
Everyone's Privacy is for sale but not this... What's that all about?
Elites from CEOs to Celebs to Politicians can pay AT&T extra to stay clear of ISP slurping, but this type of tracking is still toxic to them....
US Democrats have written to America's communications watchdog the FCC complaining the mobile industry needs a kick up the backside to fix serious flaws in its networks. Last week the FCC's Communications Security, Reliability and Interoperability Council (CSRIC) published its final report [PDF] into the Signaling System 7 …
..if the FCC will take any notice:
10 If ISP_Cost > 0 then goto Fail
20 If ISP_Profit_from_Action <= 0 then goto Fail
30 if ISP_Doesnt_Like_it then goto Fail
40 Print "We will implement when time is right"
45 Exit
50 Proc(Fail)
60 Print "We believe that the proposal will harm consumer choice and is Bad and Evil"
65 Delete $Proposal
70 Exit
"No one else seems to care, sniff politicians"
Maybe the problem is that, unlike politicians, the telcos know enough about the subject to be aware that changing SS7 would need to be done through the ITU, be agreed upon and accepted by member states, be implemented by vendors and that the end result would still need to be backward compatible with what's deployed now.
There's a whole stack of players involved that really don't give a shit about what the DHS and FCC think, much less US politicians - in fact, there's probably a number of involved parties who would be likely to oppose any proposed changes for no better reason than the US wants them. Being a Muslim or Russian does not disbar a country from ITU membership.
Stingrays are for the air interface and have little to do with SS7. Stingrays usually downgrade security to A5/0 or A5/1. If you have SS7 access, the network you target does not have an SS7 firewall, and you know what you are doing, you don't need Stingrays. There is the possibility of combined attacks, but that would go off topic.
Not even going to ITU or 3GPP would work. There was once a try called MAPSec (in 3GPP). The problem is a different one. You need PKI for this (or for NDS/IP security in Diameter 4G/5G) and who would be trustworthy enough to host such a GLOBAL PKI with cert revocation, key generation etc... Name one country and I'll name you another country that won't accept it, and for good, justified reasons.... Not to mention the triviality: who will pay for it? The third operator in an African country in a civil war will not have the money (or expertise for that matter) for getting a cert and setting up IPsec on their interconnect link (telco protocols are not exactly user-friendly). And they are also connected to the IPX network.
This is not a particularly US problem... I'm afraid telcos will need to look into things like network security on their core network in defensive terms. In other countries this is already better understood. After all, in a connected world, cellular networks are critical infrastructure....