[HN Gopher] Cyberespionage Using SS7 via Circles
___________________________________________________________________

Cyberespionage Using SS7 via Circles

Author : sroussey
Score  : 143 points
Date   : 2020-12-02 17:15 UTC (5 hours ago)

web link (citizenlab.ca)

| __jf__ wrote:
| "Using Internet scanning, we found a unique signature associated
| with the hostnames of Check Point firewalls used in Circles
| deployments. This scanning enabled us to identify Circles
| deployments in at least 25 countries."
|
| Nice OSINT find!

| nbzso wrote:
| "Given that the company deals with wiretapping in the service of
| criminals and dictatorial regimes and is probably indirectly
| responsible for the deaths of many people, discriminatory
| treatment of employees and candidates is a petty crime. Don't
| bother if you're a normal person." This is a Google-translated
| reaction from a Bulgarian website that rates workplaces. In
| other comments it is obvious that the 3500 EUR salary is tied to
| working in undefined and risky situations.
|
| https://bgrabotodatel.com/company/10131?__cf_chl_jschl_tk__=...

  | nbzso wrote:
  | Interesting comment from a Circles Bulgaria Ltd worker from 2019.
  | "The last opinions are very old, so I decided to write how
  | things really are in the company. For now, everything is pretty
  | good, especially after the management has changed almost
  | completely. They take very good care of their people, and the
  | only downside is the lack of a home office, but this is not
  | felt. I don't know another company, or at least I think there
  | are very few that take care of their people like that. The
  | atmosphere is very positive and relaxed, and the projects we
  | are working on are unique, once in a lifetime. Don't pay any
  | attention to the grumblers, there will always be some. The
  | information about the projects on the Internet is very small,
  | but believe me, there is no place to touch such work."

| noja wrote:
| Context:
| https://en.wikipedia.org/wiki/Signalling_System_No._7#Protoc...

| sroussey wrote:
| It would be great if Apple and Google had a setting to disable 2G
| and 3G at the very least.

  | sudosysgen wrote:
  | My phone does it.
  |
  | You have to enter this code in the dialer:
  | *#*#4636#*#*
  |
  | After which you can navigate to "Phone Information" and decide
  | which networks to use.
  |
  | For example, if you select "LTE Only", then the phone will not
  | connect to 2G/3G networks, and instead show that there is no
  | signal.
  |
  | This works for most Android phones.

    | angott wrote:
    | This will break phone calls if your carrier does not support
    | Voice over LTE (VoLTE), as the device will be unable to
    | switch over to 3G to handle incoming/outgoing calls.

      | sudosysgen wrote:
      | Yes. That's a necessary side effect of disabling 2G/3G. If
      | that's an issue, you can either only disable 2G, or switch
      | to a carrier that supports VoLTE.

    | phh wrote:
    | Yup, this should work on most Android smartphones.

    | odiroot wrote:
    | There's like 20 options there. Do you know how to just
    | disable 2G (keep LTE/3G enabled)?

  | dragonwriter wrote:
  | > It would be great if Apple and Google had a setting to
  | > disable 2G and 3G at the very least.
  |
  | I don't know if it's a Google, Samsung, or AT&T feature, but my
  | Android has a default-off setting to _enable_ 2G service.
  | Nothing on 3G though.

    | mic_ozar wrote:
    | Which Android phone model?

      | dragonwriter wrote:
      | S10+

  | baybal2 wrote:
  | It will not make much difference if your phone company doesn't
  | do the same, and stops accepting roaming requests from rogue
  | countries.
  |
  | Somebody should also punch Google in the face for building an
  | "espionage API" into Android: reading the SIM card serial, IMSI,
  | and IMEI without even a notice. I doubt the thriving market of
  | SS7 interceptions would be anywhere if not for Android creating
  | a market for such data.

    | slim wrote:
    | Maybe we could build Android without it?

| mandragon wrote:
| Go to the Apple store and ask for a "CDMA-less" iPhone.
|
| Got this trick from a Verizon engineer after complaining about
| such risks. Carriers don't carry them, but Apple should be able
| to sell you one.

  | gruez wrote:
  | > and ask for a "cdma-less" iphone
  |
  | Isn't that just a regular GSM phone? According to
  | https://www.techwalls.com/iphone-11-a2111-a2221-a2223-model-...
  | there are only 3 variants of the iPhone 11: the North American
  | variant (with CDMA support), the rest-of-the-world variant, and
  | a Chinese variant.

