Telecommunications Security Risks
Telecommunications Security Risks
What Is Telecommunication?
The simplest explanation of what telecommunication is, is the science of transmitting information or messages via electronic devices or electromagnetic signaling. (Wikipedia) Today, we use the term to describe telephone systems, radio, fiber optics, or satellites. But in recent years it almost always comes down to ‘the internet’.
However the history of telecommunications can be traced make into ancient civilizations, the middle Ages, and Native American cultures. Ancient Greeks used hydraulic semaphores to create optical telegraphs. Similar to the middle Ages using beacon chains on large hills. Or the famous smoke signaling of the Native Americans. Then the invention of the telegraph and later the telephone by Alexander Graham Bell. Next the radio and shortly thereafter television. Television was seen as a breakthrough piece of technology and has only been around for roughly 60 years. An amazing feat.
We’ve even invented entire languages (Morse code) to better communicate across these distances. We as the human race have always wanted to exchange information over great distances. Evolving into what we now have, as the Information Age. (Wikipedia) The Information Age, also known as the Digital Age has created a knowledge-based society, in which computers have unlocked vast amounts of data open and accessible to most everyone in the world. But none of this would be possible if not for the evolution of Telecommunication systems.
The Tug of War
There are countless laws and regulations that telecommunications must abide by, period. Any failure on their part risks immediate shut down. But the line is not always black and white. There are several situations that push telephone companies and internet providers into a limbo of having to decide between two evils or having to meet the needs of more than one regulation, law, or right.
One specific situation would be religious rights. This is an odd topic to discuss when talking about phone systems but it does come into play in certain regions of the United States. Per the Amish and Mennonite religion, they cannot associate with certain types of technology. Caller ID or video phones that display their image or name are against their religion. But by federal law they, as American citizens and communities, must be provided necessities such as phone service for their businesses and medical emergencies. This is a delicate contradiction that phone companies must abide by. They must provide phone service but they also must be sensitive to the religious needs of the community. Unfortunately, in order to fit both, they must use outdated technology and phone equipment to do so. Thereby putting said equipment and systems at risk, since older equipment has been well documented to have flaws that hackers and phone phreakers have exploited. (Wikipedia)
Another unknown law categorizes phone companies as an emergency organization. Regardless of weather or natural disaster they must provide phone service to everyone, restoring service within 24 hours (in normal circumstances.) So while you enjoy a snow day, phone company employees are required by law to risk life, no matter how treacherous road conditions are. Often times being stuck in flooded areas or blizzards. This high stress environment is often times overlooked and owners must put lives at risk due to laws and regulations requiring them to.
This is not an isolated case for phone companies. They often have to play by hopping through multiple hoops in order to please everyone telling them what they must do. Often times the telephone companies are accused of refusing to update their phone systems and equipment, while knowing what flaws and risks lie there. But often times, it’s not due to a lack of wanting to protect their systems, but red tape. Many times the phone companies pull out their hair at the slow, tedious process of requesting updated systems or process changes. Many times it takes months before documentation is approved and new regulations exist.
That’s not to say the blame is on the rule makers by any means. They are also held up by the red tape. The FCC is a non-biased entity held to protect all telecommunications providers across the United States, with several other non-biased organizations upholding separate divisions, all with the same goal in mind, to maintain equality throughout all the telecommunications companies. But with so many entities, the process can only move at a finite pace.
This slow moving process is both effective at maintaining equality, but detrimental to overall progress and innovation. The fastest growing tool that we have right now is technology, specifically surrounding the internet. But we cannot move any faster than we already are, and it’s a snail’s pace.
Common Security Risks
There are a few standard security risks in telecommunications. One would be hijacking the phone signal from someone else. This can range from physically connecting into the phone line to rerouting the signal to an unintended person. There are ways that people can ‘listen in’ to private conversations as well. These have been around since the dawn of telephones. The original phone phreakers were the telephone company phone operators, taking advantage of their positions.
Another large issue for modern telecommunications consists of people breaking into an individual phone line and making long distance calls. Many of these attacks are done automatically, making thousands of dollars’ worth of international calls within an hour or less.
