There is truth that CDR data is valuable. The problem with this article is the hyperbole the researchers use to describe the data.
1. Researcher says CDR contains all the raw data you send. False. It contains call detail records. Not your internet traffic. Not your Facebook calls. Not your iCloud or WhatsApp messages.
2. The researchers here fail to share who was targeted and share almost no verifiable data to confirm what they found. Anyone could claim to have found a hack like they claim and get credit without providing any details to draw a big headline.
Does anyone remember the first year after the iPhone shipped on AT&T, and people (including myself) were getting detailed paper bills that included every single HTTP object we requested [1]? My guess is that the CDR data is much more granular than you think. This doesn't get exposed on customer bills anymore, but I'd bet it's available within the system.
I think you're being overly optimistic. HTTPS still reveals domain names in many cases, traffic type, probably down-to-the-minute details of app usage. And this is leaving aside a bunch of (still potentially) unencrypted HTTP nonsense like advertising traffic, which -- ugh -- may contain all sorts of identifiers jammed into HTTP GET requests.
The carriers are not executing well on the concepts you describe, despite the feasibility of what you are proposing. HTTPS everywhere is breaking things for the carriers. Tracking flows and reversing them for all customers is a non-trivial state management and storage problem.
But it's a problem they're clearly working on. And as long as these compromise threats are not perfectly dealt with, customers should very much be concerned.
Most TLS (TLS up to 1.2) will tell anybody who is watching that you visited foo.example.com, including the SNI foo.example.com your browser sent to tell the server which name it was looking for, and the certificate the server provided to prove it is really foo.example.com. But it will encrypt bar and baz, and quux isn't sent over the wire; it's just used internally by the browser and any JavaScript.
That's the difference between "dotancohen looked at webMD" and "dotancohen looked at this article about sexually transmitted infections in men who have sex with men".
In TLS 1.3 the certificate is encrypted; a snooper can still see you asked for foo.example.com but not whether this server in fact presented a certificate for that name.
eSNI (currently under active development as an addition to TLS 1.3) encrypts that part where your browser asks for foo.example.com. Since your browser also did a DNS lookup for foo.example.com, we need to encrypt that too for it to make any real difference, which is being done under DPRIVE.
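To make the "foo.example.com is visible, bar/baz/quux are not" point concrete, here is an added example (not from any commenter in this thread) that builds a minimal TLS 1.2-style ClientHello with an SNI extension and then parses it the way a passive network sensor would. The cipher suite, client random and the URL are constructed placeholder values; the parser handles only the ClientHello fields needed to reach the server_name extension.

```python
"""Added example: what a passive observer can read from a TLS ClientHello.

Constructs a ClientHello carrying an SNI extension (RFC 6066) and parses it
back, then splits a URL into the cleartext, encrypted and never-sent parts.
All test data below is constructed for illustration.
"""
import struct
from urllib.parse import urlsplit


def _u16(n: int) -> bytes:
    return struct.pack("!H", n)


def _u24(n: int) -> bytes:
    return struct.pack("!I", n)[1:]


def build_client_hello(hostname: str, client_random: bytes = b"\x11" * 32) -> bytes:
    """Build a TLS record holding a ClientHello whose only extension is SNI.

    The cipher suite (0xC02F) and the fixed client random are placeholders."""
    name = hostname.encode("idna")
    # ServerNameList: one entry of name_type 0 (host_name) followed by the name
    sni_entry = b"\x00" + _u16(len(name)) + name
    sni_ext = _u16(0x0000) + _u16(len(sni_entry) + 2) + _u16(len(sni_entry)) + sni_entry
    extensions = _u16(len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                 # client_version: TLS 1.2
        + client_random             # 32-byte random (placeholder)
        + b"\x00"                   # session_id length 0
        + _u16(2) + b"\xc0\x2f"     # one cipher suite (placeholder choice)
        + b"\x01\x00"               # compression methods: null only
        + extensions
    )
    handshake = b"\x01" + _u24(len(body)) + body          # HandshakeType client_hello
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake  # record layer header


def extract_sni(record: bytes):
    """Return the SNI host name from a ClientHello record, or None if absent.

    Anything that is not a handshake record carrying a ClientHello yields None."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # skip version and random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len
    cm_len = body[pos]
    pos += 1 + cm_len
    if pos + 2 > len(body):
        return None                                # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == 0x0000:                        # server_name extension
            lst_len = struct.unpack("!H", edata[:2])[0]
            p = 2
            while p + 3 <= 2 + lst_len:
                ntype = edata[p]
                nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
                if ntype == 0:
                    return edata[p + 3:p + 3 + nlen].decode("idna")
                p += 3 + nlen
    return None


def observer_view(url: str) -> dict:
    """Split a URL into what a snooper sees (SNI), what is encrypted in
    transit (path and query) and what never leaves the browser (fragment)."""
    u = urlsplit(url)
    record = build_client_hello(u.hostname)
    return {
        "visible_to_snooper": extract_sni(record),
        "encrypted_in_transit": (u.path or "/") + (("?" + u.query) if u.query else ""),
        "never_leaves_browser": u.fragment or None,
    }


if __name__ == "__main__":
    print(observer_view("https://foo.example.com/bar?baz#quux"))
```

Run with a URL of the form https://foo.example.com/bar?baz#quux: the SNI parser recovers "foo.example.com" from the cleartext handshake, while "/bar?baz" only exists inside the encrypted application data and "quux" is never transmitted at all. The same `extract_sni` logic is what a monitoring sensor or carrier DPI box would use, which is why eSNI matters.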
Note that the term "CDR" is used for many types of records collected in the telco network, not just for "call"(voice).
Collected in a mobile network, there's usually a record for each event of a mobile phone: authenticating to the network, attaching to the network, doing a location update, sending/receiving an SMS, switching routing/tracking area, handover between cells and so on.
CDR records are kept in every telco switch in every geo. It's required for it to work and to do billing. But the article is quite misleading in the data they contain. https://en.wikipedia.org/wiki/Call_detail_record
Which telcos don't, except for billing purposes. Yes, they have a legal obligation to collect and store that data for law enforcement, but they are still bound by the GDPR for everything else.
And why would these not be valid things for telcos to store? Though these are of course "mobile" telcos, not known for being as robust as proper old school ex-PTT ones.
I wonder if EE got hit; I could see some interesting interviews with BT security happening :-)
So much for half-sentences. Were you stating that telcos do have the legal authority to process, or were you implying telcos do the processing anyway, regardless of legal authority?
> Which telcos don't, except for billing purposes. Yes, they have a legal obligation to collect and store that data for law enforcement, but they are still bound by the GDPR for everything else.
They're bound by the GDPR no matter what... it's just that having a legal obligation to process data is a legal basis for processing (it'd be silly for it not to be).
If you're interested in why they process data, just ask them. They have to tell you what legal basis they use to process your data.
While this could be true, we do have to suspect that these security articles, unless very well detailed like what Cloudflare publishes or many of the other great security services publish, could very well be fake news. Essentially this article gets 75% of its technical details wrong or embellishes on their details. We are then told, we can't disclose anything related to the hack beyond the fact that we saw a [insert] _____very well known type of hack performed___ on ___very large group of people___ and ____we've been investigating for awhile_____ and we know this because we saw the hackers get a password from ____one computer then hop to the next computer - then get the domain server!! jackpot______
Well, it's pretty much common practice in the business. In my own experience as an independent security researcher/bug hunter I've been in a few situations where I've been under NDAs for finding critical RCE vulnerabilities. Basically I got paid for finding them and to keep my mouth shut and I'm sure Cybereason in this case is in the same kind of situation but the scale is much bigger.
Cybereason doesn't need the marketing. Everyone in infosec knows who they are and if they say they found this I'd say it's legit.
If one is getting paid to find bugs for a company, they aren’t writing articles like this about that company. Also, I’ve been in infosec almost 20 years and have never heard of this company. Also, there is no such thing as a company that doesn’t need marketing.
If the data hadn't been collected in the first place, it wouldn't be used against us. Data austerity is the best form of data protection. In this case the state mandates the data hoarding of telco providers, which makes it even worse.
They are legally required to if they fall under FCC jurisdiction.
For entities that fall under the jurisdiction of the Federal Communications Commission (the “FCC”), “[e]ach carrier that offers or bills toll telephone service shall retain for a period of 18 months such records as are necessary to provide . . . billing information . . ..” (47 C.F.R. § 42.6).
The possibility to steal years of call records doesn't arise because of a legal requirement to retain such records for 18 months.
You can meet those legal requirements while (a) deleting all records after 18 months have passed and (b) storing all 'archive' records (e.g. between 30 days and 18 months) on a separate system that's only used for these specific requirements and has all access (which should be rare and narrowly specific, unlike daily business) logged.
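As an added illustration of the retention split this commenter describes (not code from the thread or from any carrier), here is a toy model in Python: records inside the current billing window stay live, records between 30 days and 18 months move to a separate archive where every read must state a purpose and is logged, and records older than 18 months are purged. The 30-day live window, the allowed purposes, the record fields and the sample records are all constructed assumptions; the 18-month figure is the one quoted above.

```python
"""Added example: tiered CDR retention with an access-logged archive.

Tier boundaries and record layout are assumptions for illustration; the
sample records are constructed.
"""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta

LIVE_DAYS = 30            # assumed billing/complaint window kept on the live system
RETENTION_MONTHS = 18     # statutory retention figure quoted in the thread


def months_ago(d: date, n: int) -> date:
    """Calendar-month subtraction with day clamping (e.g. Mar 31 -> Feb 28)."""
    y, m = divmod((d.year * 12 + d.month - 1) - n, 12)
    m += 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


@dataclass(frozen=True)
class CallRecord:
    record_id: str
    caller: str
    callee: str
    started: date
    seconds: int


def tier_for(rec: CallRecord, today: date,
             live_days: int = LIVE_DAYS, retention_months: int = RETENTION_MONTHS) -> str:
    """Classify a record as 'live', 'archive' or 'delete' relative to today."""
    if rec.started < months_ago(today, retention_months):
        return "delete"
    if rec.started >= today - timedelta(days=live_days):
        return "live"
    return "archive"


def partition(records, today: date) -> dict:
    """Split records into the three tiers; the caller routes each tier."""
    out = {"live": [], "archive": [], "delete": []}
    for r in records:
        out[tier_for(r, today)].append(r)
    return out


class AuditedArchive:
    """Archive store where reads are rare, purpose-bound and always logged."""

    ALLOWED_PURPOSES = {"billing_dispute", "lawful_request"}   # assumed policy

    def __init__(self):
        self._store = {}
        self.audit_log = []

    def ingest(self, records) -> int:
        for r in records:
            self._store[r.record_id] = r
        return len(records)

    def lookup(self, record_id: str, requester: str, purpose: str, case_ref: str):
        """Every access, granted or denied, leaves an audit entry."""
        granted = purpose in self.ALLOWED_PURPOSES
        self.audit_log.append({"who": requester, "purpose": purpose,
                               "case": case_ref, "record": record_id,
                               "granted": granted})
        if not granted:
            raise PermissionError(f"purpose {purpose!r} not permitted for archive access")
        return self._store.get(record_id)

    def purge(self, today: date, retention_months: int = RETENTION_MONTHS) -> int:
        """Delete records past the retention limit; returns how many were removed."""
        cutoff = months_ago(today, retention_months)
        expired = [k for k, r in self._store.items() if r.started < cutoff]
        for k in expired:
            del self._store[k]
        self.audit_log.append({"event": "purge", "cutoff": cutoff.isoformat(),
                               "removed": len(expired)})
        return len(expired)


# Constructed sample data: one record per tier plus one exactly on the cutoff.
SAMPLE_RECORDS = [
    CallRecord("r1", "+15550001", "+15550002", date(2019, 6, 20), 120),
    CallRecord("r2", "+15550001", "+15550003", date(2019, 1, 10), 45),
    CallRecord("r3", "+15550004", "+15550001", date(2017, 11, 1), 300),
    CallRecord("r4", "+15550005", "+15550001", date(2017, 12, 25), 10),
]


if __name__ == "__main__":
    today = date(2019, 6, 25)
    parts = partition(SAMPLE_RECORDS, today)
    archive = AuditedArchive()
    archive.ingest(parts["archive"])
    print({k: [r.record_id for r in v] for k, v in parts.items()})
    print(archive.lookup("r2", "analyst-1", "billing_dispute", "CASE-0001"))
    print(archive.audit_log)
```

The point of the split is that a compromise of the live billing system exposes at most 30 days of history, and any read of the archive (including the purge itself) shows up in a log that can be reviewed for access that does not match a dispute or a lawful request.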
Any opinions on whether this practice continues to serve the general good of the society? The comment above about austerity has a ring of truthiness to it that is very difficult to ignore.
It's easy to say that "oh, phone calls have no security at all, what do you expect?"
It's true that we can talk to friends and family with internet services.
But for businesses we use our phones. Personally I don't think I would be affected if my call records were given to anyone or leaked.
But I can think of scenarios where it could be really damaging to someone.
Like imagine a celebrity was having cancer treatment they didn't want people to know. Their call records get leaked to a tabloid who infer their calls to a clinic mean that they have cancer and run an article.
"Personally I don't think I would affected if my call records were given to anyone or leaked."
You may be personally affected by your elected representatives or people in positions of power in industry being blackmailed into making certain decