At some point you have to wonder how privacy and security wasnt a factor at all in the minds of engineers designing these systems- it has to be intentional, right? Did no one stop to consider how the system theyre building could be abused against the general public? Did they just not care?
Most likely security was a factor, and they did care, but in all the wrong ways. See this post about 2G, but SS7 was (and is, hence it has not been upgraded) probably under the same pro-surveillance pressure:
My perspective is that at some point you have to consider that security wasn't as great of a threat actor in the 1980's. Even only in the last decade have we seen us move from IT security to more cyber security measures for the average organization.
Those systems were designed with security in mind for the environment and threat model of that time. It is why these types of things are grandfathered or improved upon to mitigate the latest scenarios and threat actors. The difference is that they probably couldn't foresee that it would remain the foundation for so long, and what todays world would look like.
Is there anything a common person can do to help reduce the likelihood of their phone being tracked via SS7? (other than not carrying a phone or disabling the mobile network)
It's actually moderately easy: get 3 phone numbers. One you make public (#1), the one that everybody knows. The third one (#3) you never make public and it's the one you take with you in your mobile phone. It's preferable to get this number illicit - not in your name.
Put #1 and #2 SIM cards in two WWAN modems in a device (laptop?) you always keep at home, or at work if you don't want your home location known. Cross-connect the two modems by software (Asterisk?) such that if a call comes in from #1, it's forwarded through #2 modem to #3 (your mobile phone) and if you dial #2 from your mobile phone, you get a dial tone on #1 modem.
Disadvantages:
- No call ID. You'll never know who calls you and can't immediately save their number without looking at the call logs at home.
- You must store all phone numbers with #2 as prefix, a pause, then the actual phone number as extension.
PS: It's possibly even simpler than that. Forget #2. Use a VoIP app to connect to laptop's PBX from the mobile phone. That way you can even block all calls in/out from your mobile phone (PIN2 required) and only allow internet.
10 comments
[ 10.5 ms ] story [ 140 ms ] threadhttps://news.ycombinator.com/item?id=25284892
Those systems were designed with security in mind for the environment and threat model of that time. It is why these types of things are grandfathered or improved upon to mitigate the latest scenarios and threat actors. The difference is that they probably couldn't foresee that it would remain the foundation for so long, and what todays world would look like.
Put #1 and #2 SIM cards in two WWAN modems in a device (laptop?) you always keep at home, or at work if you don't want your home location known. Cross-connect the two modems by software (Asterisk?) such that if a call comes in from #1, it's forwarded through #2 modem to #3 (your mobile phone) and if you dial #2 from your mobile phone, you get a dial tone on #1 modem.
Disadvantages:
PS: It's possibly even simpler than that. Forget #2. Use a VoIP app to connect to laptop's PBX from the mobile phone. That way you can even block all calls in/out from your mobile phone (PIN2 required) and only allow internet.