But don’t think the attacks are limited to outsiders, phone companies constantly communicate with each other, passing phone calls between themselves. But this call passing isn’t free; each carrier charges the next when they request to pass a call. These call charges are decided on by a rating table and many of which want the lowest cost possible when sending phone calls on to the next carrier. After all, if they are charging their end user a lower rate to make the call, they lose money themselves when actually placing the call. And some carriers charge a much lower rate to send the same call, so many phone companies explore the tables, looking for the cheapest route. And unfortunately many have found a way to pass these calls without revealing themselves, which enables the other carriers to send the charges to the correct company. Therefore, getting free calls. This may not constitute a security risk, but it’s a huge flaw in the system that still happens. The best way to prevent from this sort of sneaky maneuver is to simply reject the calls that you can’t identify the carrier from, but that risks complaints from those end users who expected a phone call. Most customers don’t understand why they can receive a phone call on their cell phone but not their land line and even less care it’s because the other carrier is trying to get away with a free call. So it’s a tricky topic to mitigate.
But the issues don’t stop there, keep in mind that telecom also includes internet services now. An issue that internet service providers constantly face is the type of content people view on the internet. As an ISP, the phone company has the responsibility to release information when requested to (formally) by Law Enforcement. The phone company also tends to receive DMCA (Digital Millennium Copyright Act) notices when copyrighted web content is routed on their network. All of these regulations are held by law and must be honored. It’s a daily struggle to manage the laws without violating privacy rights of the customers.
Direction and Future of Telecommunications
The direction of telecommunications has been steady over the past several years. We want to lose the wires and be free to go where we want to go, literally. Mobile services allow for a wireless experience and it’s what society is demanding of their internet and telecommunications providers. IP Networks are the way of the future and telecom has to overhaul their business model to appease. (The Future of Telecommunications)
Users are incorporating the term ‘cloud’ into their everyday language. They recognize that the majority of what they do online is a part of cloud computing and opening up their arms to the idea. They understand that their information is being held by several service providers, website owners, and companies. They are in hundreds of databases, spelling out their lives across the platforms. And they are fine with this now. There are people who have always lived in a world with computers, the latest generation of college students grew up with a cell phone and personal computer. Completely forgetting that their parents didn’t see either until well into their adult lives. As a society we are changing how we view technology and take the instant communication aspect of it, for granted. It’s not as scary and it’s changing how we interact with each other. (Forbes.com)
Cell phones are a part of the future of telecommunications. As society seeks to be mobile and wants their devices to be smaller and smarter. But these two demands are not easy to fulfill and remain secure. Throughout the cellular history, there have been many bumps in the security realm.
The first of which was the use of analog cell phones or Advanced Mobile Phone Systems. These were common in the first set of cell phones and surprisingly are still used in some devices today. The analog signal was sent on an unencrypted signal, broadcasting the information to anyone who would listen.
The next generation of devices used GSM or Global Systems for Mobile Communications. This is still widely used, as it addressed the security concerns users had. An easy way to determine if you have a GSM device is to find out whether you have a chip or SIM card that stores your account data. AT&T and T-Mobile are the most recognizable carriers to utilize SIM cards. This way it separates the physical device from your cell phone information, somewhat. The encryption for GSM can be hacked but it’s not as easy as analog. Prior to GSM, AT&T attempted to use TDMA, or Time Division Multiple Access, a digital signaling type but have since weeded out these devices from their systems.
CDMA, or Code Division Multiple Access, is Sprint and Verizon’s version of TDMA, but is still in effect today. This also uses a digital signal with encryption. iDEN, or Integrated Digital Enhanced Network, is a Nextel technology that utilizes radio systems. They were responsible for the ‘push-to-talk’ craze that happened several years ago in which users could use their cell phones as walkie-talkies on a larger range of signal. (Kinds of Cell Phones)
Although there are several options for cell carrier services, there is very little done about overall protection of the user’s information or security over these services. Eavesdropping and call interception is a big security risk that the majority of users do not think about. Users should assume that their phone conversations are being listened to or recorded, especially in public places where wireless intercepts can be easily overlooked.
There are a number of other vulnerabilities that cell phone users need to be aware of. For instance they are not immune to spam now, since our email is connected to our smart phones. Although SMS texting allowed for the same vulnerabilities years ago. As evident in the 2010 ‘SMS of Death’ scenario in which many GSM networks were flooded with malicious text messages that delivered payloads that forced any devices that opened the message, to disconnect from the networks and disable the device completely.
