[HN Gopher] Cyberespionage Using SS7 via Circles
       ___________________________________________________________________
        
       Cyberespionage Using SS7 via Circles
        
       Author : sroussey
       Score  : 143 points
       Date   : 2020-12-02 17:15 UTC (5 hours ago)
        
 (HTM) web link (citizenlab.ca)
 (TXT) w3m dump (citizenlab.ca)
        
       | __jf__ wrote:
       | "Using Internet scanning, we found a unique signature associated
       | with the hostnames of Check Point firewalls used in Circles
       | deployments. This scanning enabled us to identify Circles
       | deployments in at least 25 countries."
       | 
       | Nice OSINT find!
        
       | nbzso wrote:
       | "Given that the company deals with wiretapping in the service of
       | criminals and dictatorial regimes and is probably indirectly
       | responsible for the deaths of many people, discriminatory
       | treatment of employees and candidates is a petty crime. Don't
        | bother if you're a normal person." This is a Google-translated
        | reaction on a Bulgarian website rating workplaces. In other
        | comments it is obvious that the 3500 EUR salary is tied to
        | working in undefined and risky situations.
       | 
       | https://bgrabotodatel.com/company/10131?__cf_chl_jschl_tk__=...
        
         | nbzso wrote:
          | Interesting comment from a Circles Bulgaria Ltd worker from 2019.
         | "The last opinions are very old, so I decided to write how
         | things really are in the company. For now, everything is pretty
         | good, especially after the management has changed almost
         | completely. They take very good care of their people, and the
         | only downside is the lack of a home office, but this is not
         | felt. I don't know another company, or at least I think there
         | are very few that take care of their people like that. The
         | atmosphere is very positive and relaxed, and the projects we
         | are working on are unique, once in a lifetime. Don't pay any
         | attention to the grumblers, there will always be some. The
         | information about the projects on the Internet is very small,
         | but believe me, there is no place to touch such work."
        
       | noja wrote:
       | Context:
       | https://en.wikipedia.org/wiki/Signalling_System_No._7#Protoc...
        
       | sroussey wrote:
       | It would be great if Apple and Google had a setting to disable 2G
       | and 3G at the very least.
        
         | sudosysgen wrote:
         | My phone does it.
         | 
         | You have to enter this code in the dialer:
         | *#*#4636#*#*
         | 
         | After which you can navigate to "Phone Information" and decide
         | which networks to use.
         | 
         | For example, if you select "LTE Only", then the phone will not
         | connect to 2G/3G networks, and instead show that there is no
         | signal.
         | 
         | This works for most Android phones.
        
           | angott wrote:
           | This will break phone calls if your carrier does not support
           | Voice over LTE (VoLTE), as the device will be unable to
           | switch over to 3G to handle incoming/outgoing calls.
        
             | sudosysgen wrote:
             | Yes. That's a necessary side effect of disabling 2G/3G. If
             | that's an issue, you can either only disable 2G, or switch
             | to a carrier that supports VoLTE.
        
           | phh wrote:
           | Yup this should work on most Android smartphones.
        
           | odiroot wrote:
           | There's like 20 options there. Do you know how to just
           | disable 2G (keep LTE/3G enabled)?
        
         | dragonwriter wrote:
         | > It would be great if Apple and Google had a setting to
         | disable 2G and 3G at the very least.
         | 
          | I don't know if it's a Google, Samsung, or AT&T feature, but my
         | Android has a default-off setting to _enable_ 2G service.
         | Nothing on 3G though.
        
           | mic_ozar wrote:
            | Which Android phone model?
        
             | dragonwriter wrote:
             | S10+
        
         | baybal2 wrote:
          | It will not make much difference if your phone company doesn't
          | do the same and stop accepting roaming requests from rogue
          | countries.
         | 
         | Somebody should also punch Google in the face for building in
          | an "espionage API" into Android: reading the SIM card serial,
          | IMSI, and IMEI without even a notice. I doubt the thriving
          | market of SS7 interceptions would be anywhere if not for Android
          | creating a market for such data.
        
           | slim wrote:
            | Maybe we could build Android without it?
        
         | mandragon wrote:
          | Go to the Apple Store and ask for a "CDMA-less" iPhone.
          | 
          | Got this trick from a Verizon engineer after complaining about
          | such risks. Carriers don't carry them but Apple should be able
          | to sell you one.
        
