Just When You Thought It Was Safe . . .

Yet one more of our older technologies is now a big target for hackers. Recently hackers have been able to use the SS7 (Signaling System 7) network to intercept text messages from banks using two-factor authentication and then clean out bank accounts.

This is not the first time that SS7 has been used for nefarious purposes. Industry experts started to warn about the dangers of SS7 back in 2008. In more recent years there have been numerous reports that the SS7 network has been used by governments and others to keep tabs on the locations of some cellphones. But the use of the SS7 network to intercept text messages creates a big danger for anybody using online banking that requires text-message authentication. Once a hacker intercepts a text verification code they can be inside your bank account.

Once a hacker is inside the SS7 network they can use the protocol to redirect traffic. This was recently demonstrated on 60 Minutes when German hackers intercepted phone calls made to Congressman Ted Lieu, with his permission. SS7 can be used to direct, block or perform numerous functions on any telephone number, making it a great tool for spying.

Telephone techs are familiar with SS7 and it’s been with us since 1975. It was developed by Bell Labs and was the technology that allowed the creation of what we’ve come to call telephone features. SS7 technology allowed for the telephone system to snag pieces of called or calling numbers and other network information and led to the creation of such features as caller ID, call blocking, call forwarding and numerous other features.

In the telecom world SS7 is carried on a separate network from the paths used to route telephone calls. Every telephone carrier on the network has separate SS7 trunks that all connect regionally to SS7 hubs, known as STPs. It is the ubiquitous nature of SS7 that makes it vulnerable. There is an SS7 connection to every telephone switch, but also to private switches like PBXs. If the SS7 network was a private network that only connected telco central offices it would be relatively safe. But the proliferation of other SS7 nodes makes it relatively easy for a hacker to gain access to the SS7 network, or even to buy a connection into the SS7 network.

It has now become dangerous to use two-factor authentication for anything. While access to bank accounts is an obvious target, this kind of hacking could also gain access to social networks, entry into corporate WANs or any software platform using two-factor authentication. Some banks have already announced that they are going to abandon this kind of customer authentication, but many of the larger ones have yet to act. You have to think most of them are looking into alternatives, but it’s not particularly easy for a giant bank to change their customer interfaces.

There is a replacement for SS7 on the way. It’s an IP-based protocol called Diameter. This protocol can replace SS7 but also has a much wider goal of being the protocol to authenticate connections to the Internet of Things as well as VoIP communications from cell phones using WiFi.

Banks and others could change to the Diameter protocol and send encrypted authentication messages through email or a messaging system. But this would not be an easy change for the telephone industry to implement. The SS7 network is used today to support major switching functions like the routing of 800 calls and the many telephone features like caller ID. Changing the way those functions are done would be a major change for the industry. It’s one of the many items being looked at by the industry as part of the digital transition of the telephone network. But if it was decided tomorrow to start implementing this change it would require years to make sure that all existing switches keep working and that all of the SS7-enabled functions keep working as they should.

SS7 was implemented long before there was anything resembling a hacker. For the most part the SS7 network has been working quietly behind the scenes to do routing and other functions that have increased the efficiency of the telephone network. But as with most older electronic technologies, the SS7 network has numerous flaws that can be exploited by malicious hacking. So it probably won’t be too many years until the SS7 networks are turned off.

Barriers to Home IoT

The early IoT industry has been busy making smart thermostats and monitors of all kinds for homes, but the industry so far has not done as well as some industry analysts predicted. I think there are a number of barriers that have to be overcome for this to become a widespread technology.

Ease of Installation. Ideally you could buy an IoT device, take it out of the box, push a button, and it would work. But there are almost no devices yet like that, and many devices will never work like that. Hooking up a thermostat and many other smart devices means electrical wiring work, and most people aren’t comfortable doing this on their own and are not always ready to pay an electrician to do this for an IoT device. Putting in a smart door lock means changing out the old one, and anybody who ever changed a door lock knows that it is never as easy as it ought to be.

Ease of Connection. Even after you install most current IoT devices you aren’t done; you next have to connect them to your home network. We are not yet at a time when a device can self-configure, and perhaps we never want it to be that easy since a device that can do that can also be easily hacked to reconfigure. But if you think people are uncomfortable wiring a thermostat, there are just as many people who are uncomfortable messing with the settings on their home WiFi networks.

Fear of Hacking. It doesn’t take very much web research about home IoT devices to run into articles about the lack of security in these devices today. People don’t want an outsider to be able to hack into their surveillance cameras to watch them or to be able to maliciously tinker with the settings on any of their devices. Until the industry gets serious about security, this fear factor is very rightfully going to be a barrier to entry for a lot of people.