GPS hijacking is also a huge risk, as all devices now have built in GPS; it becomes extremely easy for someone to track your whereabouts. To help with this endeavor, social networking apps such as Facebook, automatically log your location to your user wall so your friends or anyone (depending on your privacy settings) can view where you are and at what time. Like many apps, this is a feature you have to know about and disable on your own. Many apps come installed with a default of ‘on’, regardless of the risks it may have for the user. (ZoneAlarm)
As of January 2013, the United States made it illegal to unlock any new Mobile phone device, as against the Digital Millennium Copyright Act (DMCA). (Slashdot.org) But let’s examine what the DMCA was originally intended for. This Act is meant to control and limit any manipulation to a copyrighted item (normally through DRM); in this case it’s a piece of equipment but it can easily be valid for most anything as long as the item is copyrighted. This does clearly fall into that category, as the act of unlocking means to separate the device from the manufacturers intended use. Either by deleting apps that are required by the manufacturer or stripping the original Operating System on the device and adding your own. Users feel that this is very limiting, since they do not have the right to customize something that they paid for and find certain aspects of the device useless as is. This new definition now puts customers at legal risk if they change any aspect of the device they paid for. To maximize their user experience, they feel they have a right to remove pieces of the software they do not want and should be able to add software they do. Since the ‘out of box’ devices often times have over half of the devices internal storage used by pre-programmed software and apps, some of which the customer may not want to use. This limits the actual usability of the device, forcing the customer to purchase a higher cost device with a larger storage option, just so they can add items they specifically want. The customers’ argument is that they want to be able to remove the things they do not intend to use and be able to add the things they do want. But manufacturers do not agree, and the copyright laws agree with the manufacturers.
This DMCA reaction has been long expected, as cell phones have been hacked and unlocked as long as they have been around. And with the evolution of smart phones, the risks have become even greater. Since many people treat a smart phone as a mini computer. Unfortunately, very few people recognize this and go about their digital lives completely unprotected from viruses, spyware, and the various other common malicious software potentially lurking on their device.
Let’s examine the differences between a Personal Computer and a smart phone. The difference between functionality is actually very similar. But the problem is that people treat them very differently and let their guard down far too often. A smart phone is small enough to be with a person constantly. And even though laptops, netbooks, or tablets are becoming much more mobile, they still have that personal computer stigma that many of us grew up with. A computer is treated like a computer, something tethered to a desk that needs constant protection. But we seem to forget this when we think of our smart phones, even though we do virtually the same tasks on both. We play games, we do online banking, we talk to other people, and we check our Facebook and twitter. We browse websites non-stop, without even considering what browser we are using or the security it has or doesn’t have. More often than not, these mobile browsers do nothing against infection. These are tiny; easy to steal devices that hold our very personal data, work data, banking information, and all our social networking information. Deleted information is just as at risk of recovery on a smart phone as it is on our computers, but we seem to think they are gone once we hit ‘delete’. Another flaw is that cell phone providers do not regularly update the devices operating system or are very slow to do so. So we walk around with very outdated devices with well-known vulnerabilities.
So what is the major difference? It’s how we paid for the personal computer verses the smart phone. A computer is a onetime purchase; it can be used as a standalone from any internet services. Although we assume they will be connected, it’s not a requirement for use. We pay a monthly fee to our ISP for internet access. But the ISP has no jurisdiction on what type of computer we have, how much memory it has, or what operating system it has. They do require us to use certain routers or modems to connect to their service but often times they provide these. Or they do allow us to purchase our own to maximize how well their services come across. But they are limited to the actual service we purchase.
Smart Phone manufacturers are integrated with the cell phone providers now, melding the two into one ‘easy’ to use package. You purchase the cell phone device and pay a monthly fee to use whatever services you request, within your contract plan. There is no way to use the device without a service plan, unlike a personal computer. These contract plans mean you lease your device and service plan over the course of typically two years. And with these new definitions, you cannot change your device or risk legal action.
But this doesn’t mean that you cannot add anything to your phone, you are allowed to add approved apps, your personal information, and games. But there is yet to be a clear definition of what stays within these limits. Can you use anti-virus software to protect yourself? How does Tor work, or does that count as unlocking? We already know we can’t update the OS, even if it’s outdated and leaves our personal information at risk. This only further limits our ability to protect ourselves. These question need to be answered, since they risk the users identity and how they use their devices to protect themselves without breaking the law.
What is a Meshnet? Well, it’s a decentralized alternative for those who do not wish to use an Internet Service Provider or who do not have the option for it. All computers on the network work together to capture and pass along data across the rest of the network, via routing. (Mesh Networking) In essence, creating their own internet.
Project Meshnet is a project in which individuals have started creating a network of wireless and wired physical connections through their own equipment. Similar to a Peer-to-Peer connection, they link several computers and servers across a large network. (Project Meshnet) Thus creating their own version of the internet, on a wide scale.