           | gruez wrote:
            | > and ask for a "CDMA-less" iPhone
            | 
            | Isn't that just a regular GSM phone? According to https://www
            | .techwalls.com/iphone-11-a2111-a2221-a2223-model-... there are
            | only 3 variants of the iPhone 11: the North American variant
            | (with CDMA support), the rest-of-the-world variant, and a
            | Chinese variant.
        
             | mandragon wrote:
             | Isn't LTE different than CDMA and GSM? A CDMA-less Verizon
             | iPhone would support LTE (4g) only.
             | 
             | Good find, but worth checking if Apple can fulfill this
             | request for Americans.
        
         | ComodoHacker wrote:
         | It would be better if telcos and their equipment vendors
         | implemented some protections. Like the ability to disable
         | roaming (and deny any related SS7 requests) at subscriber's
         | request.
        
       | anon9001 wrote:
       | SS7 is challenging to find info about, so I'll ask here:
       | 
       | How hard are these attacks to actually execute?
       | 
       | * Can someone with an SDR and no credentials start an attack?
       | 
       | * Do you need a femtocell registered with a carrier to attack
       | SS7?
       | 
       | * Do you need to be a registered carrier to have the access
       | required to attack a user?
       | 
       | The attacks described in the article assume the attacker is a
       | nation-state, but is it possible for any random person with the
       | right hardware to gain access to sensitive info via SS7?
        
         | rmetzler wrote:
         | There have been several talks recorded on SS7 at CCC over the
         | years. Here are two from 2014:
         | 
         | - https://m.youtube.com/watch?v=-wu_pO5Z7Pk
         | 
         | - https://m.youtube.com/watch?v=nRdJ0vaQt0o
        
         | anonymousiam wrote:
         | The attacks are trivially easy. You need almost nothing. These
         | are digital protocols on the wire so a SIP trunk would give you
         | the same access as a cellular modem. An SDR would overly
         | complicate things. It's almost as if the SS7 protocol was
         | designed to support use by governments for collection and
         | cyber-warfare.
        
           | Zenst wrote:
            | SS7 is an old legacy standard that can be viewed in the same
            | vein as DNS and its associated legacy and subsequent
            | mitigations and improvements over the years. For more
            | perspective, 2G came along decades later and had more
            | thought put into it, which is why it used cutting-edge 56-bit
            | encryption, which today is akin to plain text.
           | 
            | A nice read-up on SS7 here:
           | https://www.infopulse.com/blog/telecom-security-
           | ss7-network-... which also links to
           | https://www.gsma.com/security/wp-
           | content/uploads/2019/03/GSM... which fleshes out the picture
           | even further.
           | 
           | Remember that SS7 was invented in 1975, so if they designed
           | cyber warfare into it, I'd be impressed with that level of
           | planning.
        
             | anonymousiam wrote:
             | I did not mean to imply that there was a conscious effort
             | to enable cyber-warfare when developing the SS7 protocols.
             | What I meant was that it's so damn easy to do all of the
             | mischievous things needed for cyber, that it sure seems
             | like SS7 was made for that!
        
               | [deleted]
        
               | Zenst wrote:
                | If you look at anything from the 70's, very, very few
                | stand the test of time security-wise. The ethos of
                | security has become more mainstream at a technology
                | level, and today's technology has surpassed the wildest
                | dreams of technology back then, making many attack
                | vectors that were non-viable even to state players back
                | then consumer-accessible today.
               | 
               | Might be why I've grown to love and appreciate analogue
               | systems that just work.
        
           | saynoja wrote:
           | > The attacks are trivially easy. You need almost nothing.
           | 
           | Nothing except a connection to the SS7 network, which is not
           | easy to get. You need to be a cellular operator, virtual
           | (MVNO) or real.
        
           | buildbuildbuild wrote:
           | > "a SIP trunk would give you the same access as a cellular
           | modem"
           | 
           | Can you please cite your source?
           | 
           | I frequently hear that SS7 is "trivially easy" to exploit,
           | yet do not hear of how people get access to SS7 in the first
           | place.
        
             | aj3 wrote:
              | Why would you burn that sort of access when you can at the
              | very least resell it?
              | 
              | - https://www.blackhat.com/presentations/bh-europe-07/Langlois/Presentation/bh-eu-07-langlois-ppt-apr19.pdf
              | 
              | - https://0x00sec.org/t/into-the-wild-gaining-access-to-ss7-part-1-finding-an-access-point/12418
        
       | kingnothing wrote:
       | Australia is in Five Eyes, so it's reasonable to assume that
       | Canada, US, UK, and NZ are also all involved.
        
