Category: View All

It’s not often that global telcos could be described as a ‘David’ in a ‘David and Goliath’ analogy, but that is exactly what we are looking at in the latest hacking scandal.

In a story that broke this week in El Reg https://www.theregister.co.uk/2019/06/25/global_telcos_hacked/ and CNBC https://www.cnbc.com/2019/06/25/hackers-hit-telecommunications-firms-cybereason.html, a long running espionage campaign has been waged by (it is alleged) the Chinese government against at least ten cellular telcos around the world.  While a telco might have a security team of 50 people, huge by comparison to most organisations, this is miniscule when compared to the resources of a nation state, hence the David and Goliath reference. The campaign, which has apparently been running for several years, has even involved VPNs being set up within the telcos’ own infrastructure so that the perpetrators could snoop more quickly and easily on their targets.  So the story goes, the campaign was aimed at 20 to 30 high value targets, and the snoopers were able to access hundreds of gigabytes of phone records, text messages, device and user metadata and location data for hundreds of millions of subscribers.

This is another reminder that you can’t necessarily rely on your telco or ISP to protect your data and metadata. This is not because they are particularly negligent or complicit, but simply that flaws in the old technology, that underpins most networks around the world, can be exploited by nation states with almost limitless resources.

If you don’t want to be tracked, if you want to keep your communications private, if you discuss company intellectual property or trade secrets that you don’t want your competitors to learn about, if you are a journalist, aid worker, or special/covert services operating in an unfriendly regime, you need to take steps to ensure that your mobile data is protected.

Watch this space for more on this story in the coming weeks.

And we are not talking about design or style…

Keen fans of TV police dramas may be aware of the term ‘metadata’ which is frequently mentioned in the tense investigation scenes as the police narrow their focus on the perpetrator.  However how many of us actually know what metadata is?

Metadata is all the information relating to your phone call except the content of the call itself. It is the information we are used to seeing on itemised mobile phone bills; the when, how, from where and with whom we communicate. However, in the age of the smartphone, metadata collected from our daily activities actually reveals more about us than we realise. Most of us use our smartphone for more than just calls. It is our convenient go-to device for email, messaging, social media, banking, electronic wallet, GPS and camera, in addition to making calls. For many of us, losing our smartphones would impact our day-to-day lives far more than if we lost our credit card.

Digital footprint

A smartphone passively generates a vast amount of metadata, leaving behind a digital trace of the activity of its user. Each action and interaction provides a snapshot of our daily activities. Email addresses, websites visited, photos taken and files downloaded all present many new opportunities to gather metadata. Pieced together this information provides a comprehensive record of our associations and public movements, revealing a wealth of detail about our interactions, points of view and personal and professional associations. The reason metadata is so valuable is that it doesn’t lie, it is a digital footprint of our activities.

Stealing metadata

There are many ways that hackers can obtain metadata illegally. The SS7 vulnerability is well documented, and was one of the first topics that we wrote about in this blog (What’s up with WhatsApp). SS7 was designed over 40 years ago, long before phone hacking was considered a serious threat. SS7 stands for Signalling System No 7, also called the Common Channel Signalling System 7 in the US or Channel Interoffice Signalling 7 in the UK, and is the system that connects mobile phone and landline networks to each other. SS7 protocols enable phone networks to exchange information needed to process calls and text messages across disparate networks, including roaming on foreign networks, and to ensure correct billing. It also enables local number portability, prepaid payments, SMS and number translation.

Limitations in the SS7 protocols enable an attacker to mimic a victim’s device, steal personal data and to snoop on a users’ network communications. While this technique is used by nation states, there is equipment available on the dark web for a few hundred dollars that brings this type of attack into the domain of almost any tech-savvy criminal!

Fake base station

Exploiting the SS7 vulnerability isn’t the only means to access metadata. IMSI (international mobile subscriber identity) catchers, also known as fake base stations, are well established pieces of surveillance technology used by law enforcement all over the world. This portable device is used to intercept digital communications by essentially impersonating a legitimate mobile phone mast. The device can capture the IMSI of every phone in the area and intercept messages, calls and metadata, and even block phones from operating.