    | mandragon wrote:
    | Isn't LTE different than CDMA and GSM? A CDMA-less Verizon
    | iPhone would support LTE (4G) only.
    |
    | Good find, but worth checking if Apple can fulfill this
    | request for Americans.

| ComodoHacker wrote:
| It would be better if telcos and their equipment vendors
| implemented some protections. Like the ability to disable
| roaming (and deny any related SS7 requests) at the subscriber's
| request.

| anon9001 wrote:
| SS7 is challenging to find info about, so I'll ask here:
|
| How hard are these attacks to actually execute?
|
| * Can someone with an SDR and no credentials start an attack?
|
| * Do you need a femtocell registered with a carrier to attack
|   SS7?
|
| * Do you need to be a registered carrier to have the access
|   required to attack a user?
|
| The attacks described in the article assume the attacker is a
| nation-state, but is it possible for any random person with the
| right hardware to gain access to sensitive info via SS7?

  | rmetzler wrote:
  | There have been several talks recorded on SS7 at CCC over the
  | years. Here are two from 2014:
  |
  | - https://m.youtube.com/watch?v=-wu_pO5Z7Pk
  |
  | - https://m.youtube.com/watch?v=nRdJ0vaQt0o

  | anonymousiam wrote:
  | The attacks are trivially easy. You need almost nothing. These
  | are digital protocols on the wire, so a SIP trunk would give you
  | the same access as a cellular modem. An SDR would overly
  | complicate things. It's almost as if the SS7 protocol was
  | designed to support use by governments for collection and
  | cyber-warfare.

    | Zenst wrote:
    | SS7 is an old legacy standard that can be viewed in the same
    | vein as DNS and its associated legacy and subsequent
    | mitigations and improvements over the years. For more
    | perspective, 2G came along decades later and that had more
    | thought, why it used cutting-edge 56-bit encryption, which
    | today is akin to plain text.
    |
    | A nice read-up on SS7 here:
    | https://www.infopulse.com/blog/telecom-security-ss7-network-...
    | which also links to
    | https://www.gsma.com/security/wp-content/uploads/2019/03/GSM...
    | which fleshes out the picture even further.
    |
    | Remember that SS7 was invented in 1975, so if they designed
    | cyber warfare into it, I'd be impressed with that level of
    | planning.

      | anonymousiam wrote:
      | I did not mean to imply that there was a conscious effort
      | to enable cyber-warfare when developing the SS7 protocols.
      | What I meant was that it's so damn easy to do all of the
      | mischievous things needed for cyber, that it sure seems
      | like SS7 was made for that!

      | [deleted]

      | Zenst wrote:
      | If you look at anything from the 70s, very very few
      | stand the test of time security-wise, and the ethos of
      | security has become more mainstream at a technology level,
      | which sees today's technology surpass the wildest
      | dreams of technology back then. Making many attack
      | vectors non-viable to even state players back then,
      | consumer accessible today.
      |
      | Might be why I've grown to love and appreciate analogue
      | systems that just work.

    | saynoja wrote:
    | > The attacks are trivially easy. You need almost nothing.
    |
    | Nothing except a connection to the SS7 network, which is not
    | easy to get. You need to be a cellular operator, virtual
    | (MVNO) or real.

    | buildbuildbuild wrote:
    | > "a SIP trunk would give you the same access as a cellular
    | > modem"
    |
    | Can you please cite your source?
    |
    | I frequently hear that SS7 is "trivially easy" to exploit,
    | yet do not hear of how people get access to SS7 in the first
    | place.

      | aj3 wrote:
      | Why would you burn that sort of access when you can at the
      | very least resell it?
      |
      | - https://www.blackhat.com/presentations/bh-europe-07/Langlois/Presentation/bh-eu-07-langlois-ppt-apr19.pdf
      |
      | - https://0x00sec.org/t/into-the-wild-gaining-access-to-ss7-part-1-finding-an-access-point/12418

| kingnothing wrote:
| Australia is in Five Eyes, so it's reasonable to assume that
| Canada, US, UK, and NZ are also all involved.

  | rubatuga wrote:
  | Australia seems to be a testing ground for fucked up internet
  | policies.

