
Hackers are stealing years of call records from hacked cell networks - saravana85
https://techcrunch.com/2019/06/24/hackers-cell-networks-call-records-theft/
======
patrickhogan1
There is truth that CDR data is valuable. The problem with this article is the
hyperbole the researchers use to describe the data.

1. Researcher says CDR contains all the raw data you send. False. It contains
call detail records. Not your internet traffic. Not your Facebook calls. Not
your iCloud or WhatsApp messages.

2. The researchers here fail to share who was targeted and share almost no
verifiable data to confirm what they found. Anyone could claim to have found a
hack like they claim and get credit without providing any details to draw a
big headline.

Seems like marketing not research.

~~~
matthewdgreen
Does anyone remember the first year after the iPhone shipped on AT&T, and
people (including myself) were getting detailed paper bills that included
every single HTTP object we requested [1]? My guess is that the CDR data is
much more granular than you think. This doesn't get exposed on customer bills
anymore, but I'd bet it's available within the system.

[1]
[https://en.wikipedia.org/wiki/300-page_iPhone_bill](https://en.wikipedia.org/wiki/300-page_iPhone_bill)

~~~
ronsor
Not anymore because of HTTPS

~~~
matthewdgreen
I think you're being overly optimistic. HTTPS still reveals domain names in
many cases, traffic type, probably down-to-the-minute details of app usage.
And this is leaving aside a bunch of (still potentially) unencrypted HTTP
nonsense like advertising traffic, which -- ugh -- may contain all sorts of
identifiers jammed into HTTP GET requests.

~~~
DaniloDias
He is not being overly optimistic.

The carriers are not executing well on the concepts you describe, despite the
feasibility of what you are proposing. HTTPS everywhere is breaking things for
the carriers. Tracking flows and reversing them for all customers is a
non-trivial state management and storage problem.

~~~
matthewdgreen
But it's a problem they're clearly working on. And as long as these compromise
threats are not perfectly dealt with, customers should very much be concerned.

~~~
DaniloDias
Google is by far the bigger threat.

------
maze-le
If the data hadn't been collected in the first place, it wouldn't be used
against us. Data austerity is the best form of data protection. In this case
the state mandates the data hoarding of telco providers, which makes it even
worse.

~~~
wil421
They are legally required to if they fall under FCC jurisdiction.

For entities that fall under the jurisdiction of the Federal Communications
Commission (the “FCC”), “[e]ach carrier that offers or bills toll telephone
service shall retain for a period of 18 months such records as are necessary
to provide . . . billing information . . ..” (47 C.F.R. § 42.6).

[https://morningconsult.com/2017/04/25/tech-groups-push-fcc-u...](https://morningconsult.com/2017/04/25/tech-groups-push-fcc-undo-phone-call-record-retention-regulation/)

~~~
PeterisP
The possibility to steal _years_ of call records doesn't arise because of a
legal requirement to retain such records for 18 months.

You can meet those legal requirements while (a) deleting all records after 18
months have passed and (b) storing all 'archive' records (e.g. between 30 days
and 18 months) on a separate system that's only used for these specific
requirements and has all access (which should be rare and narrowly specific,
unlike daily business) logged.
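
The tiering described in the comment above, as an added example that is not part of the original thread: records leave the day-to-day store after 30 days, sit in a separate archive whose every read is logged, and are deleted after 18 months. The record fields, the `ArchiveStore` class and the 548-day figure for 18 months are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

HOT_WINDOW = timedelta(days=30)   # "daily business" window named in the comment
RETENTION = timedelta(days=548)   # 18 months; the day count is an assumption

def tier(start, now):
    """Classify one record by age: 'hot', 'archive' or 'expired'."""
    age = now - start
    if age > RETENTION:
        return "expired"
    return "archive" if age > HOT_WINDOW else "hot"

class ArchiveStore:
    """Separate store for 30-day-to-18-month records; every read is logged."""
    def __init__(self):
        self.records, self.access_log = [], []

    def purge(self, now):
        """Delete records past retention; returns how many were removed."""
        kept = [r for r in self.records if tier(r["start"], now) != "expired"]
        removed = len(self.records) - len(kept)
        self.records = kept
        return removed

    def query(self, requester, reason, caller, now):
        """Narrow lookup by caller; refuses reads with no stated reason."""
        if not reason.strip():
            raise PermissionError("archive access requires a stated reason")
        hits = [r for r in self.records
                if r["caller"] == caller and tier(r["start"], now) == "archive"]
        self.access_log.append({"at": now, "who": requester, "why": reason,
                                "caller": caller, "rows": len(hits)})
        return hits

def rotate(hot, archive, now):
    """Move aged-out records from the hot list to the archive, then purge."""
    still_hot = [r for r in hot if tier(r["start"], now) == "hot"]
    archive.records += [r for r in hot if tier(r["start"], now) != "hot"]
    return still_hot, archive.purge(now)

def demo():
    now = datetime(2019, 6, 25, tzinfo=timezone.utc)
    # Constructed sample CDRs (not real data): ages of 5, 100 and 600 days.
    hot = [{"caller": "15550100", "callee": "15550199",
            "start": now - timedelta(days=d)} for d in (5, 100, 600)]
    archive = ArchiveStore()
    hot, purged = rotate(hot, archive, now)
    hits = archive.query("billing-dispute-1", "customer dispute", "15550100", now)
    return len(hot), purged, len(hits), len(archive.access_log)
```

`demo()` returns the counts of records left in the hot store, purged, returned by the archive query, and written to the access log.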

------
Jonnax
It's easy to say that "oh, phone calls have no security at all, what do you
expect?"

It's true that we can talk to friends and family with internet services.

But for businesses we use our phones. Personally I don't think I would be
affected if my call records were given to anyone or leaked.

But I can think of scenarios where it could be really damaging to someone.

Like imagine a celebrity was having cancer treatment they didn't want people
to know. Their call records get leaked to a tabloid who infer their calls to a
clinic mean that they have cancer and run an article.

I can imagine that would be a painful experience.

~~~
Iv
I remember reading an article about a developer who started replacing Android
on his phones because his office was located in the same building as a
psychiatrist and the Google hivemind had identified him as a patient.

The fact that this is legal is really troubling.

~~~
sokoloff
Wouldn’t it be more likely they’d infer he was a doctor? I wouldn’t expect
patients to go every day for 8 hours. (Not saying either is “ok”, but guessing
patient from those facts is particularly poor I think)

~~~
ebeip90
There are likely more patients than doctors, so the inference is statistically
correct.

~~~
sokoloff
That depends on what population selection data you choose to consider/admit.

As an example, suppose a cell phone appears at the local supermarket/grocery
store every weekday from 9 AM to 5 PM. If you conclude that phone is owned by
an extremely avid supermarket shopper rather than a store manager, you're
ignoring the persistence over time dimension.

If you claim that it's more likely a cashier rather than a store manager
(because there are more cashiers than managers), you're on much firmer ground
than if you claim it's more likely a shopper than a store manager just because
there are wildly more shoppers than managers.

------
ryeguy_24
Is this why we receive spammer phone calls that come from numbers that we have
a history of dialing? I assume this is still happening because I visited
Nashville for the first time this year and must have called a restaurant or
two for reservations there. Now, I get a ton of Nashville spammer calls among
the usual area codes that they always hit me with. Pretty curious.

~~~
onemoresoop
That's not my experience. I receive daily spammer calls from numbers similar
to mine, the last 4 digits are different. It never occurred to me to get a
spam call from a number I knew.

Did you receive spam from your contacts or recently dialed numbers? Maybe it's
something new..

------
ga-vu
Some IOCs would have been nice. At this point, all of this seems like a
fairytale from a cybersecurity firm looking for press coverage.

------
DigitalTerminal
Why are they even keeping years of call records? This strikes me as something
that should be deleted after the current billing cycle (plus a delay for
complaints, say 12 months). This kind of just-in-case or
I-don't-want-to-push-the-button retention of data should hopefully be given some disincentives by
GDPR but there is still a hell of a lot too much of it going on. Storage is
cheap doesn't mean keep everything forever, especially potentially sensitive
personal data.

~~~
jay_kyburz
In Australia we have mandatory metadata retention for 2 years.

------
ryeguy_24
I bet at least someone is using this data for trading as it is likely an
indicator of revenue/profit for quarterly earnings.

------
exabrial
Sidenote: SMS auth is not even remotely secure. Let's move on.

------
bawana
so that's why I'm getting a crapton of robocalls now?!

------
julienreszka
We all knew this was going to happen/is happening.

'I have nothing to hide from the government' yeah what about the mafia,
criminals and such that could/will access the data?

[https://techcrunch.com/2018/06/25/nsa-att-intercept-surveill...](https://techcrunch.com/2018/06/25/nsa-att-intercept-surveillance/)

~~~
ackbar03
I usually just preassume I have zero privacy online these days

~~~
01100011
I usually just assume zero privacy anywhere these days. Your face is scanned,
your image recorded, your license plate logged. Quite the world we have now.

------
lawnchair_larry
Something seems off about this story and the way it’s presented. And
techcrunch is an odd choice, unless everyone else passed on it.

~~~
adventured
> And techcrunch is an odd choice, unless everyone else passed on it.

What do you mean passed on it? It's being covered broadly. TechCrunch is only
one publisher carrying the story.

[https://www.wsj.com/articles/global-telecom-carriers-attacke...](https://www.wsj.com/articles/global-telecom-carriers-attacked-by-suspected-chinese-hackers-11561428003)

[https://www.cnbc.com/2019/06/25/hackers-hit-telecommunicatio...](https://www.cnbc.com/2019/06/25/hackers-hit-telecommunications-firms-cybereason.html)

[https://www.wired.com/story/chinese-hackers-carrier-metadata...](https://www.wired.com/story/chinese-hackers-carrier-metadata/)

