Source: securityboulevard.com – Author: Richi Jennings
The Federal Communications Commission is finally minded to address decades-old vulnerabilities.
Dusty, moldy, prehistoric protocols from the 1980s and ’90s still underpin our phone networks. Full of security holes, they allow scrotes to track our locations—whether mobile or wired (ask your parents). The FCC is asking the industry to do something about it.
We’ve known about the problems since the mid-1990s. In today’s SB Blogwatch, we ask, “Why now?”
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Steamed Hams, but it’s Netflix.
Fast Enough for Government Work
What’s the craic? Suzanne Smalley reports, FCC to probe ‘grave’ weaknesses in phone network infrastructure:
“Critical role”
The … FCC says it is taking action to address significant weaknesses in telecommunications networks that can enable cybercrime and spying. The agency is investigating how vulnerabilities in the protocols Signaling System No. 7 (SS7) and Diameter … allow breaches, particularly by revealing consumers’ locations to malicious hackers and spies.
…
The commission’s Public Safety and Homeland Security Bureau is spearheading the effort. The FCC said … SS7 and Diameter play a “critical role” in U.S. telecommunications infrastructure [and] it wants to ensure the protocols’ vulnerabilities can’t allow hackers to “track” consumers’ locations.
Horse’s mouth? Rebecca Clinton and friends from the FCC’s Public Safety and Homeland Security Bureau: Requests Comment on Implementation of Measures to Prevent Location Tracking
“Security countermeasures”
Over the last several years, numerous reports have called attention to security vulnerabilities present within SS7 networks and suggest that attackers target SS7 to obtain subscribers’ location information. … The Diameter protocol provides the same services as SS7 and as a result presents similar vulnerabilities. [The] protocols are still the foundation for mobile telephone networks, especially for roaming capabilities.
…
The Bureau finds it is important to more specifically examine the area of location tracking. To that end, the Bureau seeks renewed public comment, including from communications service providers, … on the implementation and effectiveness of security countermeasures … with respect to location tracking.
Wait. Pause. “Over the last several years”? I feel like we’ve been talking about this for decades. Why now? A few weeks ago, Ryan Gallagher wrote, Senator Demands Overhaul of Telecom Security:
“Trick the phone network”
Foreign governments are abusing security flaws in mobile phone networks to secretly track Americans in the US and journalists and dissidents abroad, Senator Ron Wyden has warned. In a letter sent to President Joe Biden … Wyden [D-OR] is urging the White House to counter the threat by supporting a major overhaul of cybersecurity standards.
…
At the center of the senator’s concern is an obscure telecom protocol called SS7, [which] is used to route communications between phone networks. SS7 contains known security vulnerabilities that governments and private surveillance companies have exploited. … It can be used to trick the phone network itself into handing over communications or location information from a particular phone. Multiple companies are now providing foreign governments with these “phone company hacking services,” according to Wyden, [who] accuses CISA of “actively hiding information” about the problem.
Why didn’t the standards bodies do something? This Anonymous Coward has a long memory:
Back [in] 1994/95, … I was working on a system to monitor and manage SS7 networks. [We] discovered holes in the SS7 protocol.
…
The ITU didn’t want to know, so we shut up and mostly went to work in other industries. It was a disaster waiting to happen once PC CPU speeds [improved]. Then the latency of the SS7 network could be exploited by a hacker to inject packets and even shut down a link.
These days it is a lot easier.
Easy? Really, though? What’s the problem? ronsor neatly boils it down:
There are insecure SS7 nodes exposed to the Internet. I’ve seen them before.
Yikes. The FCC had better fix it—and fast. satsuke calls that a “tall order”:
I was an SS7 network engineer for 20 years. The problem will take much [more] than a few federal inquiries, because SS7 was built with almost no security. … In the 1970s, the only organizations that could talk on an SS7 network were other SS7 providers—namely large telcos and some businesses.
…
Diameter is better … but it’s still largely unencrypted. … There’s functionally no barrier to entry and telcos are obliged to interconnect on a non-preferential basis to prevent the fracturing of the telephone system (e.g., if Verizon decided to not interconnect a competitor’s customers).
Sounds like a tricky problem. Kevin McMurtrie draws comparisons with 5G/NR:
Faster — yes!
mmWave crazy fast — yes!
