Chinese Access To AT&T/Verizon Wiretap System Shows Why We Cannot Backdoor Encryption
from the backdoors-can-be-opened-by-spies-too dept
Creating surveillance backdoors for law enforcement is just asking for trouble. They inevitably become targets for hackers and foreign adversaries. Case in point: the US just discovered its wiretapping system has been compromised for who knows how long. This should end the encryption backdoor debate once and for all.
The law enforcement world has been pushing for backdoors to encryption for quite some time now, using their preferred term for it: “lawful access.” Whenever experts point out that backdooring encryption breaks the encryption entirely and makes everyone less safe and less secure, you’ll often hear law enforcement say that it’s really no different than wiretapping phones, and note that that hasn’t been a problem.
Leaving aside the fact that it’s not even that much like wiretapping phones, this story should be thrown back in the faces of all of law enforcement folks believing that backdooring “lawful access” into encryption is nothing to worry about. Chinese hackers have apparently had access to the major US wiretapping system “for months or longer.”
A cyberattack tied to the Chinese government penetrated the networks of a swath of U.S. broadband providers, potentially accessing information from systems the federal government uses for court-authorized network wiretapping requests.
For months or longer, the hackers might have held access to network infrastructure used to cooperate with lawful U.S. requests for communications data, according to people familiar with the matter, which amounts to a major national security risk. The attackers also had access to other tranches of more generic internet traffic, they said.
According to the reporting, the hackers, known as “Salt Typhoon,” a known Chinese state-sponsored hacking effort, were able to breach the networks of telco giants Verizon and AT&T.
The Wall Street Journal says that officials are freaking out about this, saying that the “widespread compromise is considered a potentially catastrophic security breach.”
Here’s the thing: whenever you set up a system that allows law enforcement to spy on private communications, it’s going to become a massive target for all sorts of sophisticated players, from organized crime to nation states. So, this shouldn’t be a huge surprise.
But it should also make it clear why backdoors to encryption should never, ever be considered a rational decision. Supporters say it’s necessary for law enforcement to get access to certain information, but as we keep seeing, law enforcement has more ways than ever to get access to all sorts of information useful for solving crimes.
Putting backdoors into encryption, though, makes us all less safe. It opens up so many private communications to the risk of hackers getting in and accessing them.
And again, for all the times that law enforcement has argued for backdoors to encryption being just like wiretaps, it seems like this paragraph should destroy that argument forever.
The surveillance systems believed to be at issue are used to cooperate with requests for domestic information related to criminal and national security investigations. Under federal law, telecommunications and broadband companies must allow authorities to intercept electronic information pursuant to a court order. It couldn’t be determined if systems that support foreign intelligence surveillance were also vulnerable in the breach.
It’s also worth highlighting how this breach was only just discovered and has been in place for months “or longer” (meaning years, I assume). Can we not learn from this, and decide not to make encryption systems vulnerable to such an attack by effectively granting a backdoor that hackers will figure out a way to get into?
On an unrelated note, for all the talk of how TikTok is a “threat from China,” it seems like maybe we should have been more focused on stopping these kinds of actual hacks?
Filed Under: breach, china, encryption, lawful access, security, wiretaps
Companies: at&t, verizon
Comments on “Chinese Access To AT&T/Verizon Wiretap System Shows Why We Cannot Backdoor Encryption”
I disagree. This is why we need more back doors. If everything is Swiss cheese, no one can hide anything from anyone. Its diabolical!
Re: That being said...
This is why ISPs in the US need to charge less. They can’t even keep their own computers secure.
The law enforcement world has been pushing for backdoors to encryption for quite some time now
Must be those Chinese police stations that have access.
If they cared about privacy and security they wouldn't be trying to break both
As much as this should be a huge warning for why mandating crippled encryption is a terrible idea the sad fact is that it’s not likely to change any minds because if those pushing for encryption to be broken cared about the privacy and security of the general public they wouldn’t be trying to mandate crippled encryption to begin with.
So you’re saying we should maybe address potential security risks from China, before they actively exploit it? Perhaps we could do both.