Ease of Using the Information Generated. When I read the literature on a home energy system it goes into great length to describe the great graphs and charts it will generate for me about my energy usage. But I don’t think most people want data – they want solutions. They don’t want to have to interpret data on hourly usage and then decide how to tinker with the settings to get the results they want. People want solutions and they are going to want IoT devices that understand what they want and take care of the details. If you have to constantly monitor the data out of your IoT devices and then fiddle to achieve your goals, then what you’ve really gained is a new chore – and none of us want that. I think what we are waiting for is the smart house that can take care of all of the IoT devices for us.

Solving One Problem and Creating Another. I took a look at getting smart door locks. But as I thought through how they work I could see they were not for me. They work by interfacing with your cellphone and also have a manual override. But I am the prototypical absent-minded professor-type and I rarely have my phone with me when I leave the house, even when I should. I picture myself locked out of my house and not able to remember the manual code. And who the heck do you call – a locksmith or an IT guy? And oh crap, my phone is locked inside the house.

Value Proposition. In many cases I just don’t see the value proposition that some of the early IoT devices deliver. For instance, do smart locks really make my home any safer from a guy with a crowbar? Do I really need to pay extra for a smart refrigerator or dryer? It might be that the value propositions are there, but the manufacturers need to do a better job of convincing me why any device is indispensable in my life.

Only for Do-it-Yourselfers. All of these issues tell me that everybody who is not a do-it-yourselfer is going to want and need help with IoT, either in setting it up, configuring it or deciding how to use it. Today only a certain rather small percentage of the population is willing to tackle all of those tasks, and that is probably the limiting factor for most people.

But there is an upside to any business that can devise a business plan to help people with IoT devices. Cable companies, telcos and ISPs are certainly in an ideal spot to be that vendor for many homes. All that is really needed is that your customers like you and trust you. And trust is the key word. When you want to have a home security system installed you must trust the company and the people doing the work. I remember back when I lived in Maryland that Comcast once sent a tech to my house who was driving a dilapidated 25-year-old pickup and dressed poorly. This guy was clearly a contractor and I would not have let this guy install a Comcast burglar alarm in my house. But the Comcast technician in Florida showed up in a Comcast truck and seemed very knowledgeable and professional and is somebody I would be more likely to trust.

There is a large percentage of people who are never going to want to fiddle with IoT devices, no matter how easy this becomes. I can’t foresee the day, until maybe when we all have smart robots, that a smart home is going to be easy enough for the average person. There are too many components of a smart house that are going to be beyond the comfort level of most people. And that sounds like a permanent new service business to me.

A Backdoor into Your Network

A friend of mine just got hacked. He operates a CPA firm and somebody broke into his server. They deleted a bunch of records and made a mess of things. He has no idea of who did this or why. Maybe it was somebody who is mad at him or somebody who was hoping to destroy their own records to avoid an IRS audit. Or perhaps it was somebody hoping to grab matching social security numbers and addresses.

But he knows how they did it. He has an old telephone key system at his office, and that key system has a phone connected into his old data server. This always provided him a path to call into the server remotely to get access to files. But he hasn’t used that connection for years and forgot all about it. And of course, his password on the old server connection was something very easy to crack.

And this prompts me to warn all of my clients to think about what sort of old equipment and networks you are operating. It’s very likely that some of you still have connections into servers in your central office or headend that can be accessed by telephone. And certainly you have customers who have this situation.

It’s mandatory these days to build firewalls and other protections around our servers. These sorts of protections will keep out most hackers from your network. But I know that many of you still have backdoors that bypass such protection. These are backdoors that you use from time to time, or maybe, like my friend, they are something you have completely forgotten about.

And while we are talking about old connections, telephone back doors are not the only thing to worry about. In the telecom industry we installed a lot of gear over the years that was connected via serial ports. You probably remember those ‘ancient’ 9-pin plugs that were used to provide access to routers and various pieces of telecom gear, mostly on customer CPE. Just as there are still plenty of older phone connections into routers, there are plenty of these serial port connections still running.

A security professional at Rapid7 ran a scan last year on the Internet and within a few days had found over 100,000 devices that were still connected to a network using serial ports. And these networks are connected to the world. The devices he found were of all sorts, like traffic lights, fuel pumps, telecom gear, heating and cooling systems – the kind of systems that a hacker could wreak serious havoc with. And he thinks the 100,000 devices he found are just the tip of the iceberg.

Hacking serial ports is really easy to do. Just like my friend’s phone line connection, it is likely that devices connected by serial ports are not protected behind firewalls and are open to easy access.

So it is time to take a look around your network, including at your customers’ sites, and take a critical look at how things are connected. It might be time to finally get rid of back door phone lines, serial ports or any other older technology that is not secure enough. We all have the philosophy in this industry that if it ain’t broke don’t fix it. But as my friend found out, that is really not a good enough reason to not take a look at your network from time to time. It was very lucky for my friend that he had a backup of his data and didn’t lose a lot of tax records. But he did expose his clients’ information to somebody unknown and so there is no telling what that might mean.