It might be hard to sell the idea that you're tracking people in another country for that. The data is on a miniscule number of peope in the US and you're missing a lot of data you'd need for a reasonable analysis.
All of which is to say yeah, they're probably going to.
how granular is ss7 psl data? if it's decades old i suspect it isn't gps coords or anything (not diminishing the seriousness of this; mostly curious about whether this is something the rest of us should be worrying about)
I use a micro/femto cell at home because of poor reception from the big towers. If they had access to those records, they could locate me to the street address (needed for E-911 service) now that I'm under a stay-home order.
In addition to letting you read someone's location, SS7 lets you intercept their SMS messages. This is used by, for instance, criminal groups to intercept 2fa codes or go through SMS-based password reset flows and log into peoples' bank accounts:
Almost everyone have a smartphone. Bank app is much more secure than SMS, because HTTPS allows to encrypt information all the way from bank server to the end device. It's possible to create a much more pleasant UI with single touch rather than typing that OTP. And it's even possible to create more secure solution by requiring fingerprint.
And if Apple and Google would implement some kind of universal solution, every website could utilize this technology making 2FA more secure and usable.
It's kind of strange that we're still using SMS so widely.
Also SMS is not that cheap, while push is free.
Sure, SMS is fine as a fallback option, just like voice call is fine as a fallback option for SMS, but that's about it.
Are there any US consumer bank accounts that can be configured for 2FA other than SMS?
In the brokerage space, Robinhood accepts TOTP and Fidelity accepts Symantec VIP (proprietary TOTP-alike). But I don't know of any checking or savings accounts that can be protected this way.
Woah, interesting! I thought TOTP used a shared secret rather than asymmetric encryption. The only thing I had to give Fidelity was the credential ID. Is that enough to generate or verify codes? It does that require key material that only Symantec has?
Using SMS only as a fallback option is useless because the authentication chain is only as strong as the weakest link.
Bank apps need to be easy to reset if you lose your phone but if you can do that just by receiving an SMS, or by entering a password you can reset using SMS, the system is easily broken.
This isn't spying and the US would not be the only country involved.
Carriers track their own subscribers' locations no matter which network they are on. Inter-carrier roaming agreements require this ability. So it appears the Saudis has a new use for it.
The increased focus on SS7 security actually increases reliance on inter-carrier PSI. PSI is sent to the last known serving MSC to retrieve the number of minutes since last network contact. This info is used to enable a velocity check against a network attached request coming from a new country. It's this type of check that combats SMS interception.
Edit: It's also hardly worth reporting, or at least, with the sense of outrage that I get from it. I mean, anyone who cared would realize that the Saudis would track and snoop on cellphone users, no matter where they were. And so nobody who cared about that would use their Saudi phone. They'd just buy a phone at Walmart or wherever.
>anyone who cared would realize that the Saudis would track and snoop on cellphone users, no matter where they were. And so nobody who cared about that would use their Saudi phone. They'd just buy a phone at Walmart or wherever.
That's a very victim blame-y take.
Most people are not HN readers and have no idea what SS7 is.
Even if they know about cell tower tracking they'd probably expect that info would not be handed over by the USA to KSA.
OK, so I'm not Saudi, and perhaps I'm way off base here. But I find it hard to imagine that Saudis -- or at least Saudis who'd be traveling in the US -- wouldn't assume that their government is tracking and monitoring them. Indeed, I'd expect that awareness to be more common in Saudi Arabia than in the US, because the US at least pretends to honor human rights.
Also, an expectation of surveillance doesn't depend on understanding the technology.
>OK, so I'm not Saudi, and perhaps I'm way off base here. But I find it hard to imagine that Saudis -- or at least Saudis who'd be traveling in the US -- wouldn't assume that their government is tracking and monitoring them.
Yes, "they should expect they will have their human rights violated on US soil and it's on them to buy a burner" is off base.
Anyone legally in the United States (including tourists) gets constitutional protections.
You can expect whatever you want but illegal spying on US soil by an authoritarian regime is absolutely a news story.
Every embassy is a spy outpost, but they usually leave people who aren't at least semi-public figures alone.
Then again, maybe everyone is abusing SS7 and KSA is just who got caught with their hand in the cookie jar.
The home carrier does need some information in order to charge the customer the correct amount (and apply any promotions for roaming rates when roaming in certain places).
Also, location data makes it easier to handle disputes in case customers see unexpected charges on their bill and dispute a charge. A place like "Kettleman City" might seem unfamiliar, but if your carrier could also show you that you made calls from Los Angeles the day before, you could reasonably conclude it was a call made while driving in California and not an erroneous charge.
So there is a balance to strike here.
The difference is the level of government access to the location data though. The legal standard in the US is that the government must obtain a warrant to access cell site location information[1].
In Saudi, telecoms are pretty much controlled by the government and can see everything.
Perhaps the best option for those who live in authoritarian countries is to remove your SIM card while roaming and have a voicemail message asking people to email you.
> The legal standard in the US is that the government must obtain a warrant to access cell site location information[1].
Sure. But it's pretty clear that the NSA ignores laws.
> Perhaps the best option for those who live in authoritarian countries is to remove your SIM card while roaming and have a voicemail message asking people to email you.
Or just leave the phone at home. If for no other reason, because it'll likely get inspected when you enter the US.
Leaving the phone at home is harder than it sounds for people who fly long distances. It means you're 24+ hours, 3 planes and two layovers, plus taxi rides or rental cars, without a phone.
And you have to then communicate your temporary local phone number to your existing contacts, including your boss/coworkers and your family, but somehow do that without your phone. Not impossible, but very annoying. And you might need your phone for 2FA login to your work email.
Why the heck are the Saudi's still considered 'allies' of the US. Besides the long-running terrorism concerns, there's the murder of Khashoggi, them spying not just on their own citizens but also on US ones, and they are currently waging a war against our domestic oil producers. With 'friends' like that who needs enemies?
True, but how many countries behead people for sorcery and witchcraft? [0]
It's mindboggling how easily people will let such things slide from our allies while mindlessly droning on about the far lesser actions of those who are perceived to be enemies.
Oddly specific use-case. This only tracks the location of folks with Saudi sim-cards using roaming in the US. Even then, only down to the tower. Now that the guardian has blown the lid off, I expect this is largely worthless for them now.
54 comments
[ 3.5 ms ] story [ 103 ms ] threadAll of which is to say yeah, they're probably going to.
As long as other countries spy on our citizens, and share the data with our government, there is no problem!
or basically a few city blocks.
It's not based on physical distance or geography - it is based on the cell "tower".
Basically, SS7 will tell you which cellular base station the mobile handset is registered on.
There are easily accessible, public lookups of the location of all of those "cell towers".
https://www.vice.com/en_us/article/mbzvxv/criminals-hackers-...
And if Apple and Google would implement some kind of universal solution, every website could utilize this technology making 2FA more secure and usable.
It's kind of strange that we're still using SMS so widely.
Also SMS is not that cheap, while push is free.
Sure, SMS is fine as a fallback option, just like voice call is fine as a fallback option for SMS, but that's about it.
In the brokerage space, Robinhood accepts TOTP and Fidelity accepts Symantec VIP (proprietary TOTP-alike). But I don't know of any checking or savings accounts that can be protected this way.
I really wish they would just support U2F or FIDO.
https://twofactorauth.org/ is actually quite decent at tracking that sort of stuff
https://github.com/dlenski/python-vipaccess
https://www.cyrozap.com/2014/09/29/reversing-the-symantec-vi...
But yes, the original author extracted a pair of shared secrets from the Symantec executable.
Bank apps need to be easy to reset if you lose your phone but if you can do that just by receiving an SMS, or by entering a password you can reset using SMS, the system is easily broken.
https://news.ycombinator.com/item?id=12163046
Carriers track their own subscribers' locations no matter which network they are on. Inter-carrier roaming agreements require this ability. So it appears the Saudis has a new use for it.
The increased focus on SS7 security actually increases reliance on inter-carrier PSI. PSI is sent to the last known serving MSC to retrieve the number of minutes since last network contact. This info is used to enable a velocity check against a network attached request coming from a new country. It's this type of check that combats SMS interception.
What is PSI? Edit: thanks!
Huh? Care to explain this odd take?
Obtaining information about someone's location w/o their permission, by agents of a foreign power, seems pretty textbook spying.
Edit: It's also hardly worth reporting, or at least, with the sense of outrage that I get from it. I mean, anyone who cared would realize that the Saudis would track and snoop on cellphone users, no matter where they were. And so nobody who cared about that would use their Saudi phone. They'd just buy a phone at Walmart or wherever.
That's a very victim blame-y take.
Most people are not HN readers and have no idea what SS7 is.
Even if they know about cell tower tracking they'd probably expect that info would not be handed over by the USA to KSA.
Also, an expectation of surveillance doesn't depend on understanding the technology.
Yes, "they should expect they will have their human rights violated on US soil and it's on them to buy a burner" is off base.
Anyone legally in the United States (including tourists) gets constitutional protections.
You can expect whatever you want but illegal spying on US soil by an authoritarian regime is absolutely a news story.
Every embassy is a spy outpost, but they usually leave people who aren't at least semi-public figures alone.
Then again, maybe everyone is abusing SS7 and KSA is just who got caught with their hand in the cookie jar.
If that's the case, Saudi censorship is more effective than I'd imagined.
> Anyone legally in the United States (including tourists) gets constitutional protections.
In theory, yes. In practice, it's prudent to assume that the NSA sees everything.
> Then again, maybe everyone is abusing SS7 and KSA is just who got caught with their hand in the cookie jar.
That's my default assumption.
Also, location data makes it easier to handle disputes in case customers see unexpected charges on their bill and dispute a charge. A place like "Kettleman City" might seem unfamiliar, but if your carrier could also show you that you made calls from Los Angeles the day before, you could reasonably conclude it was a call made while driving in California and not an erroneous charge.
So there is a balance to strike here.
The difference is the level of government access to the location data though. The legal standard in the US is that the government must obtain a warrant to access cell site location information[1].
In Saudi, telecoms are pretty much controlled by the government and can see everything.
Perhaps the best option for those who live in authoritarian countries is to remove your SIM card while roaming and have a voicemail message asking people to email you.
1. https://en.wikipedia.org/wiki/Carpenter_v._United_States
Sure. But it's pretty clear that the NSA ignores laws.
> Perhaps the best option for those who live in authoritarian countries is to remove your SIM card while roaming and have a voicemail message asking people to email you.
Or just leave the phone at home. If for no other reason, because it'll likely get inspected when you enter the US.
And you have to then communicate your temporary local phone number to your existing contacts, including your boss/coworkers and your family, but somehow do that without your phone. Not impossible, but very annoying. And you might need your phone for 2FA login to your work email.
It's mindboggling how easily people will let such things slide from our allies while mindlessly droning on about the far lesser actions of those who are perceived to be enemies.
[0] https://en.wikipedia.org/wiki/Capital_punishment_in_Saudi_Ar...
https://en.wikipedia.org/wiki/Saudi_Arabia%E2%80%93United_St...
0) https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2F...
You don't differentiate?
Saudi carriers might mysteriously offer "special exclusive roaming deals" so they can keep tracking