Re:
Good luck tossing everything you have with electronic or software components from China.
Let us know how you get on. Oh wait, you won’t be able to do that.
Re: Re:
“Would you forget about it? I already tried! It’s
magnetically sealedcongressionally underfunded!”Re:
Effective privacy legislation would do that equally well as well as addressing attacks on privacy from other sources, but then, the link tax shill has never met a strawman they’re unwilling to erect.
So as it turns out, backdooring communications for “the good guys” means it can also be (gasp!) used by the bad guys?!
GEE, WHO WOULD’VE THOUGHT?!
Nothing to hide
If you have nothing to hide surveillance won’t hurt you.. oh wait my identity has now been stolen by a foreign government because I foolishly believed my own government that I had nothing to hide! Everyone has something to hide.
It’s probably been in place since sometime around 2002.
Another tick for the simulation hypothesis
In sequence on my TD feed
Chinese Access To AT&T/Verizon Wiretap System Shows Why We Cannot Backdoor Encryption
and
EU’s Commission’s Anti-Encryption Plans On The Ropes (Again) After Rejection By The Dutch Gov’t
It’s almost as if I’m reading a cyberpunk dystopian story by Neal Stephenson.
Re:
Truth is stranger than fiction. I would invoke Rule 34, but Halting State is a more appropriate reference. When you have to rewrite dystopian science fiction because it has already come to pass, things are kinda dire.
Re: Re:
I guess you didn’t read the articles you linked to. Rule 34 is the sequel to Halting State written by the same author, so neither one is actually a rewrite of the other.
Technically this isn’t a backdoor. Cellular connections are only encrypted on the wireless link. Once the signal is received by the BTS it is decrypted. It then moves through the wired portion of the network. Lawful intercept taps into audio in the wired portion of the network.
Ideally we’d have end to end encryption of the audio in phone calls. I’ve never seen any effort by 3GPP to achieve that.
Re:
I have to ask, do you really think wiretaps are only used on cellular networks?
And it’s a backdoor if you engineer the function into the network for easy access, like you know, lawful intercept taps into audio in the wired portion of the network.
If this ease of access didn’t exist, the hackers wouldn’t have been able to use it to tap into the communications as easy as they did, could they?
Re: Re:
Lawful intercept is done in the core network which isn’t encrypted. Not even the control messages are encrypted (SS7 is very vulnerable).
The point was that it isn’t an encryption back door if only one part of the network is encrypted. And all communications are automatically decrypted when they enter the core network (everything behind the tower).
Re: Re: Re:
Nobody stated this was an encryption backdoor. They stated that this is a communications intercept backdoor.
And then TD compared phone-based lawful intercept to the push for encryption lawful intercept because that’s what those who want encryption lawful intercept were doing — and this breach shows why it would be a horrible idea.
Re:
It’s not for them to solve. Legally, their hands are kind of tied; too many of the countries in which their standards are used have “lawful intercept” laws that make it explicitly illegal for telcos to provide end-to-end-encryption.
It’s usually not illegal to use end-to-end encryption (except maybe in France and China and an assortment of countries of minimal relevance). So, you could install some app; if the app-makers stopped trying to control the world and actually allowed for an open protocol, one might actually take over. Or Apple and Google could provide some encrypted voice-over-IP system, but until unlimited data is ubiquitous, I doubt it will replace voice calls (for which cheap unlimited plans are available, in many countries).
Pretty big "I told you so" moment
Quite a few people who actually built the Internet warned that this day was inevitable, but those warnings were dismissed as “naive” or “uninformed” or “anti-law enforcement”. Turns out, though, that the people who pulled the cables and wrote the code and built the systems were right.
Whenever something like CALEA is proposed, it’s always good to remember: “It’s a poor atom blaster that won’t point both ways.” (Isaac Asimov, “Foundation”)
Re:
Be grateful that the Clipper Chip was killed with fire (lest it regenerate). (See especially the technical vulnerabilities section of the wikipedia page for the chip.)
