At some point you have to wonder how privacy and security wasnt a factor at all in the minds of engineers designing these systems- it has to be intentional, right? Did no one stop to consider how the system theyre building could be abused against the general public? Did they just not care?
> At some point you have to wonder how privacy and security wasnt a factor at all in the minds of engineers designing these systems- it has to be intentional, right?
Yes. SS7 is a half-century old, designed for a world of state telecom monopolies and a handful of tightly-peered carriers. The threat model could safely assume that only vetted operators could connect. It's unlikely that anyone involved believed that SS7 would still exist in 2000, much less 2025.
Almost as crazy as email and HTTP being designed without encryption, amirite?
SS7 dates from the early 1980s, as do SMTP (1981) and HTTP (1989). In all three cases people build the simplest thing that works and then hacked on it as new requirements arose. The main problem is that the telco world is very conservative and closed-source, so while we've had HTTPS and encrypted IMAP etc for a while now, SS7 hasn't gotten similar upgrades.
As I understand, it's very roughly comparable to BGP.
It's not the same protocol of course and doesn't do the same thing, but it's used in the same scenarios and has a similar level of security and importance.
And both are peer to peer - you can agree with one of your peers to secure your BGP session, but it won't have much impact on the global network, of which your BGP sessions are only a small part. There was a talk recently released from DEFCON33 about the phone system, where it was mentioned that to bypass authentication, spammers seek out carriers with old TDM systems which can't support authentication, and might even be their main customers. This is like that. All of your peerings may be secure, but if you start blocking calls you got relayed from 4 networks away with incorrect metadata, you can't tell if it's fake data or if one of those intermediary networks messed up the metadata on a legitimate call, and you will block legitimate calls and lose customers. Networks are weird systems where politics, not specifications, dominate.
My perspective is that at some point you have to consider that security wasn't as great of a threat actor in the 1980's. Even only in the last decade have we seen us move from IT security to more cyber security measures for the average organization.
Those systems were designed with security in mind for the environment and threat model of that time. It is why these types of things are grandfathered or improved upon to mitigate the latest scenarios and threat actors. The difference is that they probably couldn't foresee that it would remain the foundation for so long, and what todays world would look like.
It starts as a shoehorn to solve a relatively (initially at least) uncommon bridging problem.
Later such things are grandfathered in having never been properly designed or funded for security, etc.
Signalling System 7, or SS7, is a decades-old set of protocols that allows phone networks to communicate with one another, routing messages and calls across borders.
It was never designed with security in mind, and while operators have moved to more secure evolutions with 4G and 5G, they still need to maintain backwards compatibility with SS7. This is likely to remain the case for years if not decades to come.
Phone networks need to know where users are in order to route text messages and phone calls.
Operators exchange signalling messages to request, and respond with, user location information. The existence of these signalling messages is not in itself a vulnerability.
The issue is rather that networks process commands, such as location requests, from other networks, without being able to verify who is actually sending them and for what purpose.
Most likely security was a factor, and they did care, but in all the wrong ways. See this post about 2G, but SS7 was (and is, hence it has not been upgraded) probably under the same pro-surveillance pressure:
Is there anything a common person can do to help reduce the likelihood of their phone being tracked via SS7? (other than not carrying a phone or disabling the mobile network)
It's actually moderately easy: get 3 phone numbers. One you make public (#1), the one that everybody knows. The third one (#3) you never make public and it's the one you take with you in your mobile phone. It's preferable to get this number illicit - not in your name.
Put #1 and #2 SIM cards in two WWAN modems in a device (laptop?) you always keep at home, or at work if you don't want your home location known. Cross-connect the two modems by software (Asterisk?) such that if a call comes in from #1, it's forwarded through #2 modem to #3 (your mobile phone) and if you dial #2 from your mobile phone, you get a dial tone on #1 modem.
Disadvantages:
- No call ID. You'll never know who calls you and can't immediately save their number without looking at the call logs at home.
- You must store all phone numbers with #2 as prefix, a pause, then the actual phone number as extension.
PS: It's possibly even simpler than that. Forget #2. Use a VoIP app to connect to laptop's PBX from the mobile phone. That way you can even block all calls in/out from your mobile phone (PIN2 required) and only allow internet.