         | rubatuga wrote:
         | Australia seems to be a testing ground for fucked up internet
         | policies.
        
         | ajcp wrote:
         | Given Australia is in the Five Eyes I doubt it needs to get
         | this capability from a third-party provider. More reasonable to
         | assume that there is a maligned private actor in AUS. I don't
          | believe Circles' admission that they only do business with
          | nation-states one bit.
        
           | rurban wrote:
            | Indeed. In this case it points to Malaysia.
        
         | [deleted]
        
       | 14 wrote:
       | We have seen this vulnerability for years and nothing has been
       | done to change it. Is it safe to say that is intentional?
        | Obviously a valuable tool if you want to spy on your citizens.
        
         | LinuxBender wrote:
         | Do you mean the weakness of SS7? If so, the answer is, it would
         | be easier to entirely build a new telco network and new cities
         | than to overhaul the SS7 signalling network. I would have to
         | write a book to explain the complexities (technical,
         | bureaucratic, legal challenges). To sum up, SS7 will probably
          | be with us in its current state long after our
          | great-great-grandchildren. It is best to just avoid using it if
          | you can. POTS lines and SMS text messages currently depend on
          | it, but SMS
         | could be changed to use data only if all the wireless carriers
         | could agree to block SS7 for SMS or tear down their SMS
         | gateways. There would need to be an agreed upon standard to re-
         | route all the SMS messages. Landline calls and mobile to
         | landline and mobile carrier to mobile carrier will still use
         | SS7 for the foreseeable future and will always be vulnerable to
         | interception. Mobile devices would have to solve this with some
         | type of device validation, at least for mobile to mobile calls
         | and home/business systems would need to implement that
         | validation.
        
           | helios_invictus wrote:
            | A great deal of technical patching could occur in SS7 based
            | on lessons learned from the Internet. But the telcos are
            | strapped for resources, and interoperability concerns mean
            | that this won't occur without a massive push by a third party
            | to support it. The idea of implementing something like
            | reverse-path forwarding on SS7 switches would, for example,
            | greatly cut down on robo-calling.
        
             | jlgaddis wrote:
              | > The idea of implementing something like reverse-path
              | forwarding on SS7 switches would, for example, greatly cut
              | down on robo-calling.
             | 
              | SHAKEN & STIR [0] _should_ (hopefully!) eliminate most of
              | the issues which result from "spoofing" caller ID.
             | 
             | From "Combating Spoofed Robocalls with Caller ID
             | Authentication" [1]:
             | 
             | > _" [The FCC] adopted new rules requiring all originating
             | and terminating voice service providers to implement caller
             | ID authentication using STIR/SHAKEN technological standards
             | in the Internet Protocol (IP) portions of their networks by
             | June 30, 2021."_
             | 
             | --
             | 
             | [0]: https://en.wikipedia.org/wiki/STIR/SHAKEN
             | 
             | [1]: https://www.fcc.gov/call-authentication
        
             | LinuxBender wrote:
             | That idea is great, but the SS7 network was never built to
             | even understand those concepts. Some of the equipment could
             | be updated, but a vast majority of systems would have to be
             | replaced. Getting telco companies to agree to things like
             | that is not even conceivable. It would take some
             | international political groups to push for it. Maybe I am
             | just jaded from my telco background, but even when an
             | entire telco company agrees to implement a change, it
             | rarely gets completed.
        
               | at-fates-hands wrote:
               | >> Some of the equipment could be updated, but a vast
               | majority of systems would have to be replaced.
               | 
               | Just curious, would this mean digging up cable and other
               | stuff which would include parts of this system you're
               | referring to?
        
           | toast0 wrote:
           | SMPP sort of fills the need for a standard way to send SMS
           | between carriers. Although you still need to know which
           | carrier to send it to, and have a working connection to them.
           | 
           | I think HD voice calls can't be made over SS7? So to the
           | extent that carriers interconnect for those (which isn't a
           | lot, but it's more than zero), that's a parallel system too.
        
         | sneak wrote:
         | See also:
         | 
         | * Wifi lack of forward secrecy
         | 
         | * SNI unencrypted
         | 
         | * OCSP unencrypted
         | 
         | * DNS unencrypted
         | 
         | CloudFlare is banging the drum on at least two of these, and
         | Chrome on another, and I think FS is now optional in the latest
         | Wifi spec.
        
           | spacemanmatt wrote:
            | The pushback on ESNI was... telling.
        
       ___________________________________________________________________
       (page generated 2020-12-02 23:00 UTC)