A new report by mobile threat mitigation company iVerify claims to show how older and unencrypted network protocols used by some of the most dominant mobile traffic interconnect providers are allowing hacking groups to access mobile data as it flies from country to country. Maybe even yours.
To make it even worse, these providers are based in China. To Americans, anything related to China is often viewed as bad, but the fact that there are potentially billions of customers using these services is real. Knowing they’ve been compromised is terrifying to many network security professionals.
I take any reports from a company that profits from network security with a grain of salt, but after reading the report in full, the claims sound valid on most counts.
What is a mobile interconnect provider?
To understand why this matters, you need to know what is being affected. A mobile interconnect provider is exactly what it sounds like — a thing that allows two or more different mobile networks to communicate with each other.
Let’s say you have a Verizon account. You can send and receive anything from another phone using a Verizon account across Verizon’s network, as long as both parties are in Verizon’s service area.
If you’re talking to someone on AT&T, or Orange or are outside of a normal Verizon service area (maybe you’re vacationing) that traffic has to be routed across different networks so it can reach it’s destination.
These interconnect providers use complicated routing and control software to make it happen. Some, such as Chinese state-owned networks China Mobile, China Telecom, China Unicom, CITIC Telecom, and PCCW Global Hong Kong, play a dominant role in routing all this traffic and use software and protocols that are severely outdated and unsafe.
None of this is speculation. There are multiple real-world examples of how SS7 and Diameter, the unsafe network signaling protocols in question, have been exploited. A group with the ability to exploit this software can access authentication data, SMS messages, location updates, and internet traffic in either real-time for active threats or store it for passive threats.
You probably aren’t a high-value target, yet your data is potentially being stored so it can one day be used against you.
The report also states how this makes it trivial for Chinese government-sponsored hacking groups to operate, but there is no proof given; an attacker can be anywhere in the world and gain access. These companies may be controlled by the Chinese state, but they could also be victims in all this. Victims with the means to make a change, though.
Your data is potentially being stored so it can one day be used against you.
The United States stopped considering Chinese interconnect providers as trusted under the Secure Networks Act so US outbound traffic isn’t routed through any of the companies in question. But if you’re talking to someone in say, South Korea, or the Bahamas, or even Five-Eye intelligence member nation New Zealand anything they send to you might be.
What does all this mean for me?
That’s the easy part, which is great.
This means you should never be sending anything to anyone unless it is end-to-end encrypted. Doing so might mean anyone can take a look at it.
This means everything. Your messages, your bank data, and especially those SMS 2FA codes from companies that do not care about your security enough to use an alternative authentication method. Like my bank (and probably yours, too).
I know I’m not important enough, nor do I have enough money for any big hacking group to care about me. The fact is, you are probably the same. That doesn’t mean we shouldn’t care; one day, I may win Mega-Millions or be elected President.
We can only do what we can, when we can. The real enablers of this sort of mess will do whatever they please.
