54 comments

[ 3.5 ms ] story [ 103 ms ] thread
(comment deleted)
Meanwhile, everyone else is tracking movements for Coronavirus, so if we get a response, I expect them to say the same thing.
It might be hard to sell the idea that you're tracking people in another country for that. The data is on a miniscule number of peope in the US and you're missing a lot of data you'd need for a reasonable analysis.

All of which is to say yeah, they're probably going to.

They could say they were tracking their citizens well-being
Is that not the point of the 5 eyes?

As long as other countries spy on our citizens, and share the data with our government, there is no problem!

how granular is ss7 psl data? if it's decades old i suspect it isn't gps coords or anything (not diminishing the seriousness of this; mostly curious about whether this is something the rest of us should be worrying about)
From the article: "users could probably have been tracked on a map to within hundreds of metres of accuracy in a city."
>within hundreds of metres of accuracy in a city

or basically a few city blocks.

"how granular is ss7 psl data?"

It's not based on physical distance or geography - it is based on the cell "tower".

Basically, SS7 will tell you which cellular base station the mobile handset is registered on.

There are easily accessible, public lookups of the location of all of those "cell towers".

I use a micro/femto cell at home because of poor reception from the big towers. If they had access to those records, they could locate me to the street address (needed for E-911 service) now that I'm under a stay-home order.
Doesn't WiFi calling render microcells irrelevant?
Most likely. But I don't have a phone with that service, so this is what I've got. ;)
Get in line Saudis, there are a lot of people doing phone spying campaigns in the US.
In addition to letting you read someone's location, SS7 lets you intercept their SMS messages. This is used by, for instance, criminal groups to intercept 2fa codes or go through SMS-based password reset flows and log into peoples' bank accounts:

https://www.vice.com/en_us/article/mbzvxv/criminals-hackers-...

Almost everyone have a smartphone. Bank app is much more secure than SMS, because HTTPS allows to encrypt information all the way from bank server to the end device. It's possible to create a much more pleasant UI with single touch rather than typing that OTP. And it's even possible to create more secure solution by requiring fingerprint.

And if Apple and Google would implement some kind of universal solution, every website could utilize this technology making 2FA more secure and usable.

It's kind of strange that we're still using SMS so widely.

Also SMS is not that cheap, while push is free.

Sure, SMS is fine as a fallback option, just like voice call is fine as a fallback option for SMS, but that's about it.

It's getting more ubiquitous with touch id. At least in the common case.
Sign In with Apple and Google’s equivalent are supposed to be the solution to both passwords and 2FA.
Are there any US consumer bank accounts that can be configured for 2FA other than SMS?

In the brokerage space, Robinhood accepts TOTP and Fidelity accepts Symantec VIP (proprietary TOTP-alike). But I don't know of any checking or savings accounts that can be protected this way.

USAA
Ugh, USAA's 2-factor solution is such a pain in the butt. You can get a login token from their mobile app, but it's not very easy to find.

I really wish they would just support U2F or FIDO.

Wells Fargo supports RSA tokens. The HW ones. TOTP or similar? Not so much, sadly.

https://twofactorauth.org/ is actually quite decent at tracking that sort of stuff

FYI, you can use this utility to get the Symantec TOTP code into a standard TOTP program like Authy or Google Authenticator:

https://github.com/dlenski/python-vipaccess

Woah, interesting! I thought TOTP used a shared secret rather than asymmetric encryption. The only thing I had to give Fidelity was the credential ID. Is that enough to generate or verify codes? It does that require key material that only Symantec has?
Schwabb gives you an rsa token for the asking.
Using SMS only as a fallback option is useless because the authentication chain is only as strong as the weakest link.

Bank apps need to be easy to reset if you lose your phone but if you can do that just by receiving an SMS, or by entering a password you can reset using SMS, the system is easily broken.

This isn't spying and the US would not be the only country involved.

Carriers track their own subscribers' locations no matter which network they are on. Inter-carrier roaming agreements require this ability. So it appears the Saudis has a new use for it.

The increased focus on SS7 security actually increases reliance on inter-carrier PSI. PSI is sent to the last known serving MSC to retrieve the number of minutes since last network contact. This info is used to enable a velocity check against a network attached request coming from a new country. It's this type of check that combats SMS interception.

>This isn't spying

Huh? Care to explain this odd take?

Obtaining information about someone's location w/o their permission, by agents of a foreign power, seems pretty textbook spying.

This is rather a "man bites dog" title ;)

Edit: It's also hardly worth reporting, or at least, with the sense of outrage that I get from it. I mean, anyone who cared would realize that the Saudis would track and snoop on cellphone users, no matter where they were. And so nobody who cared about that would use their Saudi phone. They'd just buy a phone at Walmart or wherever.

>anyone who cared would realize that the Saudis would track and snoop on cellphone users, no matter where they were. And so nobody who cared about that would use their Saudi phone. They'd just buy a phone at Walmart or wherever.

That's a very victim blame-y take.

Most people are not HN readers and have no idea what SS7 is.

Even if they know about cell tower tracking they'd probably expect that info would not be handed over by the USA to KSA.

OK, so I'm not Saudi, and perhaps I'm way off base here. But I find it hard to imagine that Saudis -- or at least Saudis who'd be traveling in the US -- wouldn't assume that their government is tracking and monitoring them. Indeed, I'd expect that awareness to be more common in Saudi Arabia than in the US, because the US at least pretends to honor human rights.

Also, an expectation of surveillance doesn't depend on understanding the technology.

>OK, so I'm not Saudi, and perhaps I'm way off base here. But I find it hard to imagine that Saudis -- or at least Saudis who'd be traveling in the US -- wouldn't assume that their government is tracking and monitoring them.

Yes, "they should expect they will have their human rights violated on US soil and it's on them to buy a burner" is off base.

Anyone legally in the United States (including tourists) gets constitutional protections.

You can expect whatever you want but illegal spying on US soil by an authoritarian regime is absolutely a news story.

Every embassy is a spy outpost, but they usually leave people who aren't at least semi-public figures alone.

Then again, maybe everyone is abusing SS7 and KSA is just who got caught with their hand in the cookie jar.

> Yes, "they should expect they will have their human rights violated on US soil and it's on them to buy a burner" is off base.

If that's the case, Saudi censorship is more effective than I'd imagined.

> Anyone legally in the United States (including tourists) gets constitutional protections.

In theory, yes. In practice, it's prudent to assume that the NSA sees everything.

> Then again, maybe everyone is abusing SS7 and KSA is just who got caught with their hand in the cookie jar.

That's my default assumption.

It'd be cool to know what Saudis generally believe about their government's surveillance policies. Anyone have any links?
The home carrier does need some information in order to charge the customer the correct amount (and apply any promotions for roaming rates when roaming in certain places).

Also, location data makes it easier to handle disputes in case customers see unexpected charges on their bill and dispute a charge. A place like "Kettleman City" might seem unfamiliar, but if your carrier could also show you that you made calls from Los Angeles the day before, you could reasonably conclude it was a call made while driving in California and not an erroneous charge.

So there is a balance to strike here.

The difference is the level of government access to the location data though. The legal standard in the US is that the government must obtain a warrant to access cell site location information[1].

In Saudi, telecoms are pretty much controlled by the government and can see everything.

Perhaps the best option for those who live in authoritarian countries is to remove your SIM card while roaming and have a voicemail message asking people to email you.

1. https://en.wikipedia.org/wiki/Carpenter_v._United_States

> The legal standard in the US is that the government must obtain a warrant to access cell site location information[1].

Sure. But it's pretty clear that the NSA ignores laws.

> Perhaps the best option for those who live in authoritarian countries is to remove your SIM card while roaming and have a voicemail message asking people to email you.

Or just leave the phone at home. If for no other reason, because it'll likely get inspected when you enter the US.

Leaving the phone at home is harder than it sounds for people who fly long distances. It means you're 24+ hours, 3 planes and two layovers, plus taxi rides or rental cars, without a phone.

And you have to then communicate your temporary local phone number to your existing contacts, including your boss/coworkers and your family, but somehow do that without your phone. Not impossible, but very annoying. And you might need your phone for 2FA login to your work email.

Why the heck are the Saudi's still considered 'allies' of the US. Besides the long-running terrorism concerns, there's the murder of Khashoggi, them spying not just on their own citizens but also on US ones, and they are currently waging a war against our domestic oil producers. With 'friends' like that who needs enemies?
Everybody spies on each other. That isn't particularly notable.
Because a) oil and b) Trump properties making his kids (and himself of course) billions.
Wow I didn’t realize Trump was the first President to snuggle up with the Saudis. Oh wait he wasn’t. Unless Trump was alive and President in 1945.

https://en.wikipedia.org/wiki/Saudi_Arabia%E2%80%93United_St...

Hmm. Snuggle getting benefits for the US - kinda ok. Snuggle getting personal profits for Trump and his kids - nope.

You don't differentiate?

The relationship with Saudi's didn't start with Trump's presidency.
What is the issue here? Does the US not spy on pretty much every other country and its people?
They probably don't like that very much either.
Looks like as long as the victims stop using their Saudi Sim cards, they won't be able to be tracked because this relies on roaming.

Saudi carriers might mysteriously offer "special exclusive roaming deals" so they can keep tracking

Oddly specific use-case. This only tracks the location of folks with Saudi sim-cards using roaming in the US. Even then, only down to the tower. Now that the guardian has blown the lid off, I expect this is largely worthless for them now.