The Server Drone project is a project where one widely known Bit Torrent website attempted to test its ability by creating unmanned drones that house servers. Thereby, in theory, bypassing local and international laws due to technicality, since the drones were being kept in international air space, they were out of any local jurisdiction. This theory has not been officially tested, and little more has been heard about the idea. However, the project may have sabotaged itself by being public about its intent too soon. Allowing for countries to prepare and demand Sweden (where the server owners would be) take action on the individuals working on the drones. (UsNews.com)
Google Voice & CLEC
Traditionally, telephone services are provided by the underlying telephone companies or LECs. So what does that mean? The LEC’s are the ones who laid down the copper or fiber lines. They are the ones who control and own the lines. But they aren’t entirely greedy; they will rent out the ability to use those same lines to other LECs. One such LEC is the CLEC, which rides on top. CLECs have also focused their attention on fiber optics instead of the traditional copper. For one because so much more data can be held in the fiber optic cables and there’s less chance of people trying to steal the lines, unlike copper. (Copper metal can be traded in at junk yards for a nice sum.) Fiber is glass and light. So copper is being done away with.
One such CLEC is Google Voice. Google has expanded their reach from a simple search engine to a true competitor in the technology and telecommunication field. Google has been testing out small service areas by providing internet and phone service on top of other carriers. Adding another layer to the dynamic.
Ninja Tel & Homemade Phone Networks
Cell phone and radio phreaking have become popular over the past few years, as users have found ways of manipulating cell phone services. One such way is by intercepting phone calls via homemade radio stations and an Asterisk setup. This is actually not as difficult as it sounds but is limited to GSM devices. (Cell Phone Spying) Or by rerouting how customers are billed via roaming charges and their local cell carrier. (Cell Phone Phreaking) In fact, as mentioned above under homemade internet, homemade phone networks have shown up.
Ninja Tel specifically showed up during a Hacker convention in 2012, sponsored by various organizations such as Facebook, Qualcomm, and Lookout. The project was a van that held a mobile network using OpenBTS, Asterisk, and a radio peripheral that connected SNS services to specific devices that participants handed out earlier in the event. You had to have a special phone to connect to this secret network. (Wikipedia)
In conclusion, there are many risks for telecommunications that will never go away. As long as telecommunications is the gate keeper for the voice and internet, it will always be the first target. But as often as telecommunications has to constantly fight off threats and attacks, the technology continues to expand and find new avenues to grow. It’s never let the hurdles stop it, just sometimes it throws a hiccup in the mix. Telecom is here to stay and as long as companies strengthen themselves, the companies and technology will just continue to grow stronger.
Wikipedia. “Telecommunications.” Web. 18 Feb. 2013.
Wikipedia. “Ninja Tel Van” Web. 17 Jul. 2013.
Wikipedia. “Digital Millennium Copyright Act.” Web. Jul. 16 2013.
Wikipedia. “Information Age.” Web. 18 Feb. 2013.
USNews.com. “The Pirate Bay To Flu Server Drones.” Web. 1 Apr. 2013.
< http://www.usnews.com/news/articles/2012/03/19/the-pirate-bay-to-fly-server-drones-to-avoid-law-enforcement >
Slashdot.org. “Unlocking New Mobile Phones Becomes Illegal in United States.” Web. 1 Apr. 2013.
The Jolly Roger. “Cellular Phone Phreaking.” Web. 1 Apr. 2013.
ZoneAlarm. “What Are the Risks of Mobile Security?” Web. 1 Apr. 2013.
Youtube. Practical Cell Phone Spying. Web. 1 Apr. 2013.
Reddit. “Dark Net Plan.” Web. 1 Apr. 2013.
Project Meshnet. “Project Meshnet.” Web. 1 Apr. 2013.
Simson.net. “Kinds of Cell Phones.” Web. 1 Apr. 2013.
Insight-corp.com. “The Future of Telecommunication 2008- 2013.” Web. 1 Apr. 2013.
Forbes.com. “Mobile, Social, and Cloud Changing Future of Telecom.” Web. 1 Apr. 2013.
Wikipedia. “Mesh Networking.” Web. 1 Apr. 2013.
Wikipedia. “Amish.” Web. 1 Apr. 2013.
© Kana Kennedy, Kennedy Info Sec, and Kennedyinfosec.com , 2011 – 2014. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Kana Kennedy and Kennedy Info Sec with appropriate and specific direction to the original content.