I've seen so many things announced that make me ask myself "But, why?".
Later such things are grandfathered in having never been properly designed or funded for security, etc.
Signalling System 7, or SS7, is a decades-old set of protocols that allows phone networks to communicate with one another, routing messages and calls across borders.
It was never designed with security in mind, and while operators have moved to more secure evolutions with 4G and 5G, they still need to maintain backwards compatibility with SS7. This is likely to remain the case for years if not decades to come.
Phone networks need to know where users are in order to route text messages and phone calls.
Operators exchange signalling messages to request, and respond with, user location information. The existence of these signalling messages is not in itself a vulnerability.
The issue is rather that networks process commands, such as location requests, from other networks, without being able to verify who is actually sending them and for what purpose.Yes. SS7 is a half-century old, designed for a world of state telecom monopolies and a handful of tightly-peered carriers. The threat model could safely assume that only vetted operators could connect. It's unlikely that anyone involved believed that SS7 would still exist in 2000, much less 2025.
https://www.eff.org/deeplinks/2024/07/eff-fcc-ss7-vulnerable...
SS7 dates from the early 1980s, as do SMTP (1981) and HTTP (1989). In all three cases people build the simplest thing that works and then hacked on it as new requirements arose. The main problem is that the telco world is very conservative and closed-source, so while we've had HTTPS and encrypted IMAP etc for a while now, SS7 hasn't gotten similar upgrades.
It's not the same protocol of course and doesn't do the same thing, but it's used in the same scenarios and has a similar level of security and importance.
And both are peer to peer - you can agree with one of your peers to secure your BGP session, but it won't have much impact on the global network, of which your BGP sessions are only a small part. There was a talk recently released from DEFCON33 about the phone system, where it was mentioned that to bypass authentication, spammers seek out carriers with old TDM systems which can't support authentication, and might even be their main customers. This is like that. All of your peerings may be secure, but if you start blocking calls you got relayed from 4 networks away with incorrect metadata, you can't tell if it's fake data or if one of those intermediary networks messed up the metadata on a legitimate call, and you will block legitimate calls and lose customers. Networks are weird systems where politics, not specifications, dominate.
Those systems were designed with security in mind for the environment and threat model of that time. It is why these types of things are grandfathered or improved upon to mitigate the latest scenarios and threat actors. The difference is that they probably couldn't foresee that it would remain the foundation for so long, and what todays world would look like.
Put #1 and #2 SIM cards in two WWAN modems in a device (laptop?) you always keep at home, or at work if you don't want your home location known. Cross-connect the two modems by software (Asterisk?) such that if a call comes in from #1, it's forwarded through #2 modem to #3 (your mobile phone) and if you dial #2 from your mobile phone, you get a dial tone on #1 modem.
Disadvantages:
- No call ID. You'll never know who calls you and can't immediately save their number without looking at the call logs at home.
- You must store all phone numbers with #2 as prefix, a pause, then the actual phone number as extension.
octagons•3mo ago