Memo to Trump: US telecommunications vulnerable to hackers. Please hang up and try again | John Naughton

You know the drill. You’re signing in to your bank or another service (Gmail, to name just one) that you use regularly. You enter your username and password and then the service says it will send you an SMS message with a code you can use to confirm that you are the one logging in. It’s called “two-factor authentication” (2FA) and is said to be best practice in our networked world, since passwords and login details can be easily compromised.

Unfortunately, our world is evil as well as networked, and that SMS message can be redirected to someone else’s phone: that of the criminal who logged in using your phished personal details and who is now busy emptying your current account.

This type of trickery has been possible for years. I just found an account of it happening to bank customers in Germany in 2017, but security experts warned about it long before. The root of the problem is chronic security vulnerabilities in SS7, an arcane, decades-old technical protocol for routing telephone calls and messages, which is built into all telephone systems.

These vulnerabilities can be exploited by hackers to cause a variety of damage: track any mobile phone anywhere in the world; listen to calls; read and redirect SMS messages; intercept Internet traffic; and interfere with user connectivity or network availability, to name just a few. But SS7 is also what allows your phone to stay connected during a call while you’re on a train that passes many local cells. Therefore, it is an integral part of the mobile phone system: the glue that holds the entire system together.

You could say it’s too big to fail, which may explain why large telecoms companies have been reluctant to confront its glaring deficiencies. This indolence has now triggered intervention by the US regulator, the Federal Communications Commission (FCC), possibly because Oregon Senator Ron Wyden has begun to describe the SS7 vulnerabilities as a “national security” issue.

As it happens, the senator is pushing on an open door, because there is panic in Washington about the scope and depth of foreign (aka Chinese) penetration of US communications and critical infrastructure, some of which is without doubt facilitated by SS7 vulnerabilities. At an international security summit in Bahrain on December 7, Anne Neuberger of the White House National Security Council admitted that Chinese cyber spies had recorded calls of “very senior” American political figures, although she omitted to name the victims. She also confirmed that eight US telecommunications providers had been compromised by Chinese hackers.

Although North Korea and Russia are also seen as cybersecurity adversaries, Americans seem obsessed with the Chinese threat. Three hacker groups in particular seem to be keeping people in Washington awake at night. It is, as one wag remarked, “typhoon season” in the city, a reflection of the names assigned to the trio: Salt Typhoon, Volt Typhoon and Flax Typhoon. Flax ran a botnet of 260,000 devices until it was dismantled by the FBI. Salt’s cyber spies breached US telecommunications companies Verizon, AT&T and Lumen Technologies and also, in a neat touch, hacked into their wiretapping systems (the ones they have to deploy when FBI agents arrive with a warrant).

Volt, in some ways, is the most sinister of the trio. It specializes in America’s critical infrastructure: water systems, power grids, and the like. It runs botnets based on end-of-life Cisco and Netgear routers (models for which security updates are no longer issued). It has been active since mid-2021 with the aim, according to Microsoft, to develop the capability to disrupt critical communications infrastructure between the United States and the Asia region during future crises. (A Chinese invasion of Taiwan, perhaps?) The affected organizations “span the communications, manufacturing, utilities, transportation, construction, maritime, government, information technology, and education sectors.” The inference is that Volt “intends to conduct espionage and maintain access undetected for as long as possible.”

So, as technology companies queue to donate millions to Trump’s inauguration fund, two of the three Chinese hacking groups named after storms will continue to quietly wreak havoc on America’s digital backyard. The idea of Salt Typhoon hacking into the FBI’s own wiretapping systems is particularly delightful. Meanwhile, cell phones everywhere will remain tethered to an ancient protocol that is as safe as a two-person tent in a hurricane. And when Trump goes to Beijing to close the deal with his fellow emperor, Xi Jinping will be able to present his visitor with a leather-bound book containing all of his private telephone conversations since 2016.

Happy new year!


What I have been reading

Blinded by the light
Optical delusions is an excellent blast on Tina Brown’s blog about the strange attraction that Trumpian glitz has for many Americans.

University challenge
How the Ivy League broke America – the title of a long and thoughtful essay by David Brooks in the Atlantic about the evils of “meritocracy.”

To sir, with love.
Recover the essay: two memories. A beautiful piece of writing by Richard Farr about what it is like to have a great teacher.
