Telecom Providers Say Networks Are Secure Following Chinese Salt Typhoon Hack

I’m firmly convinced this was a psyop to move people to encrypted platforms where they could more easily be spied on by the government through backdoors or broken encryption. The telecom networks have had inferior security for decades with the SS7 and Diameter networks (EFF article below headline article), and never fully addressed it which I always thought was by design for government interception. Though, it would be funny if they finally address it due to another government using their backdoor. Moreover, governments want backdoors to all encrypted platforms, which naturally can be exploited by others and renders the platform defective for the purpose.

https://www.zerohedge.com/political/telecom-providers-say-networks-are-secure-following-chinese-salt-typhoon-hack


By Lily Zhou via The Epoch Times

AT&T and Verizon were targeted by China-backed hacking group Salt Typhoon, but their networks are now secure, the telecommunications companies said on Saturday in their first acknowledgement of the hacking.

Meanwhile, Lumen Technologies, which owns CenturyLink, said on Sunday that it has no evidence of Chinese actors in its network.

It comes after the White House said on Friday that it had identified a ninth U.S. telecom network that had been compromised by the wide-ranging espionage campaign, which began in 2022, and that they are still assessing the scope of the breach.

Officials didn’t provide a full list of the compromised networks. Earlier this month, the FBI said malware from Salt Typhoon and two other Beijing-backed hacking groups, dubbed by Microsoft as Flax Typhoon and Volt Typhoon, was still embedded in some U.S. systems.

Verizon said in a statement to The Epoch Times that it has notified “a small number of high-profile customers in government and politics” who were targeted by the hackers.

The company said it has contained the threat, and that “an independent and highly respected cyber security firm” had confirmed the containment.

“Immediately upon learning of this incident, Verizon took several key actions to protect its customers and its network including partnering with federal law enforcement and national security agencies, industry partners, and private cybersecurity firms,” Verizon’s Chief Legal Officer Vandana Venkatesh said in a statement.

“We have not detected threat actor activity in Verizon’s network for some time, and after considerable work addressing this incident, we can report that Verizon has contained the activities associated with this particular incident.”

On Saturday, an AT&T spokesperson told Reuters the company detected “no activity by nation-state actors in our networks at this time.”

“Based on our current investigation of this attack, the People’s Republic of China targeted a small number of individuals of foreign intelligence interest,” the spokesperson said.

While only a few cases of compromised information were identified, AT&T was monitoring and remediating its networks to protect customers’ data and continues to work with authorities to assess and mitigate the threat, the spokesperson said.

A spokesperson for Lumen Technologies told The Epoch Times there’s no evidence of Chinese actors in its network.

“An independent forensics firm has confirmed Salt Typhoon is no longer in our network. In addition, our federal partners have not shared any information that would suggest otherwise. To date, there is no evidence that customer data was accessed on our network,” the spokesperson said in a statement.

Meanwhile, T-Mobile’s Chief Security Officer Jeff Simon said in a blog published on Friday that the operator stopped attempts to infiltrate its systems “within the last few weeks,” but could not definitively identify the attacker’s identity.

Government officials have previously said Salt Typhoon targeted a limited number of high-profile officials and politicians over a long time. Simon said that is “not the case at T-Mobile.”

Chinese officials have previously described the allegations as disinformation and said Beijing “firmly opposes and combats cyber attacks and cyber theft in all forms.”

The FBI and the Cybersecurity & Infrastructure Security Agency (CISA) confirmed in October that they were investigating cyber threats linked to the Chinese regime following media reports of Salt Typhoon’s operation.

In November, the FBI and the CISA issued a joint statement, saying Chinese hackers had targeted commercial telecommunications infrastructure in a “broad and significant cyber espionage campaign,” in which they stole customer call records data, compromised private communications of government officials and politicians, and copied information “that was subject to U.S. law enforcement requests pursuant to court orders.”

Anne Neuberger, deputy national security adviser for cyber and emerging technologies, told reporters on Dec. 7 that the hackers had stolen a large volume of Americans’ metadata while targeting some “very senior political individuals.”

On Friday, Neuberger said it’s believed the hackers geolocated a large number of individuals in the Washington DC, Virginia area, and targeted “probably less than 100 on the actual individuals.”

Earlier this month, the CISA issued guidance for “highly targeted” senior government officials and politicians, urging them to “use only end-to-end encrypted communications” and to adopt other measures to mitigate risks posed by Chinese hackers.


https://www.eff.org/deeplinks/2024/07/eff-fcc-ss7-vulnerable-and-telecoms-must-acknowledge

EFF to FCC: SS7 is Vulnerable, and Telecoms Must Acknowledge That

By Cooper Quintin and Babette Ngene

July 15, 2024

It’s unlikely you’ve heard of Signaling System 7 (SS7), but every phone network in the world is connected to it, and if you have ever roamed networks internationally or sent an SMS message overseas you have used it. SS7 is a set of telecommunication protocols that cellular network operators use to exchange information and route phone calls, text messages, and other communications between each other on 2G and 3G networks (4G and 5G networks instead use the Diameter signaling system). When a person travels outside their home network’s coverage area (roaming), and uses their phone on a 2G or 3G network, SS7 plays a crucial role in registering the phone to the network and routing their communications to the right destination. On May 28, 2024, EFF submitted comments to the Federal Communications Commission demanding investigation of SS7 and Diameter security and transparency into how the telecoms handle the security of these networks.

What Is SS7, and Why Does It Matter?

When you roam onto different 2G or 3G networks, or send an SMS message internationally, the SS7 system works behind the scenes to seamlessly route your calls and SMS messages. SS7 identifies the country code, locates the specific cell tower that your phone is using, and facilitates the connection. This intricate process involves multiple networks and enables you to communicate across borders, making international roaming and text messages possible. But even if you don’t roam internationally, send SMS messages, or use legacy 2G/3G networks, you may still be vulnerable to SS7 attacks because most telecommunications providers are still connected to it to support international roaming, even if they have turned off their own 2G and 3G networks. SS7 was not built with any security protocols, such as authentication or encryption, and has been exploited by governments, cyber mercenaries, and criminals to intercept and read SMS messages. As a result, many network operators have placed firewalls in order to protect users. However, there are no mandates or security requirements placed on the operators, so there is no mechanism to ensure that the public is safe.

Many companies treat your ownership of your phone number as a primary security authentication mechanism, or as a secondary one through SMS two-factor authentication. An attacker could use SS7 attacks to intercept text messages and then gain access to your bank account, medical records, and other important accounts. Nefarious actors can also use SS7 attacks to track a target’s precise location anywhere in the world.

These vulnerabilities make SS7 a public safety issue. EFF strongly believes that it is in the best interest of the public for telecommunications companies to secure their SS7 networks and publicly audit them, while also moving to more secure technologies as soon as possible.

Why SS7 Isn’t Secure

SS7 was standardized in the late 1970s and early 1980s, at a time when communication relied primarily on landline phones. During that era, the telecommunications industry was predominantly controlled by corporate monopolies. Because the large telecoms all trusted each other, there was no incentive to focus on the security of the network. SS7 was developed when modern encryption and authentication methods were not in widespread use.

In the 1990s and 2000s new protocols were introduced by the European Telecommunications Standards Institute (ETSI) and the telecom standards bodies to support mobile phones with services they need, such as roaming, SMS, and data. However, security was still not a concern at the time. As a result, SS7 presents significant cybersecurity vulnerabilities that demand our attention.

SS7 can be accessed through telecommunications companies and roaming hubs. To access SS7, companies (or nefarious actors) must have a “Global Title,” which is a phone number that uniquely identifies a piece of equipment on the SS7 network. Each phone company that runs its own network has multiple global titles. Some telecommunications companies lease their global titles, which is how malicious actors gain access to the SS7 network. 

Concerns about potential SS7 exploits are primarily discussed within the mobile security industry and are not given much attention in broader discussions about communication security. Currently, there is no way for end users to detect SS7 exploitation. The best way to safeguard against SS7 exploitation is for telecoms to use firewalls and other security measures. 

With the rapid expansion of the mobile industry, there is no transparency around any efforts to secure our communications. The fact that any government can potentially access data through SS7 without encountering significant security obstacles poses a significant risk to dissenting voices, particularly under authoritarian regimes.

Some people in the telecommunications industry argue that SS7 exploits are mainly a concern for 2G and 3G networks. It’s true that 4G and 5G don’t use SS7—they use the Diameter protocol—but Diameter has many of the same security concerns as SS7, such as location tracking. What’s more, as soon as you roam onto a 3G or 2G network, or if you are communicating with someone on an older network, your communications once again go over SS7. 

FCC Requests Comments on SS7 Security 

Recently, the FCC issued a request for comments on the security of SS7 and Diameter networks within the U.S. The FCC asked whether the security efforts of telecoms were working, and whether auditing or intervention was needed. The three large US telecoms (Verizon, T-Mobile, and AT&T) and their industry lobbying group (CTIA) all responded with comments stating that their SS7 and Diameter firewalls were working perfectly, and that there was no need to audit the phone companies’ security measures or force them to report specific success rates to the government. However, one dissenting comment came from Cybersecurity and Infrastructure Security Agency (CISA) employee Kevin Briggs. 

We found the comments by Briggs, CISA’s top expert on telecom network vulnerabilities, to be concerning and compelling. Briggs believes that there have been successful, unauthorized attempts to access network user location data from U.S. providers using SS7 and Diameter exploits. He provides two examples of reports involving specific persons that he had seen: the tracking of a person in the United States using Provide Subscriber Information (PSI) exploitation (March 2022); and the tracking of three subscribers in the United States using Send Routing Information (SRI) packets (April 2022).  

This is consistent with reporting by Gary Miller and Citizen Lab in 2023, where they state: “we also observed numerous requests sent from networks in Saudi Arabia to geolocate the phones of Saudi users as they were traveling in the United States. Millions of these requests targeting the international mobile subscriber identity (IMSI), a number that identifies a unique user on a mobile network, were sent over several months, and several times per hour on a daily basis to each individual user.”

Briggs added that he had seen information describing how in May 2022, several thousand suspicious SS7 messages were detected, which could have masked a range of attacks—and that he had additional information on the above exploits as well as others that go beyond location tracking, such as the monitoring of message content, the delivery of spyware to targeted devices, and text-message-based election interference.
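The location-tracking pattern described above (repeated Send Routing Information and Provide Subscriber Information requests aimed at one subscriber, several times per hour, from a network with no roaming relationship to that subscriber) is exactly the kind of traffic an operator's SS7 firewall is supposed to catch. The following is an added illustration, not code from EFF, CISA, Citizen Lab or any carrier's firewall: a toy rate rule run over constructed signaling records. The log format, the Global Titles, the IMSIs, the trusted-partner prefixes and the threshold are all assumptions made up for the example.

```python
"""
Added example: a minimal SS7 interconnect-firewall rule that flags suspected
location tracking. A home network's HLR sees SRI/SRI_SM/PSI queries from
partner networks as part of normal call and SMS routing, but those same
messages reveal the subscriber's serving MSC/cell. The rule alerts when an
origin Global Title (GT) that is not a known roaming partner sends more than
RATE_THRESHOLD location-revealing queries for one IMSI inside a one-hour
window. Everything below (format, GTs, IMSIs, thresholds) is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# MAP operations that disclose a subscriber's location when answered.
LOCATION_OPS = {"SRI", "SRI_SM", "PSI"}

# Constructed allowlist of Global Title prefixes belonging to roaming partners.
# A real firewall would derive this from the operator's roaming agreements.
TRUSTED_GT_PREFIXES = ("1310", "4477")

# Constructed policy: more than this many queries per IMSI from one untrusted
# GT within WINDOW is treated as tracking rather than routing.
RATE_THRESHOLD = 3
WINDOW = timedelta(hours=1)

# Constructed sample records: "<UTC timestamp> <origin GT> <operation> <target IMSI>"
# 99900001234 is a made-up GT with no roaming relationship to this network.
SAMPLE_LOG = """\
2022-04-10T09:00:05Z 13105550100 SRI 310150123456789
2022-04-10T09:01:10Z 99900001234 SRI 310150123456789
2022-04-10T09:14:50Z 99900001234 PSI 310150123456789
2022-04-10T09:29:40Z 99900001234 SRI 310150123456789
2022-04-10T09:44:30Z 99900001234 PSI 310150123456789
2022-04-10T10:02:00Z 44775550200 SRI_SM 310150987654321
2022-04-10T10:05:00Z 99900001234 SRI 310150987654321
"""


def parse_line(line):
    """Split one constructed record into (timestamp, origin_gt, op, imsi)."""
    ts, origin_gt, op, imsi = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), origin_gt, op, imsi


def is_trusted_gt(gt):
    """True if the origin GT belongs to a known roaming partner."""
    return gt.startswith(TRUSTED_GT_PREFIXES)


def detect_tracking(log_text, threshold=RATE_THRESHOLD, window=WINDOW):
    """Return {(origin_gt, imsi): peak_count} for pairs whose location queries
    from an untrusted GT exceed `threshold` inside any `window`-long span."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, gt, op, imsi = parse_line(line)
        if op in LOCATION_OPS and not is_trusted_gt(gt):
            events[(gt, imsi)].append(ts)

    alerts = {}
    for key, stamps in events.items():
        stamps.sort()
        start = 0
        # Sliding window: for each query, count how many earlier queries from
        # the same GT to the same IMSI fall within `window` of it.
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            hits = end - start + 1
            if hits > threshold:
                alerts[key] = max(alerts.get(key, 0), hits)
    return alerts


if __name__ == "__main__":
    for (gt, imsi), count in detect_tracking(SAMPLE_LOG).items():
        print(f"ALERT: {count} location queries for IMSI {imsi} from untrusted GT {gt}")
```

On the constructed log, the untrusted GT's four queries against the first IMSI fall within one hour and trigger an alert, while its single query against the second IMSI and the partner networks' routine SRI traffic do not. A production interconnect firewall would add checks this toy omits, for instance whether the querying network is the one the subscriber last registered on, since a single well-timed query can still disclose location without tripping a rate rule.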

As a senior CISA official focused on telecom cybersecurity, Briggs has access to information that the general public is not aware of. Therefore his comments should be taken seriously, particularly in light of the concerns expressed by Senator Wyden in his letter to the President, which referenced a non-public, independent, expert report commissioned by CISA and alleged that CISA was “actively hiding information about [SS7 threats] from the American people.” The FCC should investigate these claims, and keep Congress and the public informed about exploitable weaknesses in the telecommunication networks we all use.

These warnings should be taken seriously and their claims should be investigated. The telecoms should submit the results of their audits to the FCC and CISA so that the public can have some reassurance that their security measures are working as they say they are. If the telecoms’ security measures aren’t enough, as Briggs and Miller suggest, then the FCC must step in and secure our national telecommunications network.