10 comments

[ 10.5 ms ] story [ 140 ms ] thread
At some point you have to wonder how privacy and security wasnt a factor at all in the minds of engineers designing these systems- it has to be intentional, right? Did no one stop to consider how the system theyre building could be abused against the general public? Did they just not care?
My perspective is that at some point you have to consider that security wasn't as great of a threat actor in the 1980's. Even only in the last decade have we seen us move from IT security to more cyber security measures for the average organization.

Those systems were designed with security in mind for the environment and threat model of that time. It is why these types of things are grandfathered or improved upon to mitigate the latest scenarios and threat actors. The difference is that they probably couldn't foresee that it would remain the foundation for so long, and what todays world would look like.

There are a huge amount of people that don't spend time thinking about ways thing can be misused.
Companies driver is money and PMF, not what’s right.
Is there anything a common person can do to help reduce the likelihood of their phone being tracked via SS7? (other than not carrying a phone or disabling the mobile network)
It's actually moderately easy: get 3 phone numbers. One you make public (#1), the one that everybody knows. The third one (#3) you never make public and it's the one you take with you in your mobile phone. It's preferable to get this number illicit - not in your name.

Put #1 and #2 SIM cards in two WWAN modems in a device (laptop?) you always keep at home, or at work if you don't want your home location known. Cross-connect the two modems by software (Asterisk?) such that if a call comes in from #1, it's forwarded through #2 modem to #3 (your mobile phone) and if you dial #2 from your mobile phone, you get a dial tone on #1 modem.

Disadvantages:

  - No call ID. You'll never know who calls you and can't immediately save their number without looking at the call logs at home.
  - You must store all phone numbers with #2 as prefix, a pause, then the actual phone number as extension.
PS: It's possibly even simpler than that. Forget #2. Use a VoIP app to connect to laptop's PBX from the mobile phone. That way you can even block all calls in/out from your mobile phone (PIN2 required) and only allow internet.