[Cryptography] "60 Minutes" hacks Congressman's phone

Jerry Leichter leichter at lrw.com
Sat May 21 07:00:51 EDT 2016


>> http://www.cbsnews.com/news/60-minutes-hacking-your-phone/
> [big snip]
>> Rep. Ted Lieu: You cannot have 300-some million Americans-- and really, right, the global citizenry be at risk of having their phone conversations
>> intercepted with a known flaw, simply because some intelligence agencies might get some data.  That is not acceptable.
> 
> If these are the same SS7 vulnerabilities that were widely discussed
> in the WP (e.g.,
> https://www.washingtonpost.com/news/the-switch/wp/2014/12/18/german-researchers-discover-a-flaw-that-could-let-anyone-listen-to-your-cell-calls-and-read-your-texts/)
> and other new media outlets in Dec 2014 (and it certainly sounds like
> it) then the
> only explanation is that the intelligence community are responsible
> for their still
> not being fixed....
Hardly.  While I don't doubt the intelligence community provides a word in the ear here and there, the fundamental problem here is much more deep-seated.  The telcos and their systems were built in an age of mutual trust - well-placed or otherwise.  Before SS7, all switching was based on in-band signaling:  Various tones transmitted over the same lines as voice.  That's why the Black and Red Boxes of the late 1960's/early 1970's could be built:  There were tones you could send on a phone line that gave you direct control over the switching equipment.  "No one would do that" ... until they did.

Before that, everything was controlled by human beings (operators) - mainly over the same lines.  If you knew the right lingo, you could fool operators into treating you as a telco employee, letting you manipulate all kinds of stuff.  "No one would do that".

SS7 solved the in-band signaling problem by moving the signaling out of band.  Nothing you sent on the line went to the switching equipment.  Hook into the network used by SS7, though, and you were completely trusted.  After all - who could hook into those lines?  Just the telcos - initially AT&T and a few small companies in the US, and government-run PTTs in the rest of the world.  "NOBUS" in a different sense.  We're all friends here; we trust each other.

Retrofitting SS7 with a system that's not based on trust would be a huge undertaking - but even that pales compared to the organizational changes needed.  The telcos world-wide work as a fairly closed community.  They would have to move to a system of mutual distrust and verification.

Another place you can see this issue is in some of the billing abuses that the system has historically been rife with.  In the US, you can switch LD carriers. As initially set up, your new carrier told your old one that you had switched - and by law, they had to allow the switch to take place.  After all, all LD carriers are trustworthy and wouldn't take over an account without permission.  Mutual trust, NOBUS.  Similar things happened with third-party LD charges.

The telcos are hardly alone here.  Once you're accepted as a bank - anywhere in the world, vetted by any local government - you've historically had insider access to the entire banking system.  After all, one bank wouldn't abuse another's trust, right?

Our world was built on these kinds of trust relationships.  The diamond trade is an example where this is very explicit.  Before you can be accepted into the community, your picture is circulated to and posted very visibly at all the major trading floors for some period of time.  If anyone recognizes your picture as that of someone they don't trust, you won't be accepted.  Once you're in, you're in - deals for millions in diamonds are made with the shake of a hand.  Abuse that trust and you're tossed out of the community.  The word is spread very quickly; the community isn't that large.  Here you clearly see the extension into an institution of the way individuals maintain their trust relationships.

Of course, the entire Internet was built on similar ideas.  Enter the IS-IS network and grab nearby packets for yourself.  Get accepted as a BGP speaker and grab packets on a world-wide scale.

Today's institutions work at scales and at speeds way beyond human abilities to judge trust.  Global interconnectivity has removed the need for physical presence to carry out many attacks.  And attackers have become much more technologically sophisticated.

Changing what is often a century or more of design and practice is difficult and will take a long time, even given the best of intentions and the strongest motivations.  In fact, many of these institutions will never change.  Instead, solutions will get built "over the top".  Do end-to-end encryption - realistic for phone conversations on a mass scale only in the last decade - and leakage of phone conversations by the SS7-based network becomes irrelevant.  (Notice, BTW, that the cellphone network encrypts - for better or worse - *between cell and base station*.  Once it's on a landline ... it's NOBUS, "our lines are secure".  And people believe this stuff:  There's a quote at the end of the WaPo article in which someone says he won't trust his cellphone any more; for confidential stuff he'll use a landline.  Right.)  Metadata is much harder because that's the stuff SS7 is saying *to itself*.  Tor is an over-the-top solution for metadata on the Internet, but it's probably not the right solution for phone conversations.  And the location information is entirely between your phone and the SS7 infrastructure - it's not clear that any over-the-top solution is possible.  And ... if you eliminate the notion that all telcos trust each other to exchange location information, how do you do roaming?  (You can get that effect for non-real-time communication using "dead drops", but real-time is much harder.)

Very difficult problems.  A golden age for the intelligence guys, and they only have to tap into it, not get it designed for them.
                                                        -- Jerry