IMSI catchers are illegal to operate by parties other than law enforcement agencies and, even then, there are strict codes of conduct. However, for an attacker motivated by financial or commercial gain, remaining on the correct side of the law is rarely of concern! Videos freely available on YouTube show how a DIY IMSI catcher is relatively trivial to setup for a tech savvy criminal. The technology is available to anyone with a cheap laptop, $20 of readily available hardware and the ability to essentially copy and paste some commands into a computer terminal.

The power to control your own metadata

The fact that metadata is collated and sold by telecom carriers and internet companies shows how valuable it can be. Social media companies in particular are regularly sharing our metadata to third parties as a way of targeting advertising and this is typically the key value creator for such companies. Applying this capability across a population, it is possible to compile a very detailed, even invasive, picture of the population including behaviours and interactions which governments, organisations and cyber criminals can act upon.

Whilst it’s not possible to stop metadata from being generated, steps can be taken to control access to it. Armour Comms securely manages communications in the cloud ensuring metadata is minimised and protected. We also offer an on-premises solution for those who want complete control, allowing customers to store metadata on their own servers. Our solutions not only protect the content of communications, but also consider the broader aspects of securing your data and privacy

The weakest link

As the cyber security threat landscape evolves, it’s clear that securing modern methods of communication requires a new approach. Without secure practices, smartphones can effectively be viewed as surveillance devices, exposing confidential business dealings, intellectual property, state secrets, or commercially valuable information to risk. As the saying goes, you’re only as strong as your weakest link. If you fear that your mobile comms could be vulnerable to eavesdroppers, competitors or criminals then it’s time to act. Contact us today to discuss a solution.

Phone numbers – not that unique and not that secure!

A spate of recent disclosures calls into question once again the wisdom of using phone numbers for authentication. As we’ve discussed elsewhere on this blog, mobile phones are relatively easy to spoof, hijacking of phone accounts is becoming worryingly commonplace, and what happens if you lose your phone or have to change your mobile phone number? This hair raising account from Allison Nixon, director of security research at New York City-based cyber intelligence firm Flashpoint https://krebsonsecurity.com/2019/03/why-phone-numbers-stink-as-identity-proof/, highlights many of the issues, for example, when phone numbers are used for authentication within apps, or when banks send out sensitive updates via SMS.

Another issue regarding the use of personal numbers is where employees use their own mobile phones for business. If numbers are published in a corporate directory, that means anyone who works for the organisation has access to those personal numbers. Industry contacts related an incident where this led to female employees receiving unwanted calls at weekends, which as well as being a nuisance and potentially intimidating for the victim, also raises concerns as to their employer’s management of their personal data!

So while using our mobile numbers for authentication is very convenient, it is now becoming frighteningly insecure.

What else is at risk if your social media account is hacked?

If that isn’t enough horror to contemplate for one day, we have recently heard how ‘9 million data items containing passwords in plain text’ have been exposed at our perennial favourite, Facebook… for years!  And their response?  “We’ve not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data”. We’re guessing that any malfeasance is unlikely to be admitted! More details here:

https://krebsonsecurity.com/2019/03/facebook-stored-hundreds-of-millions-of-user-passwords-in-plain-text-for-years/

How many websites now invite us to login using our Facebook credentials? If your Facebook identity is hacked, what else does the hacker gain access to?

Security by design – or just an after-thought?

This brings us to the salient point that when large companies talk about security and encryption, it often doesn’t seem to apply to their own staff.  Indeed, one of the points made by Allison Nixon, is that banks often don’t know how to remove a mobile phone number associated with an account once the account holder has lost the phone number.

When it comes to keeping your private data secure, this all makes the case for using apps that are designed specifically with security in mind, not consumer-grade apps where security is an after-thought and a begrudging add-on at that!

Armour Mobile can be used with abstract numbers or random strings as identifiers, you don’t need to expose your own mobile number. These identifiers are then tied back to real-world identities within the Armour system, which is controlled in our secure cloud, or by your own, on-premises administrators.  Providing the users are known in some manner, and the identities are centrally controlled, this approach provides better security than relying on phone numbers to prove someone’s identity.