At some point you have to wonder how privacy and security wasnt a factor at all in the minds of engineers designing these systems- it has to be intentional, right? Did no one stop to consider how the system theyre building could be abused against the general public? Did they just not care?
> At some point you have to wonder how privacy and security wasnt a factor at all in the minds of engineers designing these systems- it has to be intentional, right?
Yes. SS7 is a half-century old, designed for a world of state telecom monopolies and a handful of tightly-peered carriers. The threat model could safely assume that only vetted operators could connect. It's unlikely that anyone involved believed that SS7 would still exist in 2000, much less 2025.
https://www.eff.org/deeplinks/2024/07/eff-fcc-ss7-vulnerable...
Almost as crazy as email and HTTP being designed without encryption, amirite?
SS7 dates from the early 1980s, as do SMTP (1981) and HTTP (1989). In all three cases people build the simplest thing that works and then hacked on it as new requirements arose. The main problem is that the telco world is very conservative and closed-source, so while we've had HTTPS and encrypted IMAP etc for a while now, SS7 hasn't gotten similar upgrades.
As I understand, it's very roughly comparable to BGP.
It's not the same protocol of course and doesn't do the same thing, but it's used in the same scenarios and has a similar level of security and importance.
And both are peer to peer - you can agree with one of your peers to secure your BGP session, but it won't have much impact on the global network, of which your BGP sessions are only a small part. There was a talk recently released from DEFCON33 about the phone system, where it was mentioned that to bypass authentication, spammers seek out carriers with old TDM systems which can't support authentication, and might even be their main customers. This is like that. All of your peerings may be secure, but if you start blocking calls you got relayed from 4 networks away with incorrect metadata, you can't tell if it's fake data or if one of those intermediary networks messed up the metadata on a legitimate call, and you will block legitimate calls and lose customers. Networks are weird systems where politics, not specifications, dominate.
My perspective is that at some point you have to consider that security wasn't as great of a threat actor in the 1980's. Even only in the last decade have we seen us move from IT security to more cyber security measures for the average organization.
Those systems were designed with security in mind for the environment and threat model of that time. It is why these types of things are grandfathered or improved upon to mitigate the latest scenarios and threat actors. The difference is that they probably couldn't foresee that it would remain the foundation for so long, and what todays world would look like.
Companies driver is money and PMF, not what’s right.
It starts as a shoehorn to solve a relatively (initially at least) uncommon bridging problem.
Later such things are grandfathered in having never been properly designed or funded for security, etc.
There are a huge amount of people that don't spend time thinking about ways thing can be misused.
Most likely security was a factor, and they did care, but in all the wrong ways. See this post about 2G, but SS7 was (and is, hence it has not been upgraded) probably under the same pro-surveillance pressure:
https://news.ycombinator.com/item?id=25284892
I doubt it’s the engineers. They just build what someone else has requested, they can provide suggestions and suggestions can be ignored.
They were and still are dumb and naive. This comment is going to be downvoted.
You're not wrong.
I've seen so many things announced that make me ask myself "But, why?".
Here, have a downvote for playing victim.
Is there anything a common person can do to help reduce the likelihood of their phone being tracked via SS7? (other than not carrying a phone or disabling the mobile network)
It's actually moderately easy: get 3 phone numbers. One you make public (#1), the one that everybody knows. The third one (#3) you never make public and it's the one you take with you in your mobile phone. It's preferable to get this number illicit - not in your name.
Put #1 and #2 SIM cards in two WWAN modems in a device (laptop?) you always keep at home, or at work if you don't want your home location known. Cross-connect the two modems by software (Asterisk?) such that if a call comes in from #1, it's forwarded through #2 modem to #3 (your mobile phone) and if you dial #2 from your mobile phone, you get a dial tone on #1 modem.
Disadvantages:
PS: It's possibly even simpler than that. Forget #2. Use a VoIP app to connect to laptop's PBX from the mobile phone. That way you can even block all calls in/out from your mobile phone (PIN2 required) and only allow internet.dupe: https://news.ycombinator.com/item?id=45584498
related, not dupe
Duplicate discussion. The post is part of the same report and the discussion is over there.
SS7 strikes again!
[dupe] https://news.ycombinator.com/item?id=45584498
no u
https://news.ycombinator.com/item?id=45599695
SS7 will never die