  | ajcp wrote:
  | Given Australia is in the Five Eyes, I doubt it needs to get
  | this capability from a third-party provider. More reasonable to
  | assume that there is a maligned private actor in AUS. I don't
  | believe Circles' admission that they only do business with
  | nation-states one bit.

    | rurban wrote:
    | Indeed. In this case it points to Malaysia

| [deleted]

| 14 wrote:
| We have seen this vulnerability for years and nothing has been
| done to change it. Is it safe to say that is intentional?
| Obviously a valuable tool if you want to spy on your citizens.

  | LinuxBender wrote:
  | Do you mean the weakness of SS7? If so, the answer is, it would
  | be easier to entirely build a new telco network and new cities
  | than to overhaul the SS7 signalling network. I would have to
  | write a book to explain the complexities (technical,
  | bureaucratic, legal challenges). To sum up, SS7 will probably
  | be with us in its current state long after our great great
  | grand-children. It is best to just avoid using it if you can.
  | POTS lines and SMS text messages currently depend on it, but SMS
  | could be changed to use data only if all the wireless carriers
  | could agree to block SS7 for SMS or tear down their SMS
  | gateways. There would need to be an agreed-upon standard to
  | re-route all the SMS messages. Landline calls, mobile to
  | landline, and mobile carrier to mobile carrier will still use
  | SS7 for the foreseeable future and will always be vulnerable to
  | interception. Mobile devices would have to solve this with some
  | type of device validation, at least for mobile to mobile calls,
  | and home/business systems would need to implement that
  | validation.

    | helios_invictus wrote:
    | A great deal of technical patching could occur in SS7
    | based on lessons learned from the Internet. But the telcos
    | are strapped for resources and have interoperability
    | concerns, so this won't occur without a massive push by a
    | third party to support it. The idea of implementing something
    | like reverse-path forwarding on SS7 switches would, for
    | example, greatly cut down on robo-calling.

      | jlgaddis wrote:
      | > The idea of implementing something like reverse-path
      | > forwarding on SS7 switches would, for example, greatly
      | > cut down on robo-calling.
      |
      | SHAKEN & STIR [0] _should_ (hopefully!) eliminate most of
      | the issues which result from "spoofing" caller ID.
      |
      | From "Combating Spoofed Robocalls with Caller ID
      | Authentication" [1]:
      |
      | > _"[The FCC] adopted new rules requiring all originating
      | > and terminating voice service providers to implement caller
      | > ID authentication using STIR/SHAKEN technological standards
      | > in the Internet Protocol (IP) portions of their networks by
      | > June 30, 2021."_
      |
      | --
      |
      | [0]: https://en.wikipedia.org/wiki/STIR/SHAKEN
      |
      | [1]: https://www.fcc.gov/call-authentication

      | LinuxBender wrote:
      | That idea is great, but the SS7 network was never built to
      | even understand those concepts. Some of the equipment could
      | be updated, but a vast majority of systems would have to be
      | replaced. Getting telco companies to agree to things like
      | that is not even conceivable. It would take some
      | international political groups to push for it. Maybe I am
      | just jaded from my telco background, but even when an
      | entire telco company agrees to implement a change, it
      | rarely gets completed.

        | at-fates-hands wrote:
        | >> Some of the equipment could be updated, but a vast
        | >> majority of systems would have to be replaced.
        |
        | Just curious, would this mean digging up cable and other
        | stuff which would include parts of this system you're
        | referring to?

    | toast0 wrote:
    | SMPP sort of fills the need for a standard way to send SMS
    | between carriers. Although you still need to know which
    | carrier to send it to, and have a working connection to them.
    |
    | I think HD voice calls can't be made over SS7? So to the
    | extent that carriers interconnect for those (which isn't a
    | lot, but it's more than zero), that's a parallel system too.

| sneak wrote:
| See also:
|
| * Wifi lack of forward secrecy
|
| * SNI unencrypted
|
| * OCSP unencrypted
|
| * DNS unencrypted
|
| CloudFlare is banging the drum on at least two of these, and
| Chrome on another, and I think FS is now optional in the latest
| Wifi spec.

  | spacemanmatt wrote:
  | The pushback on ESNI was...telling

___________________________________________________________________
(page generated 2020-12-02 23:00 UTC)