paint-brush
Is your 2 factor auth based on a “pinky swear”and late 90’s IT security?….by@renebrakus
519 reads
519 reads

Is your 2 factor auth based on a “pinky swear”and late 90’s IT security?….

by Rene BrakusMay 13th, 2017
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

Two very different tech worlds affect our lives daily. The Telecom and the IP world (aka online, the web, IOT).

Company Mentioned

Mention Thumbnail
featured image - Is your 2 factor auth based on a “pinky swear”and late 90’s IT security?….
Rene Brakus HackerNoon profile picture

….because it turns out your neighbor Wi-Fi router is using a stronger encryption for its communication protocol then your trusted Telecom operator.

Two very different tech worlds affect our lives daily. The Telecom and the IP world (aka online, the web, IOT).

Your smartphone is a IP/Telco hybrid that you care and love

The IP/ IOT /Online world is filled with so much threat and danger that even the average end user knows the terms like phishing, brute force attack, crytolocker, malicious bots and is at least aware of the importance of having a good IT security system.

Top security experts at work

Without a doubt a average user is assured that the telecom world she/he relies on is not without top security, it is safe from the wild west of the web.

So…telecom is a place of top IT security.

Reality is quite the opposite. The truth is that the network operators have outsourced everything and are dependent on their equipment suppliers for all technical matters, including security.

But how come SS7 is so insecure..wasn’t it build by Telco professionals? Yes but as all legacy protocols it was made to be used in a closed network and hence very little security research has been done to assess the security of SS7.

Security researchers simply had no access to SS7 networks, and service providers had little interest into looking at the topic because there was simply no need — it wasn’t the wild west like the “the web”.

At one point in time while looking for more profit, network providers have opened up their SS7 networks for third parties as part of their commercial offerings.

This created an opportunity for many companies to make the Telco world more developer friendly by building different interfaces that are compatible with popular IT technologies and essential bringing the Telco world closer to the average software engineer.

Although opening up SS7 networks brought many benefits it has also changed this notion of trust and security dramatically, after several security researchers announced major vulnerabilities in the SS7 protocol that threatens the user’s privacy and can lead to user location tracking, fraud, denial of service, or even call and text message interception.

The telco community reacted and it would be unfair to say that there weren’t no attempts to encrypt the traffic using A5/1 or A5/3 protocols.

But for example the A5/1 suite has been broken and it is possible to decrypt the calls transferred over the air interface using cheap radio interceptors.

It’s actually harder to crack your average WIFI encryption (WPA 256 bit encryption) then air traffic between two mobile cells (A5/1 64 bit encryption)

For the past couple of decades, the security of one of the fundamental protocols in telecommunications networks, Signaling System №7 (SS7), has been solely based on the mutual trust between the interconnecting operators. Operators (network providers) relied on their trust in other operators to play by the rules — but the game has changed and if mobile operators want to be relevant in the next couple of decades they need to up their game and not only think about the profit but investing in security — one of 21st century top commodity.