Re: Re:
I have mixed feelings about that. Had Matt Blaze had the good sense to keep quiet about the vulnerability—which only compromised the backdoor, not the user’s privacy—we might have gotten used to the idea of encrypted phone calls. And then phone-makers could’ve started taking advantage of the flaw to close the backdoor, or could’ve used entirely different encryption chips, and what could the government have done? The legal requirements to use only backdoored crypto were struck down pretty quickly.
Not that it matters.
But the systems have been hacked for years. Its been known as it was Built into the system over time. And witht he installation of DIGITAL communications, it became abit easier.
Very easy to prove also. With Faked phone numbers and Scammers using them from around the world.
We dont even need to mention the time a USA gov. representative recorded the private backdoor into the system to record Private Un-encoded mdg. between nations leaders..Do we?
Re:
You’re conflating things here. We’ve known that SS7 was compromised for years, especially with the US able to access all European and African SS7 data in an automated fashion. And we’ve known about the AT&T lawful intercept station for decades, so we’ve known that the domestic system was only as secure as that station.
The faked international exchanges and caller ID values are totally different, also insecure, components of the ITT telecoms system.
Just because it’s all insecure doesn’t mean it’s all the same thing; each of these flawed technologies has its own security implications when breached.
That's not what he said
I think you might have misread the article.
I think the argument Mike was making was that the people demanding “lawful access” to encrypted systems (via back-doors) are the same people who already have “lawful access” to telecommunications systems (wiretaps). They have been claiming that the wiretapping system has never been hacked as a justification for why they could also be trusted with back-doors into encrypted systems. That “never hacked” claim has just been proven to be false so their entire argument is destroyed.
Re:
They already knew that lawful intercept had been hacked. Because they did it.
A long time ago (20ish years) there were reports that telecom equipment sold to operators in other nations were used by NSA (or other three letter organization) for spying. They activated lawful intercept and listen to wired and cellular calls remotely. Without the knowledge of the foreign operator or foreign country.
I’ve honestly lost track of how long this very scenario was warned about, but I suspect that, rather than learning that the stove is hot, authorities will respond by doubling down on the “nerd harder” business because asking for the impossible is just a minor challenge that others can tackle.
Re:
“Surely brighter people than us can solve the issue such that traffic lights are always green for Law Enforcement, but have regular controls in place for everyone else!”
Re: Re:
I’m not sure what you’re getting at with this comment. We have the technology for such traffic-light control. It’s deployed in a few areas near me—for the benefit of fire trucks rather than law enforcement, but that’s just a matter of configuration.
Re: Re: Re:
Sure, but to get to a point where such intervention becomes necessary, you used to need extraordinary proof or a warrant or some similar procedure to merit such an override.
That process has been slowly chipped away because law enforcement increasingly thinks it can take a hammer to due process, on grounds that it thinks it is infallibly noble and altruistic and “the good guys” – despite NSA’s LOVEINT and all examples to the contrary. It will not surprise me in the slightest if similar requests be made for all industries to roll the red carpet out for law enforcement, regardless of ethics or practicality.
Re: Re: Re:2
I’m still not really seeing the comparison. What you write would generally be true for “lawful access” to encryption backdoors, in non-dystopian countries.
The traffic light systems, by contrast, often operate automatically, based on some communication between in-vehicle GPS, the dispatching system, and the city’s traffic control computers.
A pessimist weighs in.
But it won’t.
So you’re expecting deliberately ignorant politicians to deliberately give up “Nerd Harder”?
Re:
He said it’d end the debate, not that the government or politicians would do a thing about it.
But point taken. Ignorance for me, but not for thee has always been the privilege of the ruling class. Absolutely no lessons will be learned from this besides screaming at the tech sector for not protecting politicians from the consequences that they’d been repeatedly warned about.
Just like Section 230 and Net Neutrality, it’s impossible to argue against encryption without lying.
Re:
Define the latter.
Re: Re:
Back when I was in school, I was taught that I had to do my own homework rather than expecting others to do it for me, and I had genuine problems with academics because no none knew about my autism at the time.
Oh no, we definitely can. And do, and will continue to.
It’s just we shouldn’t, but no one who has any ability to actually stop it cares and will ever care.