Edge compute power — OK, sure!
AI, robots, WFH surgeons — why not?
Unicorns — better believe it!
Fix legacy telco security — whoa, let’s be realistic.
Meanwhile, sounding slightly cynical, M0nkge thinks it’s “not needed anymore”:
This same flaw exists in foreign networks. Now that the US Intel agencies have a workaround, they gave the OK to fix it.
And Finally:
No, Mother. It’s Just the Northern Lights
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: Mike Meyers (via Unsplash; leveled and cropped)
Recent Articles By Author
Original Post URL: https://securityboulevard.com/2024/04/fcc-ss7-diameter-richixbw-2/
Category & Tags: Analytics & Intelligence,API Security,AppSec,Cloud Security,Cyberlaw,Cybersecurity,Data Privacy,Data Security,Deep Fake and Other Social Engineering Tactics,DevOps,DevSecOps,Digital Transformation,Editorial Calendar,Endpoint,Featured,Governance, Risk & Compliance,Humor,Identity & Access,Identity and Access Management,Incident Response,Industry Spotlight,Insider Threats,IOT,IoT & ICS Security,Mobile Security,Most Read This Week,Network Security,News,Popular Post,Regulatory Compliance,Securing Open Source,Securing the Cloud,Securing the Edge,Security at the Edge,Security Awareness,Security Boulevard (Original),Security Challenges and Opportunities of Remote Work,Security Operations,Social – Facebook,Social – LinkedIn,Social – X,Social Engineering,Software Supply Chain Security,Spotlight,Threat Intelligence,Threats & Breaches,Vulnerabilities,Zero-Trust,Big Telecom,carrier,Carriers,Diameter,digital telecom,fcc,FCC Failures,FCC Follies,FCC privacy rules,Federal Communications Commission,Federal Government,Location,location access risks,location data,Location data privacy,location history,location intelligence,location privacy,location sharing location tracking,location tracking,mobile carrier,mobile carrier vulnerability,Mobile carriers,Mobile Location Tracking,Mobile Tracking,Phone Carrier,RADIUS,roaming,Ron Wyden,SB Blogwatch,Sen. Ron Wyden,Smartphone Location Tracking,ss7,telco,Telecom,Telecom Cybersecurity,Telecom Industry,Telecom Industry Vulnerabilities,telecommunications,Telecommunications Security,telephone,telephones,U.S. Federal Communications Commission,wireless carrier – Analytics & Intelligence,API Security,AppSec,Cloud Security,Cyberlaw,Cybersecurity,Data Privacy,Data Security,Deep Fake and Other Social Engineering Tactics,DevOps,DevSecOps,Digital Transformation,Editorial Calendar,Endpoint,Featured,Governance, Risk & Compliance,Humor,Identity & Access,Identity and Access Management,Incident Response,Industry Spotlight,Insider Threats,IOT,IoT & ICS Security,Mobile Security,Most Read This Week,Network Security,News,Popular Post,Regulatory Compliance,Securing Open Source,Securing the Cloud,Securing the Edge,Security at the Edge,Security Awareness,Security Boulevard (Original),Security Challenges and Opportunities of Remote Work,Security Operations,Social – Facebook,Social – LinkedIn,Social – X,Social Engineering,Software Supply Chain Security,Spotlight,Threat Intelligence,Threats & Breaches,Vulnerabilities,Zero-Trust,Big Telecom,carrier,Carriers,Diameter,digital telecom,fcc,FCC Failures,FCC Follies,FCC privacy rules,Federal Communications Commission,Federal Government,Location,location access risks,location data,Location data privacy,location history,location intelligence,location privacy,location sharing location tracking,location tracking,mobile carrier,mobile carrier vulnerability,Mobile carriers,Mobile Location Tracking,Mobile Tracking,Phone Carrier,RADIUS,roaming,Ron Wyden,SB Blogwatch,Sen. Ron Wyden,Smartphone Location Tracking,ss7,telco,Telecom,Telecom Cybersecurity,Telecom Industry,Telecom Industry Vulnerabilities,telecommunications,Telecommunications Security,telephone,telephones,U.S. Federal Communications Commission,wireless carrier
