Profile picture
Mudge @dotMudge
, 16 tweets, 3 min read Read on Twitter
Ok. Here goes another one.

SMS intercept, hi-jack, access, ...

So there are a few things going on that the media, and others, are confusing:

Social engineering attacks (number slamming), and SS7 interaction. Sure, on the backend both influe HLR (home location registers).
The social engineering/physical can range from mugging someone to get their phone sim (good job Apple on making iPhone theft itself less valuable through your hardware design, albeit a dilemma with right-to-repair), which is a tactic where people literally steal/mug your phone/ID
The physical perpetrator takes the SIM card and puts it into a different phone.
There are a surprising number of significant services that let you reset everything if you know only the phone number (and can respond to OTP messages sent to the number).

More than you realize.
The goal of this, and what I’ll describe next, is to take over an email ‘Recovery’ account.

You know, the main e-mail acct you use to have all your email-reset passwords sent to fit your bank/amazon/venmo/paypal/bitcoin-y/etc type accounts.

But this is a modest risk...
It requires some targeting and human interaction. Sometimes the ‘mugging’ is just social engineering a mobile phone store after you have been targeted in order to ‘port’ your mobile number to a new SIM.

Either way, there’s some work required if the adversary.

It can be worth it
For instance this event apparently used a team of people who spent significant(?) time to slam/port 40 numbers ala social engineering.

Leaving likely physical evidence along with digital inference. Maybe worth it for 5M (BTC equiv, ymmv).

motherboard.vice.com/en_us/article/…
Then comes the part tgat everyone is implying in the media, but seemingly nit grasping the significance thereof: direct SS7 messaging.

The social engineering / physical aspect of stealing a mobile number is not to be scoffed at. It works. It’s doable at the ‘street-crime’ level,
And still groups and orgs running major political campaigns fought U2F entirely, as many have, and didn’t even go as far as confirming/enforcing SMS 2fa (previous thread).

And yes, I’m saying SMS 2FA is better than no 2FA.

But here’s where it gets good/scary, in my opinion.
It all got really interesting a while back. Local number portability and national number portability.

en.wikipedia.org/wiki/Local_num…

People could keep their numbers, when they moved homes... when they went mobile.

Along with a lot of other enhancements to SS7, this was special.
The thing about SS7[0], which is the protocol for orchestrating and ultimately creating your voice call connections (circuits), is that it was intended to be interfaced with by trusted parties: ILECS (Incumbent Lical Exchange Carriers) and later CLECS (Competitive...)...
But... CLECS were an inflection point.

They were reselling access (SS7) into the walled garden. This later became VoIP providers. The more promiscuous ones running the media gateways that international robo-callers use. Cheaply.

They are plentiful, and many have direct SS7...
Initial address messages (IAMs), various updates/lookups(dips) to home location registers (HLRs)... the world of SS7 is open, because you *must* be a telco because you’re talking SS7 to ‘the network’.
Not just cheap media gateway and spam/robocol prividers...

Your cable/ISP/broadband/home VoIP system? It likely accepts SIP-T (SS7 messages inside VoIP signaling).

So telcos literally place trusted infrastructure in your home.

(Just like in-band signaling [blue box etc.])
I worry about targeted intercepts, it’s an actual problem.

What keeps me up at night is that SS7 had an access model for its security that is now wrong. That was (largely) its security model.
Ease of access for SMS intercept at scale, by SS7, on a moments notice, cheaply, and already has a ready and willing industry in place (‘business friendly’ media gateways):

“Give us ~1000 numbers and get OTPs for the next 5mins”.

Yikes!

I’m scared for e-mail recovery accounts.
Familiar with Internet (packetswitch TCP/IP) but not familiar with telco (circuitswitch SS7)?

Think of it like this:

BGP, DNS, and TCP transport rolled into one: SS7.

Protection = allowed to talk to it.

(And “VoIP” talks to it...)

Good night :)

EOL

/HT MCP
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Mudge
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($3.00/month or $30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!