At some point you have to wonder how privacy and security wasnt a factor at all in the minds of engineers designing these systems- it has to be intentional, right? Did no one stop to consider how the system theyre building could be abused against the general public? Did they just not care?
CharlesW 1 hours ago [-]
> At some point you have to wonder how privacy and security wasnt a factor at all in the minds of engineers designing these systems- it has to be intentional, right?
Yes. SS7 is a half-century old, designed for a world of state telecom monopolies and a handful of tightly-peered carriers. The threat model could safely assume that only vetted operators could connect. It's unlikely that anyone involved believed that SS7 would still exist in 2000, much less 2025.
Almost as crazy as email and HTTP being designed without encryption, amirite?
SS7 dates from the early 1980s, as do SMTP (1981) and HTTP (1989). In all three cases people build the simplest thing that works and then hacked on it as new requirements arose. The main problem is that the telco world is very conservative and closed-source, so while we've had HTTPS and encrypted IMAP etc for a while now, SS7 hasn't gotten similar upgrades.
1 hours ago [-]
defrost 2 hours ago [-]
It starts as a shoehorn to solve a relatively (initially at least) uncommon bridging problem.
Later such things are grandfathered in having never been properly designed or funded for security, etc.
Signalling System 7, or SS7, is a decades-old set of protocols that allows phone networks to communicate with one another, routing messages and calls across borders.
It was never designed with security in mind, and while operators have moved to more secure evolutions with 4G and 5G, they still need to maintain backwards compatibility with SS7. This is likely to remain the case for years if not decades to come.
Phone networks need to know where users are in order to route text messages and phone calls.
Operators exchange signalling messages to request, and respond with, user location information. The existence of these signalling messages is not in itself a vulnerability.
The issue is rather that networks process commands, such as location requests, from other networks, without being able to verify who is actually sending them and for what purpose.
hsbauauvhabzb 2 hours ago [-]
I doubt it’s the engineers. They just build what someone else has requested, they can provide suggestions and suggestions can be ignored.
ewuhic 2 hours ago [-]
They were and still are dumb and naive. This comment is going to be downvoted.
rangerelf 2 hours ago [-]
You're not wrong.
I've seen so many things announced that make me ask myself "But, why?".
bendouglas 54 minutes ago [-]
Is there anything a common person can do to help reduce the likelihood of their phone being tracked via SS7? (other than not carrying a phone or disabling the mobile network)
Yes. SS7 is a half-century old, designed for a world of state telecom monopolies and a handful of tightly-peered carriers. The threat model could safely assume that only vetted operators could connect. It's unlikely that anyone involved believed that SS7 would still exist in 2000, much less 2025.
https://www.eff.org/deeplinks/2024/07/eff-fcc-ss7-vulnerable...
SS7 dates from the early 1980s, as do SMTP (1981) and HTTP (1989). In all three cases people build the simplest thing that works and then hacked on it as new requirements arose. The main problem is that the telco world is very conservative and closed-source, so while we've had HTTPS and encrypted IMAP etc for a while now, SS7 hasn't gotten similar upgrades.
Later such things are grandfathered in having never been properly designed or funded for security, etc.
I've seen so many things announced that make me ask myself "But, why?".