Profile picture
Mudge @dotMudge
, 16 tweets, 3 min read Read on Twitter
Ok. Here goes another one.

SMS intercept, hi-jack, access, ...

So there are a few things going on that the media, and others, are confusing:

Social engineering attacks (number slamming), and SS7 interaction. Sure, on the backend both influe HLR (home location registers).
The social engineering/physical can range from mugging someone to get their phone sim (good job Apple on making iPhone theft itself less valuable through your hardware design, albeit a dilemma with right-to-repair), which is a tactic where people literally steal/mug your phone/ID
The physical perpetrator takes the SIM card and puts it into a different phone.
There are a surprising number of significant services that let you reset everything if you know only the phone number (and can respond to OTP messages sent to the number).

More than you realize.
The goal of this, and what I’ll describe next, is to take over an email ‘Recovery’ account.

You know, the main e-mail acct you use to have all your email-reset passwords sent to fit your bank/amazon/venmo/paypal/bitcoin-y/etc type accounts.

But this is a modest risk...
It requires some targeting and human interaction. Sometimes the ‘mugging’ is just social engineering a mobile phone store after you have been targeted in order to ‘port’ your mobile number to a new SIM.

Either way, there’s some work required if the adversary.

It can be worth it
For instance this event apparently used a team of people who spent significant(?) time to slam/port 40 numbers ala social engineering.

Leaving likely physical evidence along with digital inference. Maybe worth it for 5M (BTC equiv, ymmv).

motherboard.vice.com/en_us/article/…
Then comes the part tgat everyone is implying in the media, but seemingly nit grasping the significance thereof: direct SS7 messaging.

The social engineering / physical aspect of stealing a mobile number is not to be scoffed at. It works. It’s doable at the ‘street-crime’ level,
And still groups and orgs running major political campaigns fought U2F entirely, as many have, and didn’t even go as far as confirming/enforcing SMS 2fa (previous thread).

And yes, I’m saying SMS 2FA is better than no 2FA.

But here’s where it gets good/scary, in my opinion.
It all got really interesting a while back. Local number portability and national number portability.

en.wikipedia.org/wiki/Local_num…

People could keep their numbers, when they moved homes... when they went mobile.

Along with a lot of other enhancements to SS7, this was special.
The thing about SS7[0], which is the protocol for orchestrating and ultimately creating your voice call connections (circuits), is that it was intended to be interfaced with by trusted parties: ILECS (Incumbent Lical Exchange Carriers) and later CLECS (Competitive...)...
But... CLECS were an inflection point.

They were reselling access (SS7) into the walled garden. This later became VoIP providers. The more promiscuous ones running the media gateways that international robo-callers use. Cheaply.

They are plentiful, and many have direct SS7...
Initial address messages (IAMs), various updates/lookups(dips) to home location registers (HLRs)... the world of SS7 is open, because you *must* be a telco because you’re talking SS7 to ‘the network’.
Not just cheap media gateway and spam/robocol prividers...

Your cable/ISP/broadband/home VoIP system? It likely accepts SIP-T (SS7 messages inside VoIP signaling).

So telcos literally place trusted infrastructure in your home.

(Just like in-band signaling [blue box etc.])
I worry about targeted intercepts, it’s an actual problem.

What keeps me up at night is that SS7 had an access model for its security that is now wrong. That was (largely) its security model.
Ease of access for SMS intercept at scale, by SS7, on a moments notice, cheaply, and already has a ready and willing industry in place (‘business friendly’ media gateways):

“Give us ~1000 numbers and get OTPs for the next 5mins”.

Yikes!

I’m scared for e-mail recovery accounts.
Familiar with Internet (packetswitch TCP/IP) but not familiar with telco (circuitswitch SS7)?

Think of it like this:

BGP, DNS, and TCP transport rolled into one: SS7.

Protection = allowed to talk to it.

(And “VoIP” talks to it...)

Good night :)

EOL

/HT MCP
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Mudge
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @dotMudge see all

Profile picture
A few weeks back the non-profit group CITL, cyber-itl.org, released a comparative report of software hygiene in 28 home routers...

and vulnerabilities that affect all Linux MIPS systems (not just IoT).

Some thoughts and data...

(Thread 1/N)

cyber-itl.org/2018/12/07/a-l…
This thread intends to get past some security nihilism, use data to refute some assumptions put forward by people as “facts”, and point out the big picture... which the security community largely missed.

Something about not being able to see the forrest through the trees ;)

2/
Let’s look at the router paper first.

cyber-itl.org/assets/papers/…

It’s true that none of the routers did well in regards to basic software safety hygiene, but thinking there’s nothing consumers can do is security nihilism and misses the actionable information in the paper...
Read 16 tweets
Profile picture
Due to Floating Point emulation, Linux MIPS (Kernels 2.4.3.4 through 4.7 2001-2016) have executable stacks.

The patch, released in 2016 and still present - Kernel 4.8, introduces a universal DEP and ASLR bypass.

cyber-itl.org/2018/12/07/a-l…

cyber-itl.org/assets/papers/…
Think about this for a moment...

MIPS is the most common architecture for home routers (ubiquity, Netgear, Asus, linksys) and similar devices.

