New Report Again Shows Global Telecom Networks Aren't Remotely Secure
from the maybe-we-should-fix-that dept
Last year, when everybody was freaking out over TikTok, we noted that TikTok was likely the least of the internet's security and privacy issues. In part because TikTok wasn't doing anything that wasn't being done by thousands of other app makers, telecoms, data brokers, or adtech companies in a country that can't be bothered to pass even a basic privacy law for the internet era. If we're serious about security and privacy solutions, we need to take a much broader view.
For example, while countless people freaked out about TikTok, none of those same folks seem bothered by the parade of nasty vulnerabilities in the nation's telecom networks, whether we're talking about the SS7 flaw that lets governments and bad actors spy on wireless users around the planet or the constant drumbeat of location data scandals that keep revealing how your granular location data is being sold to any nitwit with a nickel. Or the largely nonexistent privacy and security standards in the internet of broken things. Or the dodgy security in our satellite communications networks.
This week, Crowdstrike drove this myopia home again with a new report showcasing how Chinese hackers have compromised global telecom networks for years. The security firm found that since 2016 or so, a (likely Chinese state backed) hacking organization dubbed "LightBasin" or "UNC1945" targeted global telecom companies and was able to compromise 13 of them since 2019. First accessing an eDNS server through an SSH connection from the network of another compromised company, the hackers were able to obtain a trove of telecom data including subscriber information, call metadata, text messages and more, helping them develop a wide collection of snooping tricks:
"The report lays out how this group has developed highly customized tools and a precise working knowledge of global telecommunications network architectures such that it can emulate network protocols to allow scanning and “to retrieve highly specific information from mobile communication infrastructure.” The nature of the data targeted “aligns with information likely to be of significant interest to signals intelligence operations."
Of course this comes on the heels of a steady parade of other telecom security scandals, ranging from the SS7 flaw we still haven't fully fixed (opening the door to covert surveillance), revelations that most satellite networks have the security of damp cardboard, and recent reports of a company that handles billions of global text messages from carriers all over the world was compromised for years before anybody knew anything about it. Most of these reports come and go quietly without even a tiny fraction of the hysteria we saw aimed at TikTok.
Speaking to the press, Crowdstrike researchers were quick to point out that freaking out about malware and apps doesn't mean much if the underlying telecom infrastructure is compromised (and it very much is):
"People leverage their cellphones like they’re magic,” said Adam Meyers, CrowdStrike’s senior vice president of intelligence. “They don’t think about the fact that there’s this whole infrastructure that makes it work … and that infrastructure is not something that you can take for granted."..."They don’t need to deploy the malware onto your phone if they’re owning the network that your phone is riding on,” he said.
Granted much like everyday infrastructure issues like bridge repair, shoring up overall internet network security isn't a sexy topic that sees much traction. Unless you're a U.S. company lobbyist leveraging Xenophobia to your competitive and political tactical advantage (see the sometimes narrow hysteria surrounding 5G), much of this stuff doesn't see anywhere near the attention it deserves in a press and policy discourse that often couldn't care less.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: privacy, security, ss7, telco equipment, telcos, telecom networks
Companies: crowdstrike
Reader Comments
Subscribe: RSS
View by: Time | Thread
That's really not true. A lot that happens on smartphones isn't visible to the network operators. Facebook encrypts everything, for example (not because they want to protect your privacy—just to ensure nobody else can free-ride on their invasions of it). Indeed, the whole purpose of the now-ubiquitous HTTPS encryption was to enable security on a presumed-compromised network. Attackers will still gain useful information, like where people are and what they're connecting to; and, with the telephone networks, the contents of phonecalls and texts (and if you're running any software from them, that could be bad... but I think Apple at least don't allow such crapware).
There is a proposal called Pretty Good Phone Privacy that "protects users from fake cell phone towers (IMSI-catchers) and surveillance by cell providers" (but, for now, doesn't support voice or SMS, and does require specific telco support—though apparently an MVNO could do it). If the infrastructure provider couldn't locate specific people, that would make it a hell of a lot harder for an attacker to target them.
[ link to this | view in chronology ]
BUT, BUT, the Former POTUS
He started the screaming about TikTok. Which was just a magician's trick of look over here where I want you to look. Do NOT look at the HUGE problems over there where my telecom buddies are not fixing any of their privacy problems in the global telecom infrastructure.
[ link to this | view in chronology ]
To much history
To take the old building of the internet, and overlap it with HTML, and 6-7 other formats, and then Think all this stuff is secure?
Who wants to pay to reinvent all the protocols and building of the internet.
Wow, we could create tracing of emails, we could track every person that does anything. But no, we cant do that. IT WOULD COST MONEY.
[ link to this | view in chronology ]
We do throttling and data caps, we don't have time for all that other network management. [Whoever has that person as a customer, throttle them just for mentioning it.]
-telecom industry
[ link to this | view in chronology ]