
Saudis suspected of phone spying campaign in US - pulisse
https://www.theguardian.com/world/2020/mar/29/revealed-saudis-suspected-of-phone-spying-campaign-in-us
======
arkadiyt
In addition to letting you read someone's location, SS7 lets you intercept
their SMS messages. This is used by, for instance, criminal groups to
intercept 2fa codes or go through SMS-based password reset flows and log into
people's bank accounts:

[https://www.vice.com/en_us/article/mbzvxv/criminals-hackers-...](https://www.vice.com/en_us/article/mbzvxv/criminals-hackers-ss7-uk-banks-metro-bank)

~~~
vbezhenar
Almost everyone has a smartphone. A bank app is much more secure than SMS,
because HTTPS allows information to be encrypted all the way from the bank
server to the end device. It's possible to create a much more pleasant UI with
a single touch rather than typing that OTP. And it's even possible to create a
more secure solution by requiring a fingerprint.

And if Apple and Google would implement some kind of universal solution, every
website could utilize this technology making 2FA more secure and usable.

It's kind of strange that we're still using SMS so widely.

Also SMS is not that cheap, while push is free.

Sure, SMS is fine as a fallback option, just like voice call is fine as a
fallback option for SMS, but that's about it.

~~~
closeparen
Are there any US consumer bank accounts that can be configured for 2FA other
than SMS?

In the brokerage space, Robinhood accepts TOTP and Fidelity accepts Symantec
VIP (proprietary TOTP-alike). But I don't know of any checking or savings
accounts that can be protected this way.

~~~
js2
FYI, you can use this utility to get the Symantec TOTP code into a standard
TOTP program like Authy or Google Authenticator:

[https://github.com/dlenski/python-vipaccess](https://github.com/dlenski/python-vipaccess)

~~~
closeparen
Woah, interesting! I thought TOTP used a shared secret rather than asymmetric
encryption. The only thing I had to give Fidelity was the credential ID. Is
that enough to generate or verify codes? Or does that require key material
that only Symantec has?

~~~
js2
This blog post explains how it works:

[https://www.cyrozap.com/2014/09/29/reversing-the-symantec-vi...](https://www.cyrozap.com/2014/09/29/reversing-the-symantec-vip-access-provisioning-protocol/)

But yes, the original author extracted a pair of shared secrets from the
Symantec executable.

------
brenden2
Get in line Saudis, there are a lot of people doing phone spying campaigns in
the US.

------
aussieguy1234
Looks like as long as the victims stop using their Saudi SIM cards, they won't
be able to be tracked because this relies on roaming.

Saudi carriers might mysteriously offer "special exclusive roaming deals" so
they can keep tracking.

------
nyolfen
how granular is ss7 psl data? if it's decades old i suspect it isn't gps
coords or anything (not diminishing the seriousness of this; mostly curious
about whether this is something the rest of us should be worrying about)

~~~
rsync
"how granular is ss7 psl data?"

It's not based on physical distance or geography - it is based on the cell
"tower".

Basically, SS7 will tell you which cellular base station the mobile handset is
registered on.

There are easily accessible, public lookups of the location of all of those
"cell towers".

~~~
chiph
I use a micro/femto cell at home because of poor reception from the big
towers. If they had access to those records, they could locate me to the
street address (needed for E-911 service) now that I'm under a stay-home
order.

~~~
SpikeDad
Doesn't WiFi calling render microcells irrelevant?

~~~
chiph
Most likely. But I don't have a phone with that service, so this is what I've
got. ;)

------
flerchin
Oddly specific use-case. This only tracks the location of folks with Saudi
sim-cards using roaming in the US. Even then, only down to the tower. Now that
the Guardian has blown the lid off, I expect this is largely worthless for
them now.

------
chirau
What is the issue here? Does the US not spy on pretty much every other country
and its people?

~~~
DangitBobby
They probably don't like that very much either.

------
dontbenebby
_Only_ the Saudis?

------
hn_throwaway_99
Why the heck are the Saudis still considered 'allies' of the US? Besides the
long-running terrorism concerns, there's the murder of Khashoggi, them spying
not just on their own citizens but also on US ones, and they are currently
waging a war against our domestic oil producers. With 'friends' like that who
needs enemies?

~~~
SpikeDad
Because a) oil and b) Trump properties making his kids (and himself of course)
billions.

~~~
sakopov
The relationship with the Saudis didn't start with Trump's presidency.

------
Natsu
Meanwhile, everyone else is tracking movements for Coronavirus, so if we get a
response, I expect them to say the same thing.

~~~
nieve
It might be hard to sell the idea that you're tracking people in another
country for that. The data is on a minuscule number of people in the US and
you're missing a lot of data you'd need for a reasonable analysis.

All of which is to say yeah, they're probably going to.

~~~
dillonmckay
Is that not the point of the 5 eyes?

As long as other countries spy on our citizens, and share the data with our
government, there is no problem!

------
mirimir
This is rather a "man bites dog" title ;)

Edit: It's also hardly worth reporting, or at least, with the sense of outrage
that I get from it. I mean, anyone who cared would realize that the Saudis
would track and snoop on cellphone users, no matter where they were. And so
nobody who cared about that would use their Saudi phone. They'd just buy a
phone at Walmart or wherever.

~~~
dontbenebby
> _anyone who cared would realize that the Saudis would track and snoop on
> cellphone users, no matter where they were. And so nobody who cared about
> that would use their Saudi phone. They'd just buy a phone at Walmart or
> wherever._

That's a very victim blame-y take.

Most people are not HN readers and have no idea what SS7 is.

Even if they know about cell tower tracking they'd probably expect that info
would not be handed over by the USA to KSA.

~~~
mirimir
OK, so I'm not Saudi, and perhaps I'm way off base here. But I find it hard to
imagine that Saudis -- or at least Saudis who'd be traveling in the US --
wouldn't assume that their government is tracking and monitoring them. Indeed,
I'd expect that awareness to be _more_ common in Saudi Arabia than in the US,
because the US at least pretends to honor human rights.

Also, an expectation of surveillance doesn't depend on understanding the
technology.

~~~
dontbenebby
> OK, so I'm not Saudi, and perhaps I'm way off base here. But I find it hard
> to imagine that Saudis -- or at least Saudis who'd be traveling in the US --
> wouldn't assume that their government is tracking and monitoring them.

Yes, "they should expect they will have their human rights violated on US soil
and it's on them to buy a burner" is off base.

Anyone legally in the United States (including tourists) gets constitutional
protections.

You can expect whatever you want but illegal spying on US soil by an
authoritarian regime is absolutely a news story.

Every embassy is a spy outpost, but they usually leave people who aren't at
least semi-public figures alone.

Then again, maybe everyone is abusing SS7 and KSA is just who got caught with
their hand in the cookie jar.

~~~
mirimir
> Yes, "they should expect they will have their human rights violated on US
> soil and it's on them to buy a burner" is off base.

If that's the case, Saudi censorship is more effective than I'd imagined.

> Anyone legally in the United States (including tourists) gets constitutional
> protections.

In theory, yes. In practice, it's prudent to assume that the NSA sees
everything.

> Then again, maybe everyone is abusing SS7 and KSA is just who got caught
> with their hand in the cookie jar.

That's my default assumption.

~~~
mirimir
It'd be cool to know what Saudis generally believe about their government's
surveillance policies. Anyone have any links?

------
ssssss777
This isn't spying and the US would not be the only country involved.

Carriers track their own subscribers' locations no matter which network they
are on. Inter-carrier roaming agreements require this ability. So it appears
the Saudis have a new use for it.

The increased focus on SS7 security actually increases reliance on
inter-carrier PSI. PSI is sent to the last known serving MSC to retrieve the number
of minutes since last network contact. This info is used to enable a velocity
check against a network attached request coming from a new country. It's this
type of check that combats SMS interception.
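
Added example (not part of the original comment, and not any carrier's code): the velocity check described above, written as Python detection logic. The country reference points, the speed ceiling, the overhead floor and the allow/review/reject outcomes are all assumptions chosen for illustration.

```python
import math

# Approximate country reference points (lat, lon); constructed sample data.
COUNTRY_POINTS = {
    "SA": (24.7, 46.7),   # Riyadh
    "US": (38.9, -77.0),  # Washington, DC
    "BH": (26.2, 50.6),   # Manama
}
MAX_SPEED_KMH = 900.0  # assumed ceiling: commercial airliner cruise speed
MIN_OVERHEAD_MIN = 60  # assumed floor for boarding, taxi and re-attach


def great_circle_km(a, b):
    """Haversine distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def velocity_check(last_country, age_minutes, new_country):
    """Decide whether an attach request from new_country is plausible.

    age_minutes is the "minutes since last network contact" value that
    PSI retrieves from the last known serving MSC; None means the PSI
    query returned nothing.
    """
    if new_country == last_country:
        return "allow"
    if age_minutes is None:
        return "review"  # no evidence either way; do not silently allow
    try:
        km = great_circle_km(COUNTRY_POINTS[last_country],
                             COUNTRY_POINTS[new_country])
    except KeyError:
        return "review"  # country missing from the reference table
    # Fastest plausible journey: flight time plus fixed ground overhead.
    needed = km / MAX_SPEED_KMH * 60 + MIN_OVERHEAD_MIN
    return "allow" if age_minutes >= needed else "reject"
```

One reference point per country is coarse: subscribers who live near a land border can legitimately attach in the neighbouring country within minutes, so a production check would need finer location data for adjacent countries.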

~~~
neonate
I assume MSC is this:
[https://en.wikipedia.org/wiki/Mobile_switching_centre_server](https://en.wikipedia.org/wiki/Mobile_switching_centre_server).

What is PSI? Edit: thanks!

~~~
lmz
From the article: "Provide Subscriber Information SS7 message"

