, there has been a vigorous debate in the technological community about what its limits should be.
Less discussed is how many of these same surveillance techniques are used by other—smaller and poorer—more totalitarian countries to spy on political opponents, dissidents, and human rights defenders; Citizen Lab at the University of Toronto has documented some of the many abuses, by countries like Ethiopia, the UAE, Iran, Syria, Kazakhstan, Sudan, Ecuador, Malaysia, and China.
That these countries can use network surveillance technologies to violate human rights is a shame on the world, and there’s a lot of blame to go around.
We can point to the governments that are using surveillance against their own citizens.
We can certainly blame the cyberweapons arms manufacturers that are selling those systems, and the countries—mostly European—that allow those arms manufacturers to sell those systems.
There’s a lot more the global Internet community could do to limit the availability of sophisticated Internet and telephony surveillance equipment to totalitarian governments. But I want to focus on another contributing cause to this problem: the fundamental insecurity of our digital systems that makes this a problem in the first place.
IMSI catchers are fake mobile phone towers, named for the IMSI, the subscriber identifier a phone hands over when it registers with a network. They allow someone to impersonate a cell network and collect information about phones in the vicinity of the device, and they're used to create lists of people who were at a particular event or near a particular location.
Fundamentally, the technology works because the phone in your pocket automatically trusts any cell tower to which it connects. In the GSM protocols the tower challenges the phone to prove its identity, but the phone never gets to challenge the tower, so whoever broadcasts the strongest signal for the right network gets the phone's identity and its traffic; later generations added authentication of the network, but a fake tower can still push a phone back down to the older protocol. In that direction there's no security in the connection protocols between the phones and the towers.
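The one-way trust described above, in working form, as an added example that is not from the essay: a toy model in Python of a phone attaching to a tower. The SIM's A3/A8 and MILENAGE functions are replaced by HMAC-SHA256, and the IMSI and key are constructed, so this models the message flow rather than the real algorithms. Under GSM-style authentication the phone answers the challenge and stays attached to whichever tower sent it; under 3G/4G-style AKA the tower has to present an AUTN token keyed with Ki, which a rogue tower can neither forge nor replay. The model keeps one caveat a practitioner should know: the identity request precedes authentication in all three generations, so the IMSI is disclosed either way, and what AKA denies the rogue is the ability to keep the phone attached and relay its traffic.

```python
import hashlib
import hmac
import os


def kdf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 stand-in (assumption) for the SIM's A3/A8 or MILENAGE functions."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()


class Sim:
    """The IMSI plus the long-term key Ki shared only with the home operator."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self.ki = imsi, ki
        self.highest_sqn = -1  # highest sequence number accepted so far (replay check)

    def gsm_sres(self, rand: bytes) -> bytes:
        # GSM: SRES = A3(Ki, RAND). The phone proves it knows Ki; nothing in the
        # exchange tells it whether the tower that sent RAND knows Ki.
        return kdf(self.ki, b"A3", rand)[:4]

    def aka_res(self, rand: bytes, autn: bytes) -> bytes:
        # 3G/4G AKA: AUTN = (SQN xor AK) || AMF || MAC, with MAC keyed by Ki, so
        # only a party holding Ki can produce an AUTN this SIM accepts.
        sqn_ak, amf, mac = autn[:6], autn[6:8], autn[8:16]
        ak = kdf(self.ki, b"f5", rand)[:6]
        sqn = bytes(a ^ b for a, b in zip(sqn_ak, ak))
        expected = kdf(self.ki, b"f1", rand, sqn, amf)[:8]
        if not hmac.compare_digest(mac, expected):
            raise ValueError("MAC failure: challenger does not hold Ki")
        n = int.from_bytes(sqn, "big")
        if n <= self.highest_sqn:
            raise ValueError("synch failure: AUTN replayed")
        self.highest_sqn = n
        return kdf(self.ki, b"f2", rand)[:8]  # RES, sent back to the network


class Tower:
    """A base station; `keys` maps IMSI -> Ki for subscribers it really serves ({} for a rogue)."""

    def __init__(self, keys: dict):
        self.keys, self.sqn, self.last_challenge = keys, 0, None

    def aka_challenge(self, imsi: str):
        rand = os.urandom(16)
        if imsi in self.keys:
            ki = self.keys[imsi]
            self.sqn += 1
            sqn, amf = self.sqn.to_bytes(6, "big"), b"\x80\x00"
            ak = kdf(ki, b"f5", rand)[:6]
            mac = kdf(ki, b"f1", rand, sqn, amf)[:8]
            autn = bytes(a ^ b for a, b in zip(sqn, ak)) + amf + mac
        else:
            autn = os.urandom(16)  # rogue: no Ki, so the MAC can only be guessed
        self.last_challenge = (rand, autn)
        return rand, autn


def attach(sim: Sim, tower: Tower, mode: str, replay=None) -> dict:
    """One attach attempt: what the tower learned, and whether the phone stayed attached."""
    # The identity request precedes authentication in GSM, 3G and 4G alike, so the
    # IMSI goes to whichever tower the phone camped on (5G's SUCI changes this).
    result = {"imsi": sim.imsi, "attached": False, "reason": ""}
    if mode == "gsm":
        rand = os.urandom(16)
        sres = sim.gsm_sres(rand)
        if sim.imsi in tower.keys and sres != kdf(tower.keys[sim.imsi], b"A3", rand)[:4]:
            return {**result, "reason": "SRES mismatch"}
        # A rogue tower cannot check SRES and does not need to: its "accept" is
        # unauthenticated, and the phone has no way to tell it from the real thing.
        return {**result, "attached": True, "reason": "tower never proved itself"}
    rand, autn = replay if replay else tower.aka_challenge(sim.imsi)
    try:
        sim.aka_res(rand, autn)
    except ValueError as err:
        return {**result, "reason": str(err)}
    return {**result, "attached": True, "reason": "valid, fresh AUTN"}


def run_scenarios() -> dict:
    ki = os.urandom(16)
    sim = Sim("001010123456789", ki)  # constructed IMSI in the test PLMN 001/01
    home, rogue = Tower({sim.imsi: ki}), Tower({})
    out = {
        "gsm_home": attach(sim, home, "gsm"),
        "gsm_rogue": attach(sim, rogue, "gsm"),
        "aka_home": attach(sim, home, "aka"),
        "aka_rogue": attach(sim, rogue, "aka"),
    }
    # The rogue replays the home network's last (RAND, AUTN): the MAC verifies, but SQN is stale.
    out["aka_replay"] = attach(sim, rogue, "aka", replay=home.last_challenge)
    return out
```

`run_scenarios()` returns the five outcomes keyed by name; every entry carries the IMSI, and only `gsm_rogue` shows the rogue tower keeping the phone attached, while `aka_rogue` fails on the MAC and `aka_replay` fails on the sequence number. The sequence-number check is what turns a valid captured token into a useless one, which is why the model tracks the highest SQN seen rather than just verifying the MAC.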
IP intercept systems are used to eavesdrop on what people do on the Internet. Unlike the surveillance that happens at the sites you visit, by companies like Facebook and Google, this surveillance happens at the point where your computer connects to the Internet. Here, someone can eavesdrop on everything you do.
This system also exploits existing vulnerabilities in the underlying Internet communications protocols. Much of the traffic between your computer and the Internet is unencrypted, and what is encrypted is often vulnerable to man-in-the-middle attacks because of weaknesses in both the Internet protocols and the encryption protocols that protect them: an interceptor sitting on the path can downgrade or strip the encryption, or present a certificate that the client accepts without adequate checking.
There are many other examples. What they all have in common is that they are vulnerabilities in our underlying digital communications systems that allow someone—whether it’s a country’s secret police, a rival national intelligence organization, or criminal group—to break or bypass what security there is and spy on the users of these systems.
These insecurities exist for two reasons. First, they were designed in an era where computer hardware was expensive and inaccessibility was a reasonable proxy for security. When the mobile phone network was designed, faking a cell tower was an incredibly difficult technical exercise, and it was reasonable to assume that only legitimate cell providers would go to the effort of creating such towers.
At the same time, computers were less powerful and software was much slower, so adding security into the system seemed like a waste of resources. Fast forward to today: computers are cheap and software is fast, and what was impossible only a few decades ago is now easy.
The second reason is that governments use these surveillance capabilities for their own purposes. The FBI has used IMSI-catchers for years to investigate crimes. The NSA uses IP interception systems to collect foreign intelligence. Both of these agencies, as well as their counterparts in other countries, have put pressure on the standards bodies that create these systems to not implement strong security.
Of course, technology isn’t static. With time, things become cheaper and easier. What was once a secret NSA interception program or a secret FBI investigative tool becomes usable by less-capable governments and cybercriminals.
Man-in-the-middle attacks against Internet connections are a common criminal tool to steal credentials from users and hack their accounts.
IMSI-catchers are used by criminals, too. Right now, you can go onto Alibaba.com and buy your own IMSI catcher for under $2,000.
Despite their uses by democratic governments for legitimate purposes, our security would be much better served by fixing these vulnerabilities in our infrastructures.
These systems are not only used by dissidents in totalitarian countries, they’re also used by legislators, corporate executives, critical infrastructure providers, and many others in the US and elsewhere.
That we allow people to remain insecure and vulnerable is both wrongheaded and dangerous.
Earlier this month, two American legislators—Senator Ron Wyden and Rep Ted Lieu—sent a letter to the chairman of the Federal Communications Commission, demanding that he do something about the country’s insecure telecommunications infrastructure.
They pointed out that not only are insecurities rampant in the underlying protocols and systems of the telecommunications infrastructure, but also that the FCC knows about these vulnerabilities and isn’t doing anything to force the telcos to fix them.
Wyden and Lieu make the point that fixing these vulnerabilities is a matter of US national security, but it’s also a matter of international human rights. All modern communications technologies are global, and anything the US does to improve its own security will also improve security worldwide.
Yes, it means that the FBI and the NSA will have a harder job spying, but it also means that the world will be a safer and more secure place.
This essay previously appeared on AlJazeera.com.
Z.Lozinski • April 17, 2017 7:28 AM
Perhaps one step to improve the situation is in documenting the (now incorrect) assumptions we have collectively made in designing and implementing the world’s communications infrastructure. I think one of the problems is that how these assumptions have been broken is not well understood, and so people ignore them.
We need everyone building systems and devices – not just the security engineers – to understand how these have changed.
1 – Anyone that can connect to the SS7 network is a legitimate telecom operator. That was true in the 1970s when C7 was being designed and the 1980s when it was first implemented. It is not true now, with SIGTRAN gateways allowing anyone with an IP connection to send SS7 messages. Examples where this is being exploited: telecom accounting fraud, fake Caller ID for incoming calls, and fake SMSes to subvert multi-factor authentication. (Hence the recent change in accepting SMS as a valid 2FA.)
2 – Anyone that can put up wireless infrastructure is a legitimate operator. Valid in the 1980s, when a cell site was a USD 100K investment. Not true any more for mobile telecoms, with the growth of IMSI catchers (USD 2000 per Bruce’s example). Not true any more for WiFi and mobile data (USD 100). How many people trust the nearest hot-spot? Even those who should know better still make this mistake: see the wall of sheep at any CCC or HOPE.
3 – Anyone that connects to the international banking system is a legitimate bank. True when corresponding banks literally had each other’s physical name, address and registered signature. We have seen ATM scams based on setting up a bank in New York; we have seen fake SWIFT transactions (Bank of Bangladesh).
4 – Digital certificates provide any assurance about the security of a connection. Maybe in theory, if the entire trust chain is properly implemented; not in practice. There are too many Certificate Authorities; too many domain registrars have weak security; certificate trust is embedded in browsers; too many examples of vulnerability to MITM.
5 – Apps from a trusted AppStore solve all these problems. I believe Apple and Google are doing their best, as their business really does depend on this model working. Look at the recent Brazilian bank incident – how would using an App help the end user when the App believed it was communicating with a trusted endpoint?
6 – The trickle down effect is massively underestimated. In WW2 it took a national effort by the UK and USA to break a high grade communications system (Enigma, FISH etc.) that was comparable to the Manhattan Project in terms of people and resources. The Cold War had similar levels of investment. Even ignoring the script kiddies, we have gone from USD billions to tens/hundreds of thousands (constant 2017 currency) to mount a major attack. This is where I believe that the security community needs to get the national agencies of the major developed countries to re-think their assumptions.
I’m sure there are others.