kevin_nisbet 23 hours ago [-]
This was a fairly interesting read, but some of the claims struck me as fairly circumstantial. I ended up almost writing a novel of a comment, but will try and save everyone from that by summarizing.
I started my career in Wireless Telecom, and some of my work was directly on Diameter Routing and working with roaming partners on technical problems.
The SIM card stuff I have no expertise on, so I won't comment on that.
There are a couple of important things to note which I think the report misses.
The first is what a cellular network does for tracking a user. It's not returning a set of GPS coordinates. A cellular network has a problem to solve, which is on which radios do we transmit that the device should wake up from idle about an incoming call (or SMS or packet). We could not track this at all, and then the entire bandwidth is spent notifying the entire country about every call. On the other side we could track this down to every radio, but then you have the problem of your entire network is just signaling traffic about changes in the best radio to reach a device. A tree swaying in the wind causes constant updates type of idea.
So we break the network up into areas, and if the device moves and sees a beacon from a tower that it's in a new area, it tells the network to update its location records. There is a slightly more precise record which is the Cell ID, but the device doesn't need to keep it up to date. So in the report when you see the references to the Cell ID/E-UTRAN Global Cell Identity, and LAC/TAI this is the concept those identifiers tie to.
There are databases that can map the Cell identities to GPS locations, and you can think of that as the assignment to the tower, although there are some deviations that occur (remote locations for a radio, etc). So most often you're not getting the GPS location of the device, you're getting the tower. This is still a privacy implication, and gets more precise over time as the radio networks get more and more dense to support higher speeds. But still might be dozens of km away from the actual device location.
I ended up writing a novel, but need to cut it down. So a bunch of the evidence cited on the Diameter protocol and DNS behaviour on GPRS DNS I don't think is as strong as one might conclude when reading the report.
What particularly struck me was the DNS NXDomain as an indicator of trade craft to conceal the source, that they refer to several times. To me this is an expected behaviour on roaming DNS if the source network used to make the query does not have a roaming agreement with the other provider. The DNS specifications by the GSMA are a bit awkward, and I've been bitten by them several times, but they don't carry the same DNS related expectations as you would expect on the internet. On the open internet, you expect to see a delegation from com to ycombinator, and to be able to follow that to ycombinator. This isn't the case on the roaming exchange networks, firewalls and answers are only opened up when there is an agreement. So if this provider is a small fry, there might not be many agreements in place, and it's not weird to get back an NXDomain or timeout. This does depend on whether it was the roots or the provider certs that provided the response that they don't go into detail.
Some of the Diameter related statements also struck me as not having a complete understanding of the technology, and suggesting a direct link to trade craft. Things like the Origin-Host and Route-Record 1 being the same, while perhaps a technical violation of the standard, have no impact, and can just as easily be explained by a network operator not wanting to advertise internal details to the rest of the world. Similarly, with the IPX provider not detecting the mismatch between realm and host, I'm not even sure that's expected or how they would do it, although from an analysis perspective it is a clear screw up from the adversary that revealed it. But I don't remember sufficient information getting exchanged between providers that would actually allow an enforcement over those fields, but I could be wrong. Also keep in mind, it wasn't just the roaming exchange that didn't enforce it, all the networks also failed to enforce it. And now the adversary might just see this report and fix their bug, so it's not like that enforcement would've completely changed the situation. But they do have a point that if enforced, it might've been detectable earlier that there was a bad actor present.
There are also alternative and reasonable explanations for some of the other claims, like was 019Mobile the one actually relaying the messages, or was the second hop tricked into accepting messages, and the adversary was just impersonating 019Mobile. That shifts things around a bit, they talk at length about 019Mobile being the source of these messages, but while likely, there are other plausible explanations for the origins of those messages.
There are also some technical details they got wrong, but probably not in material ways.
So it's an interesting report, it seems like there is a real operation going on, just that I take issue with much of the evidence cited that I think many readers may draw a stronger conclusion from than they should.
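The comment above says that enforcing consistency between the Diameter Origin-Host, Origin-Realm and Route-Record AVPs at the roaming exchange might have made a bad actor detectable earlier, while also noting that Origin-Host equalling the first Route-Record is not by itself suspicious. The checker below is an added example written for this thread; it is not code from the report, from any IPX provider, or from the commenter. It assumes the interconnect knows which PLMN each peer link is contracted to carry (the commenter is unsure whether enough information is exchanged for that), uses the 3GPP realm pattern `<service>.mnc<MNC>.mcc<MCC>.3gppnetwork.org`, and all messages, host names and PLMN codes (the 001/xxx test range) are constructed.

```python
"""Origin consistency checks on Diameter messages at a roaming interconnect.

Added example, not code from the thread, the report or any IPX provider.
It compares Origin-Host, Origin-Realm and the first Route-Record AVP of a
message with the PLMN the delivering peer link is contracted for.  The peer
table, messages and PLMN codes (001/xxx test range) are constructed, and the
existence of a per-link PLMN table at the interconnect is an assumption.
"""
import re
from dataclasses import dataclass, field

# Matches a 3GPP realm or any host name below one, capturing MNC then MCC.
PLMN_RE = re.compile(r"^(?:[a-z0-9-]+\.)*mnc(\d{3})\.mcc(\d{3})\.3gppnetwork\.org$")


@dataclass
class DiameterMsg:
    origin_host: str
    origin_realm: str
    route_records: list = field(default_factory=list)


def plmn_of(name: str):
    """(MCC, MNC) encoded in a 3GPP realm/host name, or None if not 3GPP-shaped."""
    m = PLMN_RE.match(name.lower())
    return (m.group(2), m.group(1)) if m else None


def check_origin(msg: DiameterMsg, peer_plmns: set) -> list:
    """Findings as 'SEVERITY:code'.  peer_plmns: PLMNs the link that delivered
    msg is contracted to carry.  An empty list means the message is consistent."""
    findings = []
    host = msg.origin_host.lower()
    realm = msg.origin_realm.lower()
    realm_plmn = plmn_of(realm)
    if realm_plmn is None:
        findings.append("HIGH:origin-realm-not-3gpp-format")
    elif realm_plmn not in peer_plmns:
        findings.append("HIGH:origin-realm-plmn-not-assigned-to-peer")
    if not host.endswith("." + realm):
        host_plmn = plmn_of(host)
        if host_plmn and realm_plmn and host_plmn != realm_plmn:
            # host claims membership of one network, realm claims another
            findings.append("HIGH:origin-host-plmn-differs-from-realm")
        else:
            findings.append("MEDIUM:origin-host-outside-origin-realm")
    if msg.route_records and msg.route_records[0].lower() == host:
        # A deviation from the usual RFC 6733 pattern, but, as the comment
        # notes, also what an operator hiding internal topology produces.
        findings.append("INFO:route-record-equals-origin-host")
    return findings


# Constructed samples; 001/001 and 001/002 are test-range PLMNs, not operators.
HOME = {("001", "001")}
OTHER = {("001", "002")}

CONSISTENT = DiameterMsg(
    "hss01.epc.mnc001.mcc001.3gppnetwork.org",
    "epc.mnc001.mcc001.3gppnetwork.org",
    ["dra1.epc.mnc001.mcc001.3gppnetwork.org"],
)
HOST_REALM_MISMATCH = DiameterMsg(
    "hss01.epc.mnc001.mcc001.3gppnetwork.org",
    "epc.mnc002.mcc001.3gppnetwork.org",
    ["dra1.epc.mnc002.mcc001.3gppnetwork.org"],
)
SELF_ROUTED = DiameterMsg(
    "mme01.epc.mnc001.mcc001.3gppnetwork.org",
    "epc.mnc001.mcc001.3gppnetwork.org",
    ["mme01.epc.mnc001.mcc001.3gppnetwork.org"],
)


def run_samples() -> dict:
    return {
        "consistent": check_origin(CONSISTENT, HOME),
        "host_realm_mismatch": check_origin(HOST_REALM_MISMATCH, OTHER),
        "self_routed": check_origin(SELF_ROUTED, HOME),
        "wrong_link": check_origin(CONSISTENT, OTHER),
    }


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(f"{name}: {findings or ['ok']}")
```

The severities encode the commenter's ranking: a host/realm PLMN mismatch is the "clear screw up" worth alerting on, the repeated Route-Record is informational only, and a realm arriving on a link not contracted for that PLMN is the check that depends on the interconnect actually holding such a table.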
dsl 13 hours ago [-]
> The first is what a cellular network does for tracking a user. It's not returning a set of GPS coordinates.
From the perspective of someone working on the RF side of cellular networks, you are absolutely correct.
Modern cellphone baseband chips however are required to implement MT-LR, which allows the network to request that the device respond with its latitude and longitude. In the US this is legally required to be accurate to within 300 meters, so it comes from GPS or AGPS. By sending LAWFUL_INTERCEPT_SERVICES as the client type in the request, the phone is required to not notify the user in any way or log the request.
There is a reason China has been caught with their hand in the US "lawful intercept" cookie jar at least three times.
leonidasrup 12 hours ago [-]
The good old lawful interception capabilities, like in the Greek wiretapping case of 2004–05, also referred to as Greek Watergate.
https://en.wikipedia.org/wiki/Greek_wiretapping_case_2004%E2...
"involved the illegal tapping of more than 100 mobile phones on the Vodafone Greece network belonging mostly to members of the Greek government and top-ranking civil servants."
"In September 2011, new evidence emerged indicated the US Embassy in Athens was behind the telephone interceptions."
bondarchuk 9 hours ago [-]
>In the US this is legally required to be accurate to within 300 meters, so it comes from GPS or AGPS.
Does that mean GPS is used by the baseband chip even when I disable location services in the OS?
dsl 7 hours ago [-]
Yes. At this layer the OS has no say in the matter.
albixa 6 hours ago [-]
That doesn’t make much sense and seems quite nonsensical. Are you really sure about that?
And if so, wouldn’t this or how it’s possible differ greatly between phones where the GNSS and cellular radio are separate isolated components in contrast to ones where they are the same component running a unified firmware?
For example, on the most recent Google Pixels, gnss is provided by the Qualcomm baseband, with it and for example cellular implemented by separate sandboxed processes on their rtos.
Could someone confirm if they do any non consensual data sharing?
But on the ones with Exynos modem, GNSS is a separate chip from a different company (Broadcom iirc).
All the kernel drivers are open source. And the userspace gal blobs are sandboxed with selinux and other.
And the modem and GNSS chip are isolated unprivileged components, like on most modern phones similar components are.
Surely if what you said was the case that wouldn’t stand up to scrutiny, and it would be documented by all the major aosp based alternate os.
The Qualcomm modem pixels are sometimes stated as having security advantages, as Qualcomm does a better job hardening their firmware than Samsung, use a nice micro kernel.
But it is difficult to find discussions of the potential for the different functionalities provided all in one chip as sandboxed processes to share data (like WiFi bt on these pixels also on same chip iirc) without consent of OS.
If the threat model is you trust the soc, and want to rely on the Linux kernel and os to maintain separation instead of Qualcomm, don’t trust the baseband to not act maliciously, couldn’t this be considered a potential downgrade?
kevin_nisbet 5 hours ago [-]
I'm not an expert on the baseband implementations, but I have the same impression as the parent, that in the 3GPP protocols the device's location can be requested and it's processed without any OS level interaction.
How that maps into the hardware I don't know.
kevin_nisbet 9 hours ago [-]
Yup, sorry I didn't bring this side up because the article was mainly talking from the perspective of pulling the LAC/TAI from generating messages in the SS7/Diameter networks. If we want to include what a carrier can do or what lawful intercept can do it's a different story.
macintux 23 hours ago [-]
If that’s the short version, you should really write up a blog post.
leonidasrup 17 hours ago [-]
There are more precise methods than GSM Cell ID
"Multilateration: More advanced systems use the signal strength and timing from multiple adjacent cell towers to triangulate the phone's position. This is more accurate in urban areas where cell tower density is high."
https://en.wikipedia.org/wiki/Mobile_phone_tracking#Network-...
In many cases accuracy better than 200 meters can be reached.
"Database correlation method for GSM location". IEEE VTS 53rd Vehicular Technology Conference, Spring 2001 https://doi.org/10.1109%2FVETECS.2001.944052
https://3gpp-explorer.com/glossary/mta/
Absolutely, I just don't know that this can be achieved over the Diameter/SS7 network between carriers, which the report was alleging access to the RAC/TAI and Cell IDs. So if the threat actor has a different level of access to an individual network, we're talking a completely different analysis.
Sorry if I was unclear about that.
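The multilateration quoted two comments up turns per-tower timing measurements into a position, and the reply notes this needs access inside a network rather than to the inter-carrier signalling. The example below is added here to show the arithmetic and how range quantisation limits the result; it is not code from the thread or from the cited paper. The tower layout and true position are constructed, the coordinate frame is a local flat metre grid, and the 78 m range step is taken as an approximation of the LTE timing-advance granularity (16 Ts).

```python
"""Least-squares multilateration from per-tower range estimates.

Added example, not from the thread or from the cited paper.  Ranges are what
a network can derive from timing measurements; here they are computed from a
constructed ground-truth position so the recovered position can be compared
with it, both with exact ranges and with ranges quantised to a timing step.
"""
import math

# Constructed tower positions in metres (a 2 km square) and the true position.
TOWERS = [(0.0, 0.0), (2000.0, 0.0), (0.0, 2000.0), (2000.0, 2000.0)]
TRUE_POSITION = (600.0, 800.0)

# Assumed range resolution: roughly the LTE timing-advance step of 16 Ts.
RANGE_STEP_M = 78.0


def ranges_from(position, towers):
    """Distance from position to each tower (what timing would ideally give)."""
    return [math.dist(position, t) for t in towers]


def quantize(ranges, step=RANGE_STEP_M):
    """Round each range to the nearest multiple of the measurement step."""
    return [round(r / step) * step for r in ranges]


def solve_position(towers, ranges):
    """Linearise the circle equations against the first tower and solve the
    over-determined 2-unknown system through the normal equations."""
    if len(towers) < 3 or len(towers) != len(ranges):
        raise ValueError("need at least three towers with matching ranges")
    (x1, y1), d1 = towers[0], ranges[0]
    rows, rhs = [], []
    for (xi, yi), di in zip(towers[1:], ranges[1:]):
        # (x-x1)^2+(y-y1)^2-d1^2 = (x-xi)^2+(y-yi)^2-di^2, quadratic terms cancel
        rows.append((2 * (xi - x1), 2 * (yi - y1)))
        rhs.append(d1 ** 2 - di ** 2 + xi ** 2 + yi ** 2 - x1 ** 2 - y1 ** 2)
    # normal equations (A^T A) p = A^T b with A an n x 2 matrix
    a11 = sum(r[0] * r[0] for r in rows)
    a12 = sum(r[0] * r[1] for r in rows)
    a22 = sum(r[1] * r[1] for r in rows)
    b1 = sum(r[0] * v for r, v in zip(rows, rhs))
    b2 = sum(r[1] * v for r, v in zip(rows, rhs))
    det = a11 * a22 - a12 * a12
    if abs(det) < 1e-9:
        raise ValueError("towers are collinear; position is not determined")
    x = (a22 * b1 - a12 * b2) / det
    y = (a11 * b2 - a12 * b1) / det
    return (x, y)


def position_error(towers, ranges, truth):
    """Distance in metres between the solved position and the true one."""
    return math.dist(solve_position(towers, ranges), truth)


def demo():
    exact = ranges_from(TRUE_POSITION, TOWERS)
    return {
        "exact_error_m": position_error(TOWERS, exact, TRUE_POSITION),
        "quantized_error_m": position_error(TOWERS, quantize(exact), TRUE_POSITION),
    }


if __name__ == "__main__":
    for name, err in demo().items():
        print(f"{name}: {err:.1f}")
```

With exact ranges the solver returns the true position; with ranges rounded to the 78 m step the error for this layout comes out at roughly 24 m, which is the sort of figure behind the "better than 200 meters" claim, and it grows as towers get sparser or more nearly collinear.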
fmajid 1 days ago [-]
You can’t really call it an exploit when SS7 and its layered protocols like MAP have basically zero security measures whatsoever.
fulafel 17 hours ago [-]
You can call it exploitation, as the article does, which means something different.
> 019Mobile is a privately owned Israeli-based mobile operator under the brand “Telzar 019.” The GSMA website shows they began providing mobile services in 2013, and are the “sole supplier of outbound and inbound roaming services in Israel’s International airport.”
So, basically, almost everyone entering and leaving Israel (the only other border crossings possible are through Jordan and Egypt) will be forced to pass through an area where there is exactly one phone network operator reachable. Even assuming this provider is not a sketchy Mossad front, it by its presence alone is amongst the juiciest targets possible for any kind of surveillance apparatus.
Mossad fronts don't tell you they're Mossad fronts.
megous 11 hours ago [-]
So you can send a binary SMS to a phone that will pass it to SIM and SIM will interpret it via bytecode, to execute whatever, incl. making the phone send an outgoing SMS, with requested data, silently, wtf? :D And this is a normal documented thing.
I gather that paranoid people did not exist/have power back then, when this was designed.
ale42 10 hours ago [-]
Most people outside the field don't know much about all the internals of phones, SIMs, etc., unfortunately...
Reminds me of two articles about SIM cards autonomously sending SMS messages (found here on HN long time ago, probably)
https://medium.com/telecom-expert/what-is-at-t-doing-at-1111...
https://medium.com/telecom-expert/more-proactive-sims-f8da2e...
I understand why a network would like to be able to do this. I suppose that is why it was written into the standard, and I suppose since it's an obscure feature, networks didn't implement firewalls blocking such messages coming from other networks.
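The comment above suggests networks did not deploy firewalls for SIM-bound messages arriving from other networks. Below is an added example of what such a filter keys on; it is not code from the thread or from any operator's SMS firewall. The field layout follows 3GPP TS 23.040 (SMS-DELIVER), which reserves TP-PID 0x7F for (U)SIM Data download, and TS 23.038, which defines message class 2 as (U)SIM-specific; both markers tell the handset to hand the payload to the SIM. The sample TPDUs, the numbers in them and the allow-list of OTA platform addresses are constructed.

```python
"""Classifying inbound SMS-DELIVER TPDUs that are addressed to the SIM.

Added example, not code from the thread or from any network's SMS firewall.
TPDU layout per 3GPP TS 23.040; TP-PID 0x7F and TP-DCS class 2 mark
messages the handset passes to the (U)SIM.  Sample TPDUs, numbers and the
OTA allow-list are constructed for this example.
"""
from dataclasses import dataclass

SIM_DATA_DOWNLOAD_PID = 0x7F  # TS 23.040 TP-PID value for (U)SIM Data download


@dataclass
class SmsDeliver:
    originating_address: str
    udhi: bool        # TP-UDHI: user data starts with a header
    pid: int          # TP-PID
    dcs: int          # TP-DCS
    user_data: bytes  # TP-UD, raw


def _decode_semi_octets(raw: bytes, digit_count: int) -> str:
    # digits are packed low nibble first; an odd count is padded with 0xF
    digits = []
    for b in raw:
        digits.append(str(b & 0x0F))
        digits.append(str(b >> 4))
    return "".join(digits[:digit_count])


def parse_sms_deliver(tpdu: bytes) -> SmsDeliver:
    first = tpdu[0]
    if first & 0x03 != 0x00:            # TP-MTI 00 = SMS-DELIVER
        raise ValueError("not an SMS-DELIVER TPDU")
    udhi = bool(first & 0x40)
    digit_count = tpdu[1]               # TP-OA length in digits
    type_of_address = tpdu[2]
    addr_len = (digit_count + 1) // 2
    address = _decode_semi_octets(tpdu[3:3 + addr_len], digit_count)
    if type_of_address & 0x70 == 0x10:  # type-of-number: international
        address = "+" + address
    pos = 3 + addr_len
    pid, dcs = tpdu[pos], tpdu[pos + 1]
    pos += 2 + 7                        # skip TP-PID, TP-DCS, 7-octet TP-SCTS
    udl = tpdu[pos]
    user_data = bytes(tpdu[pos + 1:pos + 1 + udl])
    return SmsDeliver(address, udhi, pid, dcs, user_data)


def is_class2(dcs: int) -> bool:
    """Message class 2 ('(U)SIM specific') per the TP-DCS coding groups."""
    general = (dcs & 0xC0) == 0x00 and (dcs & 0x10) != 0   # 00xx group, class bit set
    data_group = (dcs & 0xF0) == 0xF0                        # 1111 group
    return (general or data_group) and (dcs & 0x03) == 0x02


def classify(tpdu: bytes, ota_allowlist: set) -> str:
    """Policy a home network could apply to SMS arriving over interconnect."""
    msg = parse_sms_deliver(tpdu)
    sim_bound = msg.pid == SIM_DATA_DOWNLOAD_PID or is_class2(msg.dcs)
    if not sim_bound:
        return "ALLOW:ordinary"
    if msg.originating_address in ota_allowlist:
        return "ALLOW:ota-from-known-platform"
    return "BLOCK:sim-data-download-from-unknown-origin"


# Constructed sample TPDUs (hex): first octet, TP-OA, TP-PID, TP-DCS,
# TP-SCTS (arbitrary timestamp), TP-UDL, TP-UD.
ORDINARY_TEXT = bytes.fromhex(
    "04" "0B" "91" "5155100021F3" "00" "04" "52501021300000" "05" "48656C6C6F")
SIM_DOWNLOAD_UNKNOWN_ORIGIN = bytes.fromhex(
    "04" "0B" "91" "5155100021F3" "7F" "F6" "52501021300000" "03" "010203")
SIM_DOWNLOAD_KNOWN_ORIGIN = bytes.fromhex(
    "04" "0B" "91" "5155100099F9" "7F" "F6" "52501021300000" "03" "010203")

# Assumed: the home operator's own OTA platform sends from this number.
OTA_ALLOWLIST = {"+15550100999"}


def run_samples() -> dict:
    return {
        "ordinary": classify(ORDINARY_TEXT, OTA_ALLOWLIST),
        "unknown_origin": classify(SIM_DOWNLOAD_UNKNOWN_ORIGIN, OTA_ALLOWLIST),
        "known_origin": classify(SIM_DOWNLOAD_KNOWN_ORIGIN, OTA_ALLOWLIST),
    }


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name}: {verdict}")
```

The originating address is the weakest part of such a policy, since it is supplied by the sending network; a real deployment would also key on which interconnect link the message arrived over, as the Diameter discussion earlier in the thread does for realms.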
trashb 8 hours ago [-]
SIM cards are Oracle Java Card.
There are companies offering services and SIM (java card) applets for card management and other functions. Also, there are opensource applets.
https://github.com/crocs-muni/javacard-curated-list#mobile-t...