New Report Again Shows Global Telecom Networks Aren't Remotely Secure

from the maybe-we-should-fix-that dept

Last year, when everybody was freaking out over TikTok, we noted that TikTok was likely the least of the internet’s security and privacy issues. In part because TikTok wasn’t doing anything that wasn’t being done by thousands of other app makers, telecoms, data brokers, or adtech companies in a country that can’t be bothered to pass even a basic privacy law for the internet era. If we’re serious about security and privacy solutions, we need to take a much broader view.

For example, while countless people freaked out about TikTok, none of those same folks seem bothered by the parade of nasty vulnerabilities in the nation’s telecom networks, whether we’re talking about the SS7 flaw that lets governments and bad actors spy on wireless users around the planet or the constant drumbeat of location data scandals that keep revealing how your granular location data is being sold to any nitwit with a nickel. Or the largely nonexistent privacy and security standards in the internet of broken things. Or the dodgy security in our satellite communications networks.

This week, Crowdstrike drove this myopia home again with a new report showcasing how Chinese hackers have compromised global telecom networks for years. The security firm found that since 2016 or so, a (likely Chinese state backed) hacking organization dubbed “LightBasin” or “UNC1945” targeted global telecom companies and was able to compromise 13 of them since 2019. First accessing an eDNS server through an SSH connection from the network of another compromised company, the hackers were able to obtain a trove of telecom data including subscriber information, call metadata, text messages and more, helping them develop a wide collection of snooping tricks:

“The report lays out how this group has developed highly customized tools and a precise working knowledge of global telecommunications network architectures such that it can emulate network protocols to allow scanning and ‘to retrieve highly specific information from mobile communication infrastructure.’ The nature of the data targeted ‘aligns with information likely to be of significant interest to signals intelligence operations.’”
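The intrusion path described above, an SSH login to an external-facing DNS server from another carrier's network, is the kind of event an operator can catch with a plain policy check over sshd logs. The example below is added here and is not code from the article or from CrowdStrike's report: the log lines are constructed, and the management ranges, hostname and account names are assumptions standing in for a real operator's inventory.

```python
"""Flag successful SSH logins to an external-DNS host that violate a simple
access policy: source outside the management network, password auth, or a
direct root login.

Added example; the log lines, ranges and names below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumption: only these ranges (ops jump hosts) should ever reach sshd on a
# DNS server. Anything else is worth a ticket, whatever the auth method.
MANAGEMENT_NETS = [
    ipaddress.ip_network("10.20.0.0/16"),   # constructed: ops jump hosts
    ipaddress.ip_network("192.0.2.0/24"),   # constructed: documentation range
]

# Constructed sshd lines in the default syslog format (no real hosts).
SAMPLE_LOG = """\
Oct 19 02:14:07 edns01 sshd[2143]: Accepted publickey for svc_dns from 10.20.4.15 port 51022 ssh2: ED25519 SHA256:abc
Oct 19 02:41:55 edns01 sshd[2201]: Accepted password for root from 203.0.113.77 port 44122 ssh2
Oct 19 03:02:13 edns01 sshd[2250]: Failed password for admin from 198.51.100.9 port 40001 ssh2
Oct 19 03:05:40 edns01 sshd[2266]: Accepted publickey for svc_dns from 198.51.100.9 port 40010 ssh2: RSA SHA256:def
"""

# Only successful logins matter for this check; failures are handled elsewhere.
ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>[\d.:a-fA-F]+) port \d+"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    user: str
    src: str
    method: str
    reason: str


def is_management(src: str) -> bool:
    """True when the source address falls inside an allow-listed range."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in MANAGEMENT_NETS)


def review_ssh_logins(log_text: str) -> list[Finding]:
    """Return one Finding per (login, policy violation) pair."""
    findings = []
    for line in log_text.splitlines():
        m = ACCEPTED.match(line)
        if not m:
            continue
        src, user, method = m["src"], m["user"], m["method"]
        reasons = []
        if not is_management(src):
            reasons.append("source outside management network")
        if method == "password":
            reasons.append("password auth on infrastructure host")
        if user == "root":
            reasons.append("direct root login")
        for reason in reasons:
            findings.append(Finding(m["ts"], m["host"], user, src, method, reason))
    return findings


if __name__ == "__main__":
    for f in review_ssh_logins(SAMPLE_LOG):
        print(f"{f.ts} {f.host}: {f.user}@{f.src} ({f.method}) - {f.reason}")
```

Run against the constructed sample, the first login (key auth from a jump host) is clean, the second raises three separate findings, and the last raises one for its off-network source even though it used a key. In production the allow-list would come from inventory rather than a constant, and the findings would feed an alerting pipeline rather than stdout.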

Of course this comes on the heels of a steady parade of other telecom security scandals, ranging from the SS7 flaw we still haven’t fully fixed (opening the door to covert surveillance), to revelations that most satellite networks have the security of damp cardboard, to recent reports that a company handling billions of global text messages from carriers all over the world was compromised for years before anybody knew anything about it. Most of these reports come and go quietly without even a tiny fraction of the hysteria we saw aimed at TikTok.

Speaking to the press, Crowdstrike researchers were quick to point out that freaking out about malware and apps doesn’t mean much if the underlying telecom infrastructure is compromised (and it very much is):

“People leverage their cellphones like they’re magic,” said Adam Meyers, CrowdStrike’s senior vice president of intelligence. “They don’t think about the fact that there’s this whole infrastructure that makes it work, and that infrastructure is not something that you can take for granted.” … “They don’t need to deploy the malware onto your phone if they’re owning the network that your phone is riding on,” he said.

Granted, much like everyday infrastructure issues such as bridge repair, shoring up overall internet network security isn’t a sexy topic that sees much traction. Unless you’re a U.S. company lobbyist leveraging xenophobia to your competitive and political advantage (see the sometimes narrow hysteria surrounding 5G), much of this stuff doesn’t see anywhere near the attention it deserves in a press and policy discourse that often couldn’t care less.

Companies: crowdstrike

Comments on “New Report Again Shows Global Telecom Networks Aren't Remotely Secure”

Anonymous Coward says:

Speaking to the press, Crowdstrike researchers were quick to point out that freaking out about malware and apps doesn’t mean much if the underlying telecom infrastructure is compromised

That’s really not true. A lot that happens on smartphones isn’t visible to the network operators. Facebook encrypts everything, for example (not because they want to protect your privacy—just to ensure nobody else can free-ride on their invasions of it). Indeed, the whole purpose of the now-ubiquitous HTTPS encryption was to enable security on a presumed-compromised network. Attackers will still gain useful information, like where people are and what they’re connecting to; and, with the telephone networks, the contents of phone calls and texts (and if you’re running any software from them, that could be bad… but I think Apple at least don’t allow such crapware).

There is a proposal called Pretty Good Phone Privacy that "protects users from fake cell phone towers (IMSI-catchers) and surveillance by cell providers" (but, for now, doesn’t support voice or SMS, and does require specific telco support—though apparently an MVNO could do it). If the infrastructure provider couldn’t locate specific people, that would make it a hell of a lot harder for an attacker to target them.