It is also found in telecom gear, next gen corporate firewalls, corporate switch fabric, etc. for control plane, data plane, or both.
What makes this particularly tough to remediate is that addressing the issue needs the Kernel fix and *also* updates to the compiler toolchains and *also* that vendors/developers adopt both of these and *also* turn on the needed settings if they aren’t default enabled...
Read 5 tweets
Profile picture
On ‘names are hard’, X509 Distinguished Names (DN) can be a downright minefield.

Consider military (gov) where rank is part of the distinguished name field.

So what happens when someone gets a pay raise (get’s promoted)?

Each time that happens the DN changes which means...
The old certificate needs to be revoked.

Onto the certificate revocation list it goes...

New digital certificates are issued, access cards re-provisioned, CAs updated (and eventually synchronized).

Life goes on...

But what happens to the certificate revocation list (CRL)?
According to Wikipedia there were over 17 million Common Access Cards issued by 2008.

That’s a decade ago and there are ~1.4 million people in the US military this year alone (according to Google). Don’t forget that we’re talking about a lot more than just military people...
Read 5 tweets

Related threads

Profile picture
64 years ago today, Luis Antonio Miranda Jr. was born in Vega Alta, Puerto Rico. Obsessed w showtunes, politics and Debbie Reynolds. Sleeps 4 hours a night. Hates mushrooms.
This is my father and he is the weirdest, hardest working man in the world. Happy birthday Pa. I love you.
My father @Vegalteno has a weekly segment on @UniNoticias where he debates a Republican every Tuesday night.
He also only has two albums in his phone: The 25 Greatest Show Tunes and the U2 album they gave everyone.
When I was a child, my father @Vegalteno used to lean over during animated movies, point at the main character, and say, "That one dies."
He was usually kidding, except during Bambi that one time 😳
Read 23 tweets
Profile picture
1. O tipo de congresso, reformista ou gastão, é consequência, e não protagonista. O ciclo econômico determina o ciclo político. País na lama demanda corte de gastos. País surfando mundo forte, produz congresso leniente, gastão irresponsável.
2. O mesmo parlamentar pode ser gastão, ou reformista, dependendo das necessidades circunstanciais. Essa é a nossa história. Nem os "super-heróis" abaixo (fig 1) conseguiram impedir a alta da bolsa e não nos desvincularam do ciclo de commodities no mundo (fig 2).
3. O motivo de existir ciclos, principalmente no Brasil q gravita em torno do centro, é uma analogia com o provérbio oriental abaixo:

"Homens fortes criam tempos fáceis,
Tempos fáceis geram homens fracos,
Homens fracos criam tempos difíceis,
Tempos difíceis geram homens fortes."
Read 9 tweets
Profile picture
Ok, here goes.

For every one 'like' this tweet gets I'll write one tweet celebrating men - I think we read enough nonsense that cuts them down.

Now, if you crazy people go over 100 it'll take time ... but let's see what we can do FOR MEN. :)

Go!
HOLY SHIT I'M AT 87 ALREADY.
You bastards.
lol

1. Men are natural protectors and defenders.
2. Men are fathers, and without fathers, our families aren't quite ever whole.
Read 251 tweets
Profile picture
Here's a critique of the UK database entries of our Financial Secrecy Index, from a lawyer at Clifford Chance - one of the world's ten biggest law firms (per Wikipedia). And what follows is a response on the points raised.
To begin, we really value expert feedback. We had a nearly two-year review process before the Jan.2018 release, which we were delighted to find brought in a great many stakeholders, including experts, users and subject jurisdiction policymakers..
You can find more information about the methodology and review, including a statistical analysis by the European Commission's index experts, here: financialsecrecyindex.com/introduction/m…
Read 139 tweets
Profile picture
One important thing about Aadhaar or any centralized system,particularly connected to money, which I have not said so far, is how it completely destroys any security by obscurity which we have enjoyed so far. Take the example of mobile OTP.
Aadhaar uses SMS One Time Password (OTP) to secure Aadhaar transactions. But we have seen how process to update mobile for Aadhaar itself is hopeless destroy-the-aadhaar.blogspot.in/2017/12/regist…
It is hopeless in terms of security as well as frustrations experienced by the user. Some of the security risks can be fixed if UIDAI is more transparent about the process, as we have seen in that article. Some frustrations also may reduced if Aadhaar centres more nearby. But...
Read 84 tweets
Profile picture
Things that surprised/amazed me about Japan, an ongoing thread.

(More likely UI than food, but you know this already.)

It’s my first time here. Please comment away and/or point out my cultural insensitivities!
1. A very friendly immigration officer and I laughed together, and when I said “I don’t really know where I’ll be staying,” he actually applauded it.
2. Very nice and clean train from the airport, with power sockets, and vending machines onboard.

Tons of solar panels passed by on the way.
Read 427 tweets

Trending hashtags

#Jewish #elite #media #apocalyptic #30daysofChrisCornell #BanDigitalElections #diversitymatters #womeninSTEM #NEC4 #auction #HannahArendt #construction #DoomsdayCult #standup #isolate #DJT #LiveSTSplus #regimes #teaching #totalitarian #MAGA #ipr #winfieldrock #EdgarDegas #powerlessness

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($3.00/month or $30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!