Maybe the Phone System Surveillance Vulnerabilities Will Be Fixed

It seems that the FCC might be fixing the vulnerabilities in SS7 and the Diameter protocol:

On March 27 the commission asked telecommunications providers to weigh in and detail what they are doing to prevent SS7 and Diameter vulnerabilities from being misused to track consumers’ locations.

The FCC has also asked carriers to detail any exploits of the protocols since 2018. The regulator wants to know the date(s) of the incident(s), what happened, which vulnerabilities were exploited and with which techniques, where the location tracking occurred, and, if known, the attacker’s identity.

This time frame is significant because in 2018, the Communications Security, Reliability, and Interoperability Council (CSRIC), a federal advisory committee to the FCC, issued several security best practices to prevent network intrusions and unauthorized location tracking.

I have written about this over the past decade.

Posted on April 5, 2024 at 7:00 AM • 10 Comments

Comments

Clive Robinson April 5, 2024 12:34 PM

@ Bruce, ALL,

Re : SS7 is older than security.

“It seems that the FCC might be fixing the vulnerabilities in SS7”

Hmm some might say “about time” and older wiser heads “Probably not”.

Because this is by no means the first time people have tried…

Back in April 2016 Congressman Ted Lieu called for an oversight committee investigation into the very significant security vulnerabilities of SS7 after they had been repeatedly highlighted in U.S. governmental bodies, and it was not the first call at this level, and here we are the better part of a decade later…

There are two observations you can apply,

The first is that SS7 is from a time when security was not an issue between telco operators and resources were still electromechanical in nature. It was brought in, as had SS6, to try and get rid of the “in-band signalling” that could be and was being exploited by the likes of “Capt Crunch Rings” and “blue boxes” of the 1960s and 1970s.

Thus whilst it fixed the perceived problem of half a century ago, it had no chance of fixing the known security problems of this century.

So

“Trying to fix SS7 problems is like trying to get rid of air bubbles when hanging wall paper. If you push down in one place it pops right up in at least another three.”

But also SS7 is an old protocol from the old Analogue POTS days. Whilst only half jokingly said,

“It’s older than the trees but not quite as old as the hills…”

Some know that as far as telco company developments go it’s potentially older than Bakelite and before integrated circuits…

There is an old joke that applies,

A pair of young newly weds were trying to drive to their honeymoon cottage, and either the directions or the roads themselves were not making sense. So they decided being happily in love that the next person they saw they would stop and ask. They saw a very old guy with long long grey beard leaning on a gate and smoking a pipe and watching the world in that cautious way some do. On being asked how to get to the cottage he nodded and puffed his pipe a couple of times and then said, “If I was you, I’d not start from here”

Which kind of says all most need to know about SS7…

If the world had progressed at the rate some think it should have, we’d be on SS13 or 14 by now 😉

Because above SS7 in the comms stack everything has changed. Likewise below SS7 in the comms stack everything has changed, yet SS7 endures for some unknown reason of human logic…

“For all its many and grievous failings it actually does what it was designed to do.”

Trying to update SS7 is… some feel, like holding a “re-run on IPSec”…

LUCIAN April 5, 2024 2:49 PM

“FCC might be fixing the vulnerabilities …”

No, the worthless FCC government bureaucrats are now merely asking private telecoms to analyze the current problem for THEM.

lurker April 5, 2024 4:01 PM

The FCC has also asked carriers to detail any exploits of the protocols since 2018.

The carriers might not know or care of any exploits if no money was lost. Sen. Wyden’s pious handwringing will need to demonstrate a benefit to their balance sheets to make the carriers move.

Al April 5, 2024 5:11 PM

Perhaps having insecure protocols benefits the government. Or allied governments. I guess the problem is that bad actors benefit too.

ResearcherZero April 6, 2024 12:54 AM

@Clive Robinson

If they fixed it, then how would they trace people’s locations during emergency calls? 😉

“I can see some rocks, a tree, there are hills in the distance. I’m facing to the left.”

SS7 was used in 2G/3G mobile networks for connectivity between core network elements in the circuit-switched domain, for international roaming between carriers and services like Local Number Portability and Toll Free numbers.

Emergency calls often also use G2, and for that reason G2 cannot be completely disabled yet. It is also used of course in some parts of G4 networks. Although G3 is being switched off in many areas, G2 network functions are still in operation. Eventually they will be replaced by Diameter and 5G, yet it will take time to replace all of those functions.

(though the newer protocol stack is not exactly free of its own flaws)
https://troopers.de/events/troopers16/653_assaulting_ipx_diameter_roaming_network/

diagrams

https://www.slideshare.net/yodresh/assaulting-diameter-ipxnetwork

“Technically speaking, more people use the SS7 than use the Internet.”

https://spectrum.ieee.org/alarming-security-defects-in-ss7-the-global-cellular-networkand-how-to-fix-them

ResearcherZero April 6, 2024 1:06 AM

SS7 is used by switches, routers, service control points (SCPs), home location registers (HLRs), and a bunch of other stuff. SS7 also “facilitates the establishment, maintenance, and termination of calls, as well as the delivery of various supplementary services such as call forwarding and caller ID.”

As Clive pointed out, it’s a hard problem to fix.

The SS7 site itself is not particularly helpful, but there is a bit of an overview here.

https://www.patton.com/whitepapers/intro-to-ss7-tutorial/

ResearcherZero April 9, 2024 5:47 AM

Post’s concept imagines this scenario as a human worker dealing with an infinite series of boxes or rooms. The worker’s agency is highly restricted.
She or he may only perform the “following primitive acts”:

  1. Marking the box he is in (assumed empty),
  2. Erasing the mark in the box he is in (assumed marked),
  3. Moving to the box on his right,
  4. Moving to the box on his left,
  5. Determining whether the box he is in, is or is not marked.

In the present formulation the symbol space is to consist of a two way infinite sequence of spaces or boxes, i.e., ordinally similar to the series of integers …, − 3, − 2, − 1, 0, 1, 2, 3, …. The problem solver or worker is to move and work in this symbol space, being capable of being in, and operating in but one box at a time. And apart from the presence of the worker, a box is to admit of but two possible conditions, i.e., being empty or unmarked, and having a single mark in it, say a vertical stroke.

https://www.wolframscience.com/prizes/tm23/images/Post.pdf

Part 1 — Purpose-Based Access Controls at Palantir

https://www.youtube.com/watch?v=7zqE8J4WKOU

“All [license plate] data is investigatory.”

While NSA data is highly restricted, scans of license plates, collected at police departments across the country, are highly susceptible to unauthorized access and official misuse.

https://medium.com/backchannel/the-drive-to-spy-80c4f85b4335

Part 2 — Eliminate Your Opponent

https://www.youtube.com/watch?v=XEM5qz__HOU

The inked cliques and their alleged misconduct have spawned academic reports, an FBI probe and a steady stream of lawsuits that have cost taxpayers more than $55 million.

“Arrangement would allow the department to keep sensitive information confidential” — That report was due in February, but when the department finally submitted it in early March, oversight officials said it was woefully incomplete and “inexplicably” cited irrelevant laws to justify refusing to turn over more detailed information.

https://www.latimes.com/california/story/2024-03-29/county-watchdog-pushes-to-subpoena-sheriffs-department-over-industry-station-indians-investigation

Clive Robinson April 9, 2024 9:30 AM

@ ResearcherZero, ALL,

Re : Take a proof add a hypothesis and what do you get?

“Post’s concept imagines this scenario as a human worker dealing with an infinite series of boxes or rooms. The worker’s agency is highly restricted.”

That is a first order description of the somewhat contentious “Searle’s Chinese Room” 1980’s hypothesis that AI is in effect a pile of crud.

‘She or he may only perform the “following primitive acts”:’

With the acts being the base rules of the Church-Turing answer to the halting problem realised as a “Universal Engine”.

But then come the “constraints” the first of which,

“The problem solver or worker is to move and work in this symbol space, being capable of being in, and operating in but one box at a time.”

Is an interesting take on the use of the “pigeonhole principle” to stop certain unwanted side effects[1] that few appear to realise.

What Emil Post was demonstrating was that human “mathematics” not just logic has problems that both the Church-Turing and slightly earlier Gödel proofs showed that there are natural laws that preclude any type of deterministic system being able to solve/answer.

But qualitatively humans can…

Thus it shows it’s “kiss goodbye” to the notion of AGI.

But more importantly and why I independently went through almost exactly the same reasoning showed that,

“Are you secure?”

Can never be reliably answered by a computer system of the two fundamental architectures we currently have.

I showed it was possible using certain techniques to get a system that could answer the question against “external attackers”, but only if the Turing Engine was suspended from operating and both its state and the state of the tape “verified” but not used to effect execution[2].

The upshot and problem is that the checking only answers the question at a point in time when the Turing Engine is suspended, so you get into the,

“Efficiency v Security”

Issue and it becomes “probabilistic”.

[1] I’ve been through this independently to realise that if “the tape” the Turing “Universal Engine” sits on –and takes input from and puts output to,– has two or more Universal Engines or their equivalent on it that work independently of each other then there can be no “Security Reporting”. And yes I also took a turn through Gödel’s work.

[2] Explaining this idea of looking at data but not being affected by it can be hard to explain. However we routinely do it with DSP systems. Thinking in simpler terms, take the XOR of two input values and save the result in a third value. No matter what you do to the input values it does not stop the process or in any way affect its behaviour. Now think about a second process that reads the third value, and if it’s not zero sets a flag. It will indicate that the two data sources are not equivalent but not where or when the difference was discovered.
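Added illustration, not from the original post or any commenter: a Post-style worker with the five primitive acts ResearcherZero quotes above (two-way infinite tape kept as a dict of marked cells), run as two independent engines in lockstep, with a read-only monitor that XORs the two suspended states in the spirit of Clive’s footnotes [1] and [2]. The unary-successor program, the tamper functions and every cell value are constructed; the checkpoint-only detection and the transient case that slips between checkpoints show the point-in-time limit described above.

```python
class PostWorker:
    """Post's worker: a two-way infinite tape (dict of marked cells), one box at a time."""
    def __init__(self, marked_cells=()):
        self.tape = {c: 1 for c in marked_cells}  # an absent cell is an empty box
        self.pos = 0  # the box the worker is in
        self.pc = 0   # next instruction
    # The five primitive acts quoted from Post
    def mark(self): self.tape[self.pos] = 1
    def erase(self): self.tape.pop(self.pos, None)
    def right(self): self.pos += 1
    def left(self): self.pos -= 1
    def marked(self): return self.pos in self.tape

    def step(self, program):
        """Run one instruction; return False once the program has halted."""
        if self.pc >= len(program): return False  # halted
        op, arg = program[self.pc]
        if op == "jump_if_marked":
            self.pc = arg if self.marked() else self.pc + 1
        elif op == "jump":
            self.pc = arg
        else:
            getattr(self, op)()  # mark / erase / right / left
            self.pc += 1
        return True

# Constructed program: walk right over a block of marks and add one (unary successor).
PROGRAM = [("jump_if_marked", 3), ("mark", None), ("jump", 5), ("right", None), ("jump", 0)]

def xor_snapshot(a, b):
    """Read-only monitor: non-zero iff the two suspended states differ (not where or when)."""
    diff = (a.pos ^ b.pos) | (a.pc ^ b.pc)
    for cell in a.tape.keys() | b.tape.keys():
        diff |= a.tape.get(cell, 0) ^ b.tape.get(cell, 0)
    return diff

def run_lockstep(program, n_marks, tamper=None, tamper_at=None, max_steps=100):
    """Two independent engines on identical tapes; the monitor runs only while both are suspended."""
    a, b = PostWorker(range(n_marks)), PostWorker(range(n_marks))
    flag = False
    for t in range(max_steps):
        flag |= xor_snapshot(a, b) != 0  # checkpoint: both engines suspended, nothing written
        if t == tamper_at: tamper(b)     # constructed external write to b's tape between checkpoints
        if not (a.step(program) | b.step(program)):
            break
    return flag, sorted(a.tape), sorted(b.tape)

def persistent_tamper(w): w.tape[3] = 1  # mark stays on the tape: caught at the next checkpoint
def transient_tamper(w): w.tape[9] = 1; w.tape.pop(9)  # undone before the checkpoint: never seen
```

The monitor only ever reads both tapes, so it cannot disturb either engine, but it also only sees what is on the tape at the moment both are suspended.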

ResearcherZero April 17, 2024 1:01 AM

@Clive

And then there is experience again and if any bastard will listen. 😉

But there is also the incredulous listener. My dentist’s hand might break for example.
He might say something inappropriate to my wife. I might squeeze when shaking it.

In case of problems when 3G switches off…

If you see SOS or “SOS only” in the status bar, your device isn’t connected to a network, but you can still make emergency calls. This feature is available in Australia, Canada, and the United States. iPhone and iPad devices that support 5G networks are not affected by the phasing out of 3G networks. (unsurprisingly)

(you may need to perform a software update to the latest operating system for your phone)

https://support.apple.com/en-us/HT201415

Check in phone settings that Network and SIM are set to ‘auto’.

Turn on Airplane Mode for at least 15 seconds.
Turn off Airplane Mode.

or

Restart your phone.

If that does not work, try cleaning your SIM card and then restarting your phone.

https://www.androidauthority.com/lte-not-working-1005678/

The LTE-only (4G-LTE) feature is used only to disable 2G, 3G and 5G. (and maybe some old legacy code and bleeding edge)
LTE does provide basic network authentication / encryption, but it’s for the network itself, not for you.
Text messaging, voice calls, and other activities will not be magically secured and end-to-end encrypted.

Traditional voice calls will only work in LTE-only mode with an LTE connection if VoLTE is enabled on your phone.

(AT&T uses the label ‘5Ge’ for 4G-LTE as a marketing gimmick)

https://www.androidauthority.com/activate-4g-lte-868847/
