Nation-State Attacker of Telecommunications Networks

Someone has been hacking telecommunications networks around the world:

  • LightBasin (aka UNC1945) is an activity cluster that has been consistently targeting the telecommunications sector at a global scale since at least 2016, leveraging custom tools and an in-depth knowledge of telecommunications network architectures.
  • Recent findings highlight this cluster’s extensive knowledge of telecommunications protocols, including the emulation of these protocols to facilitate command and control (C2) and utilizing scanning/packet-capture tools to retrieve highly specific information from mobile communication infrastructure, such as subscriber information and call metadata.
  • The nature of the data targeted by the actor aligns with information likely to be of significant interest to signals intelligence organizations.
  • CrowdStrike Intelligence assesses that LightBasin is a targeted intrusion actor that will continue to target the telecommunications sector. This assessment is made with high confidence and is based on tactics, techniques and procedures (TTPs), target scope, and objectives exhibited by this activity cluster. There is currently not enough available evidence to link the cluster’s activity to a specific country-nexus.

Some relation to China is reported, but this is not a definitive attribution.

Posted on October 22, 2021 at 6:13 AM
38 Comments

Comments

Hedo October 22, 2021 7:32 AM

Attribution is hard. (I know, I know, I’ll be that parrot/broken record today).

Internet protocols/standards/layers need a serious remodeling from ground up.
It was built on a very insecure foundation and it’s time it got rebuilt with
NON-REPUDIATION built in everywhere. Every step of the way, non-repudiation
must be enforced, non-negotiable, not optional, mandatory.
This would take care of Authenticity, Accountability, Integrity, and
many other important things because the amount of negative consequences
(impact on human lives/safety), grows by the day, and we need to start
making these cyber crimes (ransomware, etc) an INTEGRAL part of our foreign policy.
I’m referring to the USA, but this can easily be applied to any other country/government.
In other words, there must be political/diplomatic, state level policies in place,
on the books, that provide for appropriate sanctions for those engaging and/or aiding
such activities. I may not live to see it, but some of these nasty hacks taking place
today, may actually lead to, or be perceived as acts of war in the near future.
But “Let’s go back to the rock and see it @440”
Attribution is hard.
PS:
Trying to act my age today.

Winter October 22, 2021 7:40 AM

All data goes over TCP/IP (including Voice). It should be possible to create a system that does all communication using e2e encryption (like Signal) with end-point obfuscation (a la Tor). Say, by hooking up a computer-like device to a mobile phone as a hotspot. That way I should be able to combine mobile phone level flexibility with the “best available security”.

That this is not already done tells me I have not seen all the obstacles.

My question is, what are the obstacles?

Freezing_in_Brazil October 22, 2021 7:58 AM

@ Hedo

it’s time it got rebuilt with
NON-REPUDIATION built in everywhere. Every step of the way, non-repudiation
must be enforced, non-negotiable, not optional, mandatory.

Isn’t it the promise of the Blockchain?

Peter October 22, 2021 8:00 AM

@Winter

Probably because there is no incentive for the ISPs/telecoms to work on it. It would not lead to any improvements for the average user (who doesn’t care about security at all), while having a small cost attached to it.

Winter October 22, 2021 8:23 AM

@Peter
“Probably because there is no incentive for the ISPs/telecoms to work on it.”

Actually, the police and TLAs of the home countries would work actively against any such adaptation.

But as a user, I can already use Tor/VPNs on my mobile phone, or simply hook up my laptop/tablet to my phone in “hotspot mode”, and do everything over the mobile network. I can do voice and video calls over WhatsApp or Signal, using a second mobile as a hotspot. This all keeps the telcos out of the loop. And if Signal is not private enough, you can set up your own Signal network (the code is FLOSS).

Still, people pay premium prices for crappy cryptophones that connect directly to the telco networks.

What obstacles do I miss here?

yet another Bruce October 22, 2021 9:16 AM

@Peter, @Winter

TOR might work pretty well for text messages.

Latency and especially tail latency would be a huge problem for voice calls.

TOR would collapse if everyone used it for all their mobile web browsing. You could throw resources at the problem but TOR multiplies network bandwidth by design and consumes non-trivial compute.

Winter October 22, 2021 9:25 AM

@yaBruce
“TOR would collapse if everyone used it for all their mobile web browsing. ”

That is obviously true as TOR is run by volunteers. The only alternative is paid VPNs, which seem to be not particularly good. Dedicated users could set up their own TOR&Onion/VPN servers and tunnel into them. All suboptimal to functioning shared services.

But almost everything you can think of seems to me better, privacy and security wise, than using the mobile network itself.

Joel Halpern October 22, 2021 9:51 AM

Yes, security is getting more attention than it was. But expecting to get to a system that has non-repudiation everywhere seems rather too optimistic even if one wanted to start from scratch, and though one could get a replacement deployed.

When we did IPv6, we started out trying to mandate support (not even use, just support) for IPSec in every system. The mandate was simply ignored. Eventually, recognizing reality, it was removed.

The good news is that a lot of applications are using TLS by default. But that does not give you the system-wide coverage that is really needed for this sort of thing.

Clive Robinson October 22, 2021 10:33 AM

@ The usual suspects,

Note,

“There is currently not enough available evidence to link the cluster’s activity to a specific country-nexus.”

Nor if the cluster is doing its job[1] should there be, unless it is made to look like it’s coming from somewhere else.

I guess the US side of things is finally waking up to,

Attribution is hard, very hard.

I wonder if they are also waking up to,

False Flag Operations are not hard, not hard at all.

Likewise considering what the implications of those two combined is…

@ ALL,

But is this really news?

We know Level III attackers such as the NSA have been intercepting certain academics’ and consultants’ emails in Europe for years.

Would it really be any surprise that they would be extending their scope, as technology reduces cost of action, and increased budget gives rather more ability to “reduce cost”…

A little bird has told me that over in Germany, Level III entity priorities have just been “reassessed”. No doubt similar will follow in other places.

[1] On the loose assumption they are “working stiffs” / “Salary men” at a Level III adversary. Be it Corporate or State cutting the monthly checks.

Clive Robinson October 22, 2021 10:44 AM

@ Winter,

That this is not already done tells me I have not seen all the obstacles.

My question is, what are the obstacles?

1, Social,
2, Political,
3, Criminal,
4, Economic,
5, Technical,
6, Other.

Or some combination of the above?

There are after all so many reasons for each of the great many obstacles, you get an effective infinity from which to choose.

msb October 22, 2021 10:56 AM

TOR, VPN, etc don’t really solve the problem here. Your network, be it internet, TOR, or avian carrier, is only as secure as the software it is running on. It doesn’t matter how secure your data is in transit, if your device is compromised.

The ONLY way this problem will get fixed is if software “engineers” and the companies they work for are made liable for the damages caused by their shitty products, like EVERY other industry.

Your ketchup just poisoned a million people? The wheels fell off your truck? Your building collapsed, killing thousands? Pay a huge fine, class action and/or go to jail. Your shitty software allowed a hospital to be hacked, costing millions of dollars in damages and ending three lives? Oh, the hospital should have done better. This is victim blaming at its finest!

Winter October 22, 2021 11:01 AM

@Clive
“> My question is, what are the obstacles?”

“1, Social, 2, Political, 3, Criminal, 4, Economic, 5, Technical, 6, Other.”

1-3 are not interesting to me
4 I can think of a mobile phone + tablet setup that would be (well) under €1000.

To me, 5&6 are of interest. What would subvert a setup with Signal+Email+VPN/TOR?

JohnnyS October 22, 2021 11:48 AM

I think we need to be able to send someone with an axe to cut ALL Internet access from a specific region or country on short notice.

Specifically, when Some Country attacks Another Country in the near future, we need to be able to block all Some Country’s traffic immediately to at least have a chance of surviving their hacking into our infrastructure and critical systems.

We also need to make sure that the operators of all this infrastructure and critical systems have been motivated to check their systems for logic bombs and other planted problems like malware, back doors etc. that Some Country has implanted to bring us to our knees when they attack the other Country.

It’s going to be interesting.

Denton Scratch October 22, 2021 11:55 AM

@Winter

“My question is, what are the obstacles?”

The main one is that the International Telecommunications Union is a union of governments, not of people. Effectively, the ITU’s a diplomatic body, and it acts (VERY SLOWLY) in the interests of the member governments. It has no brief to act in the interests of ordinary people. It is almost completely unlike the IETF.

Denton Scratch October 22, 2021 12:11 PM

@msb

“The ONLY way this problem will get fixed is if software “engineers” and the companies they work for are made liable for the damages caused by their shitty products, like EVERY other industry.”

Yeah. Ain’t going to happen.

Loads of the comments up-thread are going on about TOR, VPNs and TCP. This is an attack on telecoms infrastructure, not on IP networks. Those are often not private organisations. The protocols they share are agreed by diplomats, who are only advised by engineers, not instructed by them.

No government really wants secure communications infrastructure. Their intel agencies wouldn’t stand for it. How would the CIA feel about their diplomats agreeing to more secure infrastructure in Iran, Israel, Russia, China? But telecom is now fully international, you can’t have secure infrastructure in the USA unless everyone gets it, everywhere.

Secure communication isn’t that hard; find a field, stand in the middle, and whisper.

Encryption is groovy, and all that; but most people don’t know if it’s been done right, or whether it works at all, or whether it’s been broken. If you want to keep secrets, use telecom as a channel for establishing security. “Which field do you want to meet in, specifically?”

lurker October 22, 2021 12:43 PM

LightBasin’s focus on Linux and Solaris systems is likely due […..] to the comparatively lax security measures and monitoring solutions on Linux/Solaris systems that are typically in place on Windows operating systems within an organization.

Somebody had to say it sooner or later. Is it because Windows is assumed to be cheap commodity crud and needs to be securely bolted down, while Linux/Solaris is just assumed to be OK? Surely the telecomms industry must have grown out of the mindset that you can see and/or hear a wiretap on a physical line. Do they then assume that “free” “open source” means you don’t have to pay the right price for quality security?

My personal banking and medical data are unlikely to be of interest to LightBasin, but it still confounds my bank and doctor when I refuse to use their “app”.

echo October 22, 2021 1:12 PM

Personally I believe the propagation of human rights abuse over telecoms systems is the bigger worry. Speaking of which, according to usually reliable sources one known bad actor who has effectively been banned by the highest levels of the United Nations was unmasked online this week hiding behind a false identity. There was also a slip up by the office of the Prime Minister of the United Kingdom as a very suspect communication by Downing Street surfaced. A few high profile politicians and one member of the privy council were caught red handed being wrapped up in or co-opted into the broader problem.

Social media, especially US social media, is a very big problem. Currently management shout about privacy while the legal environment in the US is the company owns your data. While it is not directly said, you can see from what is withheld and what is said there is a bias in favour of commercial interest and deflecting regulatory or legal action, and hiding behind known weak or flawed oversight mechanisms.

There are a lot of technical and sociological and neuro-psychological feedback loops in this.

It’s possible to take Bruce’s post as a model and rewrite everything I have said to fit the clipped formality.

I wouldn’t say attribution is necessarily difficult even with layers of reactive proxies. It can be more of a messy thing. None of these intelligence reports properly dwell on this in their conclusions, which creates more questions…

John October 22, 2021 1:13 PM

Hmmm….

I am seeing ping times of 341ms more or less. Often source is obscured [made to appear local].

Suggests Japan and China to me.

Does computer security exist?

A simple, easy to audit, AES SIP 2 way p2p client in assembly code on a simple micro would be a good beginning.

In the earlier days if ping time was >150ms connection was refused.

Lots of fun :).

John

Mao Tsu Shi October 22, 2021 3:24 PM

Frankly, the NSA/GCHQ et al all know who this is – it’s been going on a while…

Huawei was leveraged by the CCP a long time ago to get this job done… I guess it comes as no surprise to most people here. This isn’t really news.

Clive Robinson October 22, 2021 3:38 PM

@ Winter,

I note you now have two comments (7:40 & 8:23) that end in a

what are the obstacles?

Question, my original reply was to the first.

Which states,

That way I should be able to combine mobile phone level flexibility with the “best available security”.

Well in the “technical” aspect your above indicates you are assuming a computer is the “best available security”. It is not, not by a very very long way.

Nearly all commercial applications and OSs these days, the main stream ones in particular, are

1, Not even remotely secure by design, in fact the opposite.
2, Have “ET phone home” spyware as standard called “Telemetry”.

But also in some cases the company that supplies your computer loads on their own “Spyware / tracking” for “security”. Oh and we know the SigInt agencies also get at “packages in transit”, so “online acquisition” is best avoided.

On the phone side the same applies, but you need to also throw in the service supplier… Anyone else remember CarrierIQ in the US, phoning home with your every action and key stroke?

The reason for all this surveillance crap is neo-con and MBA mantras that lead to “money on the table” thinking by these corporations. They believe and argue to legislators in the US why they have the “right” to do this; so far the EU has not brought the hammer down under the GDPR, which is a shame.

So the top level thinking in the production side of hardware and software is “security is in the way of profit” and the US legislators in particular for two reasons see it as good,

1, Because they get taken care of by the corporations.
2, Because the government entities tell them such things are desirable to fight XXX.

So none of the software nor hardware it runs on is in any way secure.

But as I’ve explained and our host @Bruce has explained you have to look at “the weakest link” not the strongest in any system.

Currently everyone talks about “secure messaging apps” like Signal that yes does have some strong crypto in it, but it has no security by design. It keeps the crypto to its communications, not anything else it does or the rest of the system does.

Users hear what they want to hear, which is “secure messaging”, not the reality that the system has no security, thus “secure messaging” is altogether pointless. It’s like tying a Gordian Knot in a steel hawser and tying a bit of string across it and using the string with a massive dead weight in the middle to lift things…

Yes you are actually less secure with a secure messaging app than you are without one…

If you want real security then you need to “Get off the consumer technology” and go back to basics.

And that “go back to basics” is another issue of significant failure, that of “Operational Security” (OpSec). It’s the human side of security and it is no easy task to get right; few can, most do not want to bother, they are lazy and just do not care. But worse, technology like CCTV works against you: things are “totally recorded”, they are no longer ephemeral. Those recordings can be analysed over and over from now until long after you are dead, and it won’t be long before the likes of

1, Identity recognition systems
2, Location systems
3, Health / biomedic systems
4, AI / ML systems

Get linked together as a coherent whole, to notice patterns, link them together and form intelligence sources to LEOs, IC / Mil entities and other commercial entities. It’s what is going on at Palantir Technologies, set up by Internet Billionaire Peter Thiel and chums Nathan Gettings, Joe Lonsdale, Stephen Cohen, Alex Karp in Colorado back in 2003.

Basically “total surveillance no questions asked, guilt served on a screen”.

The thing is you can quite innocently be in the wrong place at the wrong time. You don’t know it in most if not all cases as nobody remembers seeing you there and you do not get to hear about what went “wrong”. Even if you do see what went wrong, most don’t consciously remember; they look away and they don’t stop and tell because “It ain’t my business”. In some people’s eyes that is “running away from the scene of a crime” and “innocent people don’t run”. To be “guilty” all that has to be done is find you have some circumstantial connection with what went wrong… The bad news is everyone has a circumstantial connection to their locale in more ways than they can appreciate. We’ve all heard about the “six steps of connectedness” that says you are six or fewer human connections from someone famous; well the same applies to places and events such as things that went “wrong”. The closer they are, the fewer steps, the more guilty you look.

Now imagine a computer algorithm that simply follows links and establishes those steps for a group of people whose mobile phone or other location information puts them in the geo-temporal locale. It then sorts the list by least steps, and those are “the suspects”… Now what about electronic traffic? It’s another dimension: you send an encrypted data packet into a route hiding network around the time a wrong event happens, what are the circumstantial steps there?

We already know that a student used Tor around the time a bomb threat arrived on campus; he became suspect number one just on circumstance…

The student then under interrogation apparently admitted it… But with the US plea system and FBI history, let’s just say they have driven people to suicide and false confession way too often.

https://www.forbes.com/sites/runasandvik/2013/12/18/harvard-student-receives-f-for-tor-failure-while-sending-anonymous-bomb-threat/

That event was more than seven years ago; think how much more can be dug out these days. Then add in there are now new Tor services such as time shifting remailers etc. So just accessing Tor some time before makes you look guilty. As for visiting a “Coffee Shop” with CCTV coverage these days, you can be linked by the clothes you left home in; facial recognition is not required…

Maybe if they do not already exist somebody should start a “Pocket Burqa in a bag” product line much like “Pac A Mac” and more recently “Pac A Mask”…

Clive Robinson October 22, 2021 4:03 PM

@ JohnnyS,

Specifically, when Some Country attacks Another Country in the near future, we need to be able to block all Some Country’s traffic immediately to at least have a chance of surviving their hacking into our infrastructure and critical systems.

It won’t work.

I could list some of the very many reasons but consider this,

I set up a computer in a closet somewhere in “another country” on which I’ve installed a zero day worm waiting to be released at some future point unknown.

To it I add an HF Radio Modem which is receive only. I send it an encrypted and encoded plaintext message every so often[1]. One message type is a “stay alive” that acts as a “deadmans switch”, that is as long as the message is sent the worm is not released. The other message type is a “release now”.

It matters not what external network connections from “some country” you cut; HF Radio “skips over” that.

Look on it as a variation on a “trusted insider” attack. The only way you stop that zero day worm is by shutting down all internal networks in “another country” where that computer in a closet is located.

For various reasons, the more technically sophisticated a country is the more reliant it is on insecure networks.

Think about what would happen if the Internet and phone networks went out entirely in the US, then some third world country with little or no communications infrastructure. Remember,

Technology is the Achilles heel of the modern world.

Not the third world.

[1] I’ve discussed these innocuous looking messages that carry payload that can not be deduced or demonstrated by a third party before.

Clive Robinson October 22, 2021 4:18 PM

@ lurker, ALL,

Somebody had to say it sooner or later.

*nix got the telco gig long before Linux made it out of University.

The reasons: “Hardware” and “Up Time”, not security. In fact C2 did not come to any commercial *nix till long after *nix was entrenched in telcos.

And *nix is still holding the “Up Time” advantage on other widely used commercial OSs to this day.

Microsoft OSs based on NT are never really going to be able to compete on “Up Time” for a number of very fundamental reasons. I won’t go into them but only say they were pushed onto NT’s design by “Marketing”, and so fundamental was the issue it critically affected the whole design architecture and inflicted the equivalent of a genetic hereditary disease on NT…

JonKnowsNothing October 22, 2021 4:26 PM

@Denton Scratch, @msb @All

re: The ONLY way this problem will get fixed is if software “engineers” and the companies they work for are made liable for the damages …

From a recent MSM article:

Boeing 737 Max chief technical pilot charged with deceiving US aviation regulators over MCAS

  He hasn’t got $2.5bn to hand to the DoJ, unlike his bosses

A Boeing 737 Max test pilot has been charged with obstructing US aviation safety regulators … prosecutor claimed that [redacted] had supplied the FAA with “materially false, inaccurate, and incomplete information” about MCAS, the Manoeuvering Characteristics Augmentation System.

That section of the software keeps the nose of the plane level. The 737 had a tendency to tilt, so they fixed it in the software instead of having the pilots do a constant leveling maneuver to hold the nose level.

Unfortunately and catastrophically, the system went TSUP and the pilots got into a fight with the computer over “What Level? is Level”. Level ending up at Augered In.

There’s a lot of bad software, there’s a lot of software that’s bad because people didn’t know how to do better or because their bosses told them to do it THISWAYorTHEHIGHWAY.

In many systems it’s the directing mind that gets the blame. Convicting and fining a computer hasn’t been too successful and computers have no problems sitting in SHU for 24×7. So they go up one or two or a dozen levels.

There are other items with equally devastating results, where going up two or a dozen levels is prohibited (USA). For these you can only go up one level at most and many times even that is prohibited (USA).

===

Partial search terms:
* Boeing 737 Max / US aviation regulators / MCAS

msb October 22, 2021 5:18 PM

@Denton Scratch

I wouldn’t say never, but I’m also not going to hold my breath. Within the next couple hundred years we might have finally developed a good library of standard algorithms and codes of industry best practices much like engineering tables, if we can ever get past the giant steaming pile that is IP rights.

Yes, they are attacks on telecom infrastructure, but the attack vector is primarily Linux/Solaris systems on IP networks. From inside, the telecom infrastructure is relatively secure, so China can’t actually use their telecom connections to exploit US carriers, which is why they need to come in out of band via IP networks.

I would disagree that secure communication is simple. Communication requires two (or more) people. So you want to meet in a big empty field and whisper? How are you going to tell me what field to meet at what time? If you tell me that over the phone, now that information is compromised so someone knows what field to monitor and when to look there.

Meta-data can be as valuable as the data itself, especially if you can gather enough of it. Without being able to see a single spot of ink, you can tell what a word says on a page by the shape of the white space around it.

People have been trying to secure communications for thousands of years, and nobody has perfected it yet. At some point in time every single communication must exist in a state that can be understood and intercepted without exception, so security will always be a balance of usability and security.

SpaceLifeForm October 22, 2021 6:43 PM

One may want to look into the REvil takedown

hxtps://www.theverge.com/2021/10/22/22740239/revil-ransomware-hacking-fbi-cyber-command-secret-service-down

[Homework: Figure out which DOD op was involved. It may not be your first guess]

Clive Robinson October 22, 2021 9:39 PM

@ SpaceLifeForm,

From the end of the article,

“, one of the group’s members restored a backup and unwittingly included systems compromised by law enforcement. A Russian security expert tells Reuters that infecting backups is a tactic commonly used by REvil itself.”

Confirms three things,

1, REvil lost their “Root of Trust”.
2, It was due to a US LEO unlawful act.
3, Backups need to be checked.

For years I’ve been making the point on this blog and other places that “unchecked backups are a liability” especially with “Ransomware”.

You would think it was obvious that for ransomware to be effective those perpetrating it would need to get at the backups for months before they actually brought the encryption gate crashing down and demanding payment.

I’ve previously outlined one or two ways as to how the perpetrators could not just get at the backups so they are fully encrypted, but in a way where it remains hidden, as long as you only check the backups on the systems you made them on or the attackers have had access to.

I also gave a strategy for detecting this…

Still… even large organisations with much to lose who should know better are not doing it… And so they have ended up having to pay in ransom many hundreds of times the cost of properly checking their backups…

As many in the US are wont to say “Go figure…”

P.S. To add to your AI issue that started with capitalisation. You could try,

Wont -v- Won’t

They kind of mean the opposite of each other, with “Wont” meaning “are accustomed to do” and being the root of “wonton”. And oddly “Won’t” meaning “Will Not” with the apostrophe replacing the “O” in “not”, but why “ill” has been replaced with “O” pronounced as the “OE” is just one of those things that confuse the heck out of people. So the question is, will it confuse the heck out of the AI or not?…

echo October 23, 2021 12:23 AM

Still… even large organisations with much to lose who should know better are not doing it… And so they have ended up having to pay in ransom many hundreds of times the cost of properly checking their backups…

The organisations creating infrastructure critical software are the problem. Microsoft with its pseudo security initiatives, the lack of fully featured OSs available to consumers and/or business because they want to monetize effort and society to peddle cloud services, and lack of bog standard turnkey systems.

Corporate culture is a lot to blame as organisations and personnel are brainwashed. The habits and compromised decisions they make create the outcome.

Client journalism of all flavours doesn’t challenge this.

I read a comic years ago with a short story which, I now gather, was ripped off from a book someone wrote. It was the story of a man who visited a manufacturer or somesuch. Things rambled on as he tried to sell his robot but alas nobody was buying. The story ends with the man, lamenting the early death of his inventor, returning to the cave where he had been hiding and going into “doze mode” as he waited for the world to be ready for a humanoid AI…

Dave October 23, 2021 12:30 AM

NON-REPUDIATION built in everywhere.

Problem is that whatever geeks imagine non-repudiation might be it’s nothing like what lawyers know it actually is. So you either need to come up with a new term to describe whatever it is you’re hoping for or accept the fact that if you’re really referring to legal nonrepudiation then you’ll never get it.

Denton Scratch October 23, 2021 1:46 AM

that information is compromised so someone knows what field to monitor and when to look there

Thing is, it doesn’t really matter if snoopers know which field you’ve chosen; it’s really difficult to intercept words whispered in a field. At worst, you have a good chance of knowing if you’re being observed, and if you were followed. To spy on a “field-whisperer” without being detected, you’d need unreasonably-sensitive mike, probably with parabolic dishes. You can’t do it from a chopper, spyplane or satellite.

You could physically bug one of the participants, perhaps. And no mobile devices in my field! “Field” is a cipher, of course – substitute rowing-boat on a boating lake, bench in the park, fairground ferris-wheel.

There’s a good movie called The Conversation, about snooping on people in the open, using ultra-sensitive directional microphones and wired “passers-by”. It’s fiction, of course, but it shows that it’s not easy to snoop on people talking in the open, moving around.

Winter October 23, 2021 7:16 AM

@Clive
” like signal that yes does have some strong crypto in it, but it has no security by design. It keeps the crypto to it’s communications, not anything else it does or the rest of the system does.”

To be safe, you should not communicate. And also, do not leave your house and avoid people.

But if you have to communicate electronically, you yourself seem to advocate to separate the system that does the encryption and the system that does the communication.

A tablet/notebook that runs your own OS image that connects only to burner phones used as a hotspot would be a poor man’s system. The tablet can be kept separate from the phone.

Signal and Tor are often criticized, but only a few state actors are able to crack them, at high costs. And they enable you to keep your identity obscured for much longer than any alternative I know of.

Clive Robinson October 23, 2021 7:38 AM

@ Denton Scratch,

You can’t do it from a chopper, spyplane or satellite.

May not be true…

Think about “laser mics” and even “high reseloution high frame rate video”.

One of the hardest things for people to get to grips with are “natural transducers” that convert one form of energy into another.

Whilst it is easy to explain a “mirror galvanometer” in a science class and show how sensitive it is, the teachers do not mention that one of its limitations is mechanical vibration caused by loud sounds.

It’s been shown experimentally that many, many usually “hard” surfaces will move or resonate in sympathy with incident sound waves. To be mirror reflective all surfaces need to be “hard” at some level even if they look flexible at our level (think aluminized plastics etc).

One crude experiment has shown that a crumpled up crisp/chip bag will vibrate in response to sound waves and that it can be seen on video and some of the sound recovered from the video recording.

So in the case of say a “chopper” then yes, it might within the limits of physics be possible to pick up a “whisper in a field” off of someone’s glasses etc.

However I’m not holding my breath on it happening any time soon, because MEMS microphones and nanodrones are getting much more funding.

Clive Robinson October 23, 2021 8:29 AM

@ Winter,

To be safe, you should not communicate. And also, do not leave your house and avoid people.

Funny, just 5 mins before you posted this, I posted,

https://www.schneier.com/blog/archives/2021/10/problems-with-multifactor-authentication.html/#comment-390777

Which kind of covers this.

As for,

But if you have to communicate electronically, you yourself seem to advocate to separate the system that does the encryption and the system that does the communication.

Yes I do and a bit more besides some of which comes under OpSec.

The problem with both mobile phones and tablets, is by design and in some cases regulation, they are not fully under your control, and they have side channels that can be exploited by third parties.

Which brings us to,

but only a few state actors are able to crack them, at high costs.

In the more general case not just for “Signal and Tor”. Our host @Bruce has pointed out in the past not only do attacks get better with time, but also the skill level required likewise drops with time. I and many others have pointed out that likewise technology gets better with time and also the cost drops with time. Which means in effect,

What required a state level SigInt agency with billion dollar budgets yesterday can be done by a law enforcement agency or corporate with a spare million bucks today, and a script kiddy tomorrow with their pocket money.

Which is what we have seen over and over again.

So now with that in mind looking back at,

A tablet/notebook that runs your own OS image that connect’s only to burner phones used as a hotspot would be a poor man’s system. The tablet can be kept separate from the phone.

The question is “Can it?”

The hotspot brings the “communications end-point” off of the phone and onto the tablet/notebook where the app that has the “security end-point” in it runs.

How sure are you that the OS, drivers or other apps will not allow an attacker to “end run” the app with the security end-point in it and just access the app’s plain text user interface?

My confidence in this with modern OSes is zero; likewise we have seen “shim attacks” in device drivers being used for financial fraud, oh and just how many apps in the walled gardens of Google and Apple have been found to be stealing everything they can?

You have to apply strong segregation between the tablet/netbook and the phone, and realistically that is just not possible these days and still have ease of use and inter-operation.

So at the very least you need to take the security end-point off of the tablet/netbook and beyond the reach of the communications end-point.

To emphasize this requirement I talk of using pencil and paper “hand ciphers” that have strong security proofs like the One Time Pad.

But that is not the only reason I talk about OTPs; much, much less known is that they have other significant advantages over even the best of deterministic ciphers and codes. One of which is the “proof of deniability” by the first party in cases of betrayal by the second party, which comes with the OTP proof of security that “all messages are equiprobable”.
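Clive’s point about equiprobability and the deniability it gives the first party, as an added example that is not part of the comment: with a one-time pad, whoever holds the ciphertext can derive a second key that turns it into any cover message of the same length, so a pad handed over by the second party proves nothing about which message was actually sent. The sample messages and function names are constructed for illustration.

```python
import os

def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """XOR each plaintext byte with the matching key byte (a one-time pad)."""
    if len(key) < len(plaintext):
        raise ValueError("one-time pad key must be at least as long as the message")
    return bytes(p ^ k for p, k in zip(plaintext, key))

# Decryption is the same XOR operation with the same key.
otp_decrypt = otp_encrypt

def forge_key_for(ciphertext: bytes, cover_plaintext: bytes) -> bytes:
    """Derive the key under which `ciphertext` decrypts to `cover_plaintext`.

    This is the deniability property: because every key is equally likely,
    every same-length plaintext is a valid decryption under some key.
    """
    if len(cover_plaintext) != len(ciphertext):
        raise ValueError("cover text must have the same length as the ciphertext")
    return bytes(c ^ m for c, m in zip(ciphertext, cover_plaintext))

def deniability_demo() -> dict:
    """Encrypt a real message, then produce a second key yielding a cover message."""
    real = b"meet at the old mill at dawn"      # constructed sample, 28 bytes
    cover = b"bring the grocery list today"     # constructed sample, 28 bytes
    key = os.urandom(len(real))                 # genuine pad: uniform random bytes
    ciphertext = otp_encrypt(real, key)
    fake_key = forge_key_for(ciphertext, cover)
    return {
        "real_recovered": otp_decrypt(ciphertext, key) == real,
        "cover_recovered": otp_decrypt(ciphertext, fake_key) == cover,
        "keys_differ": fake_key != key,
    }

if __name__ == "__main__":
    print(deniability_demo())
```

A third party shown the ciphertext plus the forged pad cannot distinguish it from the genuine pad, which is exactly why the real pad must be destroyed after use.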

Winter October 23, 2021 10:55 AM

@Clive
“To emphasize this requirement I talk of using pencil and paper “hand ciphers” that have strong security proofs like the One Time Pad.”

That is as close to “not communicating” as you can get: that cannot even supply 19th century level paper mail correspondence. If you want to be a political activist, say, unionized, climate change or squatter, you need to share documents and photographs. Pencil and paper won’t cut it. No activism for you. But I do not see the MOSSAD or NSA putting up all guns against some local activists.

@Clive
“My confidence in this with modern OSes is zero; likewise we have seen “shim attacks” in device drivers being used for financial fraud, oh and just how many apps in the walled gardens of Google and Apple have been found to be stealing everything they can?”

Use LineageOS on a tablet without GPS and GSM (but I believe you need a GSM chip for Signal). Strip all apps you do not need. The burner phone is not registered with Google and is only used as a WiFi hotspot. It is replaced regularly.

I am pretty sure there are people who can infect a LineageOS installation over WiFi from a low spec mobile phone that has been anonymously online for a few hours over its lifetime, but I would scale that risk as low for a mere nuisance like some climate change or union activist.

If there is anything I learned from Bruce et al., it is that security and privacy are not all or nothing (because it would always be nothing).

ResearcherZero November 1, 2021 1:22 PM

@Winter

If you use a VPN in China, or other circumvention tools, according to a leaked document from police you may be using “terrorist software”.

…the document specifically says that the circumvention tool has been classified by the public security bureau as a type of “second class violent and terrorist software”

hxxps://hongkongfp.com/2016/10/29/leaked-xinjiang-police-report-describes-circumvention-tools-terrorist-software/

The Communist Party has directed one of the country’s largest state-run defense contractors, China Electronics Technology Group, to develop software to collate data on jobs, hobbies, consumption habits, and other behavior of ordinary citizens to predict terrorist acts before they occur.

By using circumvention tools you would therefore be avoiding pre-crime terrorist prediction, hence behaving like a terrorist.

hxxps://news.slashdot.org/story/16/03/04/2111250/china-tries-its-hand-at-pre-crime

The program is unprecedented because there are no safeguards from privacy protection laws and minimal push-back from civil liberty advocates and companies.

(paywalled)

hxxps://www.bloomberg.com/news/articles/2016-03-03/china-tries-its-hand-at-pre-crime

So obviously China needs to install backdoors in ZTE and Huawei equipment, then bulk intercept communications around the world, to prevent and track terrorist activities.

“Once you get into the tens of thousands, the attacks qualify as mass surveillance, which is primarily for intelligence collection and not necessarily targeting high-profile targets. It might be that there are locations of interest, and these occur primarily while people are abroad,”

hxxps://www.theguardian.com/us-news/2020/dec/15/revealed-china-suspected-of-spying-on-americans-via-caribbean-phone-networks

“the goal of the attackers behind these intrusions was to gain and maintain continuous access to telecommunication providers and to facilitate cyber espionage by collecting sensitive information, compromising high-profile business assets such as the billing servers that contain Call Detail Record (CDR) data, as well as key network components such as the Domain Controllers, Web Servers and Microsoft Exchange servers.”

hxxps://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos

I think I’ve heard of this happening somewhere before, but I can’t remember where it happened, or what the precedent was to establish this kind of global surveillance system, but I do remember experts voicing some concerns over it.
