29 votes

SS7: A mobile network operator protocol with scary vulnerabilities

14 comments

  1. [13]
    lou

    I was watching the video when I saw the post. I don't believe the title is alarming enough. This is not something only affecting localized technologies or networks, but rather a fundamental failure that is largely unavoidable and deeply entrenched into mobile networks everywhere.

    11 votes
    1. [10]
      pete_the_paper_boat

      Doesn't seem all that unavoidable, there are few legitimate reasons to be using SS7 and it's likely possible to turn off the majority of messages.

      Seems like the most useful thing about 2/3G is emergency services.

      3 votes
      1. [9]
        teaearlgraycold

        If I set my phone to only use 5G am I safe? In the video he says that part of the exploit is in tricking the network into thinking the victim is roaming. So it seems like you can be made insecure regardless of your personal choices.

        1 vote
        1. [8]
          secret_online

          I would hazard a guess and say no (i.e. this comment is based on speculation).

          If the attack hinges on the number on your SIM card, then as long as they have that number they can pretend to be you regardless of whether you are connected via 2G/3G. Some things might not work, like the location tracking or man-in-the-middle-ing a live call, but others, like intercepting 2FA codes sent via SMS, would still work as your provider would see the connection over SS7 as the most recent connection from you.

          So the way to protect yourself would be to use a SIM that your provider only accepts connections from using newer wireless protocols, but I don't know if such a thing even exists (nothing after a cursory search, but I didn't look deeply).

          4 votes
          1. [7]
            Greg

            your provider would see the connection over SS7 as the most recent connection from you

            This seems a really important point that I didn’t fully appreciate until you said it. I wonder if making roaming opt-in at the network level (not the device level) could help?

            Send a notification via the carrier’s app (across the internet, not the mobile network layer) for the user to explicitly authenticate that they’re on a different network, similar to the “is this really you?” credit card alerts, and deny the SS7 request if not authorised. The mentions of firewalls in the video suggest that sometimes denying SS7 requests is already standard, so it doesn’t seem like that’d break any deeply embedded systems. Maybe whitelist the last however many for convenience, apply a bit of sanity checking on location (no pings from New Zealand if there was an authorised ping from Nova Scotia two minutes ago), and it at least moves a lot of the trust back to your local carrier rather than SS7 as a whole.

            The biggest issue I see would be the catch-22 of receiving/responding to those app pings when by definition you can’t join the network in the country you’ve just landed in until you’ve authorised it - but if SS7 whitelisting were an option in my carrier’s settings I’d happily enable it and accept having to find WiFi before using my device elsewhere.

            Or, actually, more realistically I’d never need to whitelist anything because the amount they charge for roaming means I always just load up a data-only eSIM when travelling nowadays anyway…

            2 votes
            1. [4]
              Weldawadyathink

              That all seems pretty reasonable to me. Just have it opt in, like Apple’s lockdown mode.

              There is another very simple change that I thought of. It’s so simple that I hope it is just me misunderstanding the whole network. Just deny every request made by all MVNOs unless that IMSI was issued by that MVNO. If a carrier doesn’t have physical towers, all requests it makes, except for SIM cards it issues, are by definition fraudulent. With that simple change, you now have to infiltrate the network of an actual carrier instead of just whatever MVNO wants to sell access. This certainly won’t fix the problem, but it should make it significantly more difficult to perform this sort of attack.

              Edit: Also I agree that carriers should make it possible to disable out of country roaming entirely. When I vacationed to Europe, I wanted to do exactly what you do with a temporary eSIM. In theory, I could have still used my Verizon account for calls and texts through WiFi calling (which can work over a data-only SIM). But to prevent outrageous charges, I had to disable my Verizon SIM for the trip. To make matters worse, when you disable a SIM, Apple automatically removes it from iMessage. So iMessage to an email would still work in theory, but all of my group chats are set up to go to my cell number. So iMessage effectively broke until I reenabled my Verizon SIM. Thank god I was already planning to use WhatsApp. The only carrier I have seen that disables international roaming by default is Tello, which I use currently. They have a package that allows overseas roaming, but by default it doesn't have any. So I can leave that SIM enabled and use WiFi calling and SMS, and iMessage with that number.

              3 votes
              1. [3]
                Greg

                That also makes a lot of sense; it looks like the first few digits of the IMSI uniquely identify the operator, so checking whether the request is one of their issued SIMs could be done without any additional coordination between systems. The only potential stumbling block I can think of would be if real roaming requests are forwarded by an MVNO rather than the tower operator in the situation that a major national MVNO is the international partner of another carrier - but I won't claim to know close to enough about cellular routing to know whether that's even possible!

                Makes me wonder what signals the firewalls mentioned in the video are looking at to judge trustworthiness, actually. Clearly not enough, given the demonstrations there, but if they're in place already it gives me a bit of hope that adding stricter rules might not be too difficult.

                Thankfully the home networks where I am don't (aren't allowed to?) charge for incoming messages even when roaming, so from a cost perspective it's always been safe for me to leave the main SIM active (as long as I don't use it for anything outbound) and just disable data on it when travelling, but obviously that doesn't do much when it comes to network-level threats so I'd definitely appreciate the option to turn it off at their end as a stopgap now I know about this.

                1 vote
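The three checks proposed in the comments above (deny requests from an operator that has no towers unless the IMSI is one it issued, an opt-in allowlist of roaming partners, and a location sanity check like "no ping from New Zealand two minutes after Nova Scotia"), worked through as an added example. This is illustrative code written for this page, not code from the video, from any carrier, or from any real SS7 firewall. The operator table, PLMN codes, coordinates and IMSIs are constructed placeholders; the requesting network's PLMN is assumed to be available from the message's calling-party address, and each network is reduced to a single representative coordinate, which a real filter would replace with actual VLR/cell data.

```python
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt
from typing import Optional

# Constructed operator table (placeholder PLMN codes, not real assignments).
# Each PLMN (MCC + MNC) maps to the operator's name, whether it owns radio
# infrastructure, and one representative coordinate for its coverage area.
# The single point is a simplification; a real filter would use VLR/cell data.
OPERATORS = {
    "302500": dict(name="HomeNet", has_radio=True, lat=44.65, lon=-63.57),      # home network (Nova Scotia-ish)
    "530050": dict(name="KiwiMobile", has_radio=True, lat=-36.85, lon=174.76),  # roaming partner (New Zealand-ish)
    "23499":  dict(name="IslandTel", has_radio=True, lat=51.51, lon=-0.13),     # real network, not a partner (2-digit MNC)
    "302777": dict(name="VirtualCo", has_radio=False, lat=45.42, lon=-75.69),   # MVNO: sells service, owns no towers
}
HOME_PLMN = "302500"
MAX_SPEED_KMH = 1000.0  # faster than an airliner: treat as impossible travel


@dataclass
class UpdateLocation:
    """A visited network telling the home network 'this subscriber is attached to me'."""
    imsi: str
    requesting_plmn: str  # assumed to be taken from the message's calling-party address
    t: float              # seconds since epoch


@dataclass
class Verdict:
    allow: bool
    reason: str


def imsi_plmn(imsi: str) -> Optional[str]:
    """Issuing PLMN of an IMSI: 3-digit MCC plus a 2- or 3-digit MNC.
    MNC length depends on the MCC, so try the 3-digit form first."""
    for n in (6, 5):
        if imsi[:n] in OPERATORS:
            return imsi[:n]
    return None


def km_between(a: dict, b: dict) -> float:
    """Great-circle (haversine) distance between two operator table entries."""
    lat1, lon1, lat2, lon2 = map(radians, (a["lat"], a["lon"], b["lat"], b["lon"]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


class Ss7Filter:
    def __init__(self, partners: set):
        self.partners = partners  # PLMNs the home network has opted in to roaming with
        self.last = {}            # IMSI -> (PLMN, time) of the last accepted update

    def check(self, m: UpdateLocation) -> Verdict:
        req = OPERATORS.get(m.requesting_plmn)
        if req is None:
            return Verdict(False, "unknown requesting network")
        issuer = imsi_plmn(m.imsi)

        # Rule 1: an operator with no towers cannot have anyone attached to it,
        # so it may only ask about IMSIs it issued itself.
        if not req["has_radio"] and issuer != m.requesting_plmn:
            return Verdict(False, f"{req['name']} has no radio network and did not issue this IMSI")

        # Rule 2: only explicitly approved partners may claim our subscribers.
        if issuer == HOME_PLMN and m.requesting_plmn not in self.partners | {HOME_PLMN}:
            return Verdict(False, f"{req['name']} is not an approved roaming partner")

        # Rule 3: impossible-travel check against the last accepted location.
        prev = self.last.get(m.imsi)
        if prev is not None:
            prev_plmn, prev_t = prev
            if m.t < prev_t:
                return Verdict(False, "update is older than the last accepted one")
            hours = max((m.t - prev_t) / 3600.0, 1e-6)
            speed = km_between(OPERATORS[prev_plmn], req) / hours
            if speed > MAX_SPEED_KMH:
                return Verdict(False, f"implausible travel: {speed:,.0f} km/h since last update")

        self.last[m.imsi] = (m.requesting_plmn, m.t)
        return Verdict(True, "accepted")


def demo() -> list:
    """Run a constructed sequence of location updates through the filter."""
    f = Ss7Filter(partners={"530050"})
    sub = "302500123456789"  # constructed IMSI issued by the home network
    msgs = [
        UpdateLocation(sub, "302500", t=0),                            # at home: accepted
        UpdateLocation(sub, "302777", t=60),                           # MVNO claims our subscriber: denied (rule 1)
        UpdateLocation(sub, "530050", t=120),                          # NZ two minutes later: denied (rule 3)
        UpdateLocation(sub, "530050", t=20 * 3600),                    # NZ twenty hours later: accepted
        UpdateLocation("302777000000001", "302777", t=20 * 3600 + 1),  # MVNO's own subscriber: accepted
        UpdateLocation(sub, "23499", t=40 * 3600),                     # real network, not a partner: denied (rule 2)
    ]
    return [f.check(m) for m in msgs]


if __name__ == "__main__":
    for v in demo():
        print("ALLOW" if v.allow else "DENY ", v.reason)
```

The order of the rules matters: the velocity check only updates its state on an accepted message, so a denied request from an MVNO or a non-partner never "moves" the subscriber and cannot be used to set up a later, plausible-looking hop. The partner allowlist is also what a per-user "roaming opt-in" notification would toggle; here it is just a set the filter is constructed with.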
                1. [2]
                  Ris

                  One thing that I am wondering about (assuming that I am understanding this correctly, which I could very well not be) is if it would disable connections to other domestic networks, causing you to no longer communicate with people on another carrier. For example Verizon to AT&T. Since they are technically "out of network" do they not use SS7 to communicate anyway?

                  1 vote
                  1. Greg

                    We're rapidly heading towards the edge of my own knowledge here, but as I understand it the threat is part of the system that allows your device to connect itself to infrastructure owned by other carriers, rather than to communicate with other people's devices connected to those carriers.

                    It's the ability for roaming networks to act on your behalf when your device is in physical range of them that's being exploited, by tricking them into saying they're acting on your behalf even when you're not connected to them, so even blocking that part completely shouldn't affect your ability to send normal transmission data in and out of those same networks.

                    This could well still affect domestic use if you disabled everything but first-party connections - my understanding is that "roaming" exists between some carriers in the same countries as reciprocal agreements to increase coverage for both - but that's a lot easier to keep to a single-digit whitelist given the operators know who they have direct partnerships with, and (ideally) know they're bound by the same laws and data security standards.

                    1 vote
            2. [2]
              Ris

              This seems a really important point that I didn’t fully appreciate until you said it. I wonder if making roaming opt-in at the network level (not the device level) could help?

              Would disabling roaming at the device level help with any of this? I mean it wouldn't disable it at the network level, so the spoofing part would obviously not be affected, but maybe some of the other attacks like geolocation no longer work since the device would not need to relay that information causing the attack to fail? Or maybe it wouldn't do anything because the attacks are not dependent on the device itself but rather the service. If that is the case then maybe it would even make it worse to disable on the device level somehow.

              1 vote
              1. Greg

                That's a really good question! I was very focused on the spoofing attacks, those seemed a lot more worrying to me for most people's use cases, but obviously the example they gave of the consequences of a geolocation attack when that did matter was pretty compelling.

                I won't claim to know for sure, but I'd suspect there's still some attack surface there because the phone will likely be communicating with the towers in a basic way in order to discover whether it's a home network tower or a roaming one. That's not a strict technical necessity - it's feasible that the towers could broadcast their network's unique identifier continuously and the phone could just maintain radio silence until it hears an ID it's authorised to connect to - but the way these systems are used in real day-to-day life plus the fact we're talking about a trust-based legacy protocol here suggest to me that it won't actually be done that way.

                1 vote
    2. [2]
      Ris

      It is honestly terrifying how little privacy and security we actually have in this age of technology.

      2 votes
      1. Omnicrola

        It's an emergent property of a technological system built by apes who largely depend on the social convention of everyone usually not being an asshole. And if they are an asshole, it's usually a small thing or a temporary thing. But all it takes is one psychopath to exploit those systems.

        2 votes
  2. Ris

    This was a very good and informative watch about how the SS7 protocol has some pretty big vulnerabilities that have yet to be patched.

    9 votes