We’ve been warning about this for literally three decades, ever since CALEA mandated wiretap-ready telecom infrastructure. And this is merely the latest example of how these dangerous interfaces can be turned against us by our adversaries.
https://mastodon.social/@fj/113253726161428151
Tl;dr: creating one-stop shopping for attackers is a bad idea.

Exploits of "lawful access" interfaces, such as the Chinese attack reported today by the WSJ, appeared almost immediately after they became standardized in the '90s. The most famous example is the case known as "the Athens Affair": https://spectrum.ieee.org/the-athens-affair

It was a bad idea then, and still a bad idea now.

The Athens Affair is interesting for a number of reasons, but it's particularly notable that the switch that was compromised didn't actually have the CALEA option installed from the factory (since it wasn't then required in Greece). But it was added through a software update (induced by the attacker), and then exploited.
Anyway, my "told you so" muscles are pretty weary at this point.
Also, I'd be remiss if I didn't note that all the reasons that "lawful access" features in telecom infrastructure are risky apply at least equally to the periodically revived proposals for "key escrow" backdoors in cryptographic systems. Fortunately, we've mostly held back the tide on those, but they come up every few years. It would be a security disaster if they're ever mandated.

Mandated wiretap interfaces and cryptographic backdoors are *expensive*, both in terms of money and, more importantly, exposure to risk. Worse, those burdens are borne inequitably.

Overall, almost no one is the subject of a lawful wiretap, even in places where wiretapping is an important investigative tool. Most people aren't suspects. But these mandates degrade security (and impose other costs) for *everyone*, the vast majority of whom will never be wiretapped.

A far more equitable, more secure, and less expensive approach is to devote law enforcement resources to targeting actual suspects, e.g., by the traditional methods such as informants and technical approaches such as "lawful hacking". While these aren't particularly pleasant for those targeted by warrants, they have the great virtue of allowing law enforcement to do its work without degrading security or privacy for the rest of us.
Every now and then the police execute search warrants on physical places. It would certainly be *easier* if we mandated that everyone keep their doors unlocked. But that would be crazy; in the name of solving crimes, we'd be vastly increasing the burglary rate. A much better approach - the one we use - is to buy the police lockpicks and battering rams for use in the relatively small number of cases where they're needed.
Another problem with these "lawful intercept" and "lawful access" mandates: they've suffered from automation creep. When CALEA was envisioned and passed, wiretaps would be at least partly manually provisioned, requiring someone at the central office to complete a work order or physically connect something. Over time, much of that work has been automated, controlled entirely by software. The effect has been an amplification of the risks. Compromises that were once retail are now wholesale.
And that seems to be exactly what we saw with the breach reported by the WSJ. In the "Athens Affair" two decades earlier, a hundred or so subscribers were intercepted, in a major offensive intelligence operation. But today, the Chinese government managed to compromise two major US telecom carriers, likely with similar levels of effort.

Also, these wiretapping systems have become so bloated and complicated (a security risk in and of itself) that there are now intermediate service providers that act as a buffer between carriers and law enforcement. Compromise one of them, and you've hit the interception jackpot.

I wouldn't be surprised if that's what happened here.

In a different context, the compromise of intermediary service providers was the primary vector by which Russian intelligence was able to breach many states' election system backends in 2016. It's a very powerful attack surface.

@mattblaze

“The purpose of a system is what it does.” 🤷🏻‍♂️

@mattblaze
Also, no one ever remembers when, post-9/11, AT&T, Sprint and Verizon had employees in the FBI anti-terror office with terminals to do quicker lookups. Pretty quickly the minimal paperwork was dispensed with, and FBI agents would just write down phone numbers on post-it notes and hand them over to get call chains.

Before the office of inspector general report came out, Obama's DoJ retroactively legalized it.

Backdoors don't just get hacked, they get abused.