How insecure is America's FirstNet emergency response system? Seriously, anyone know?

AT&T is "concealing vital cybersecurity reporting" about its FirstNet phone network for first responders and the US military, according to US Senator Ron Wyden (D-OR), who said the network had been dubbed unsafe by CISA. In a letter [PDF] sent to the US government's Cybersecurity and Infrastructure Security Agency (CISA) and …

  1. Ghostman
    Mushroom

    They trusted who?

    AT&T. Oh My God!! At least they didn't give the contract to somebody that's been hacked 5 times in 6 years. Yes, T-Mobile, I think it's time to change my phone number again. What with somebody calling me every 4 minutes with offers of free Covid tests, calling from the "Medicare Help Center" and all the numbers come back as not in service.

  2. DS999 Silver badge

    Where else

    Do we use a protocol that's 50 years old and known to have major security shortcomings? I guess once AT&T lost its monopoly the updates to the Switching System protocol were over.

    I mean even protocols that are nearly as old and nearly as important like SMTP have had layers upon layers of other stuff to support encryption and key exchange which while not universally used at least CAN be used. SS7 has had very little of that, and is basically the same as it was in the 70s when the worst someone could do with intimate knowledge of the phone network was make free international calls. Now that most people in the world carry a personal tracker that's linked via radio to that network everywhere they go the security consequences are a wee bit more significant!

    1. Michael Wojcik Silver badge

      Re: Where else

      Yeah! Flag Day was only 40 years ago!

  3. Pascal Monett Silver badge

    "CISA does not comment on congressional correspondence"

    As much as that may be justified, it still feels like a cop-out for legitimate journalistic inquiry.

    With that kind of excuse, actual journalists might as well just follow Twitter for the news (and I don't think that that is a good thing).

  4. Ideasource Bronze badge

    Security is an application level concern

    Networks are never to be trusted.

    If you need secure communications then you don't use standard telephone calls, after all there's no telling which underpaid disgruntled network employee has been compromised today.

    If you're looking for location anonymity, then you better maintain radio silence and not carry the cell phone technology in the first place.

    Physics says that if you're transmitting a signal then you are trackable.

    Enough compromise. Pick a direction for the sake of competency.

    1. Anonymous Coward

      That's only one layer of the problems

      Overlay encryption as you describe only covers privacy, which often isn't even a critical function for this system.

      There are bigger threats that the underlying network issues create, and things like flaws in SS7 enable. Spoofing access to the supposedly reserved network, denial of service attacks, call and message hijacking. None of these are things you want happening during a critical emergency.

  5. Toe Knee
    FAIL

    FirstNet Customer

    As a FirstNet “customer”, I’m not shocked that it’s held together with string and duct tape. Its only selling point is prioritization and the use of an exclusive, otherwise unused LTE band.

    NIST says it won’t fall over under load, and even that’s questionable.

    The main effort by AT&T seems to be identity verification and billing. Must be nice to have a monopoly contract.

    1. Anonymous Coward

      FirstNet was always a scam.

      Loved only by lobbyists, and serving only the interest of the vendors.

      This great publication has cataloged the failures of it and the TETRA radios over the years, and the efforts of Motorola and the phone carriers to sabotage any proposed system not based on their network.

      As to it falling over under load, it always has, but it is in good company with every other emergency communications system we have ever designed. The reality is that disasters have the capability to scale well beyond our communications networks. And human nature is that the first thing we do when the shit hits the fan is to grab our phone and start trying to figure out what happened.

      That isn't to say the plan is totally without merit, just that like most other things it needs a backup system, and AT&T needs to either be replaced or held to much closer account. But that reserved network capacity is still brittle, and while it is more resilient than the main network, there are still too many places where the networks cross each other, and shared infrastructure.

      Right now plan B is still an army of old people with HAM radios. If you ever see them, thank them for their service, but we should really consider making them plan C and go back to making an open source emergency radio network. Just this time don't hand the project to a company that sells more cell phones than radios. Let the hardware hackers at Def Con prototype it for you this time, just like we do for a new hashing algorithm. I'm sure they can build one on Kali Linux that also has gsm/LTE support. :)

    2. ecofeco Silver badge

      Re: FirstNet Customer

      "I’m not shocked that it’s held together with string and duct tape."

      Having worked for att for a very short time doing I.T. support to the field techs, if you only knew HOW bad it was, you would run screaming for the hills and then drink yourself to death.

      It's a goddamn miracle it works at all.
