23 comments

[ 3.5 ms ] story [ 67.5 ms ] thread
What a non-story. I hate it when news outlets do this.

TL;DR: there's security issues with mobile networks that are being exploited and there's technically difficult solutions no one wants to implement.

No detail or analysis or anything interesting.

404 Media had much better story recently: https://m.youtube.com/watch?v=qY7gXm1YhSE
That's more like it thanks, new podcast subscribed.
This is fun to watch. I was in a project which did some SS7 integration and feel for the podcasters trying to get anywhere looking at some incomprehensible ITU reference spec. SS7 is the original out of band management and runs through the telecom system like Cobalt runs through the banking system. Saying it is an attack vector though is like saying the Swift network is an attack vector because anyone in the network is a trusted end point and can issue instructions. Most of the abuse points are from state level actors who already have other tools if this one went away and as for a darkweb hosted SS7 traffic injection as a service offering ok but it's probably not scalable or stable when its around at all. BGP has just about all the same problems for just about all the same reasons.
We don't say "state level actors" anymore, the new endorsed terminology is 'mercenary attacks'.
> BGP has just about all the same problems for just about all the same reasons.

It took a long time, but ROA is getting some traction (at least around the RIPE region, can’t say anything around ARIN). There is also a large complement of publicly accessible looking glasses that ensures BGP shenanigans don’t stay invisible for long. As far as I know, neither of those applies to SS7.

That's exactly what I expected from the combination of publisher & title upon scrolling.
Sounds like the author was just overwhelmed with complexity of the system and instantly exhausted resources allotted for research. It's kind of unfortunate.
Then they should have at least tried to read/interview a couple of experts.
The Economist does.

I've been in convos with their writers a couple times. Usually for an article like this they'll chat with 10-15 people.

For more expansive articles usually 40-50 dedicated conversations.

Why are HNers so overly dismissive about non-SWEs (even though plenty were former SWEs), especially the types who tend to give unsubstantiated comments.

They didn't cite any sources and it's a short article that doesn't answer its own question that it poses ("Why isn't this getting fixed?") I don't buy that it's about costs. Look how radically and how quickly the world financial system was changed in response to 9/11.

> Why are HNers so overly dismissive about non-SWEs

I don't even understand what that comment is supposed to mean, is it directed at me, or who? I was not dismissive and I never said they must only cite SWEs. Don't put words in my mouth please. I merely said experts. If you assumed that meant "SWEs", that's your incorrect assumption. Ask questions instead of making assumptions.

> They didn't cite any sources

They are a news source, not a published journal. The NYT does not publish sources or citations either.

Also, I absolutely would NOT want to be cited when I chat with journalists from a competitive standpoint (I've given a signal to my portfolio's competitors who I'm targeting), conflict of interest standpoint (the owner of the publication I'm talking to might have a financial interest in a competitor or my products), and a journalistic standpoint (anonymity of sources allows us to speak honestly).

> it's a short article that doesn't answer its own question that it poses ("Why isn't this getting fixed?")

It literally did - "Few want to make it harder or costlier for data to flow from their network into others."

Margins are low in the telecom industry (11.4%) [0] versus Software's 80-90% margins due to the massive capital expenditures needed to build out a 5G backbone and deprecate older 2/3G infrastructure.

Adding traffic filtering (basically a SSE style Deep Packet Inspection functionality) is legitimately expensive because building this functionality in house is a multi-million venture which is difficult to justify with such low margins, and the vendors like ZScaler, Fortinet, Cato, Cisco, etc in this space all know they can arm-twist telcos while keep the price below that to build in-house.

> is it directed at me, or who

Yes, but a lot of other HN commenters like you. I used to be a SWE as well before I went into product/sales and later finance, and I hate it how a subset of SWEs like you assume us "non-techies" don't know jack.

Journalism is built on top of sources and experts who want to remain anonymous. Trust it or don't.

And writers at The Economist absolutely do interact with experts in the fields they write articles about. A lot of us just don't want to be named for the reasons I mentioned above.

[0] - https://www.mtn-c.com/product/telcos-pay-5g-price-higher-deb...

I'm sure they did judging by mentions of SS7 and Diameter. The phone system has became way too distributed to be done in an article.
Yep. SS7, Diameter, and the whole telco stack has really become the cyberphysical equivalent of tech debt.

Everyone knows that and wants to migrate towards a virtualized stack, and has been in the process of doing this for at least 15 years now, but you are faced with some very hard accounting questions around how to eat the financial cost of deprecating legacy (physical) infrastructure without incurring a massive financial penalty.

It's a hard problem, and countries like SK, China, and India weren't hit by it because they are greenfield deployments.

It's similar to how Germany and Finland lags in fiber because they went gung-ho very early in copper broadband back in the 90s.

It's a ridiculously complex system. (And that complex system is increasingly being replaced by equally complex K8s, but it makes sense given the dynamic scaling that comes with telecom)

I don't think it's a non-story at all, and it may well have huge consequences.

If it's this easy to hack phones, then the Russians are going to be able to hack them. So we Europeans may have to ban cellphones as they currently exist in order to have security, if things escalate.

This would be extremely interesting.

Good luck trying to do that. Your average mobile phone is running heaps of undocumented proprietary firmware in parts of the hardware/SoC that typically have full access to the whole device - there are no meaningful security boundaries whatsoever in most of those devices. If you are minimally security-conscious or your security model involves possible exposure to even mildly sophisticated attacks, you should treat your mobile phone as a toy. The attack surface is just too large for making them even minimally reliable to be a serious possibility. Even if you fix one part of the problem (such as the SS7 network the article mentions) that doesn't address everything else that's still raising serious issues.
This is why I just use Grandma's rotary phone when ever I need a phone. She even takes messages, when I am not around so works out quite well.
I think you solved the aging population crisis. Enlist armies of grandmas for your Grandma-as-a-Service business.

The only chink in your armor would be that grandmas are also considered to be easily hackable over the phone.

That's the good half of the non-profit world in a nutshell.
Don't smartphones employ IOMMUs to isolate those things now? I thought baseband processor having full access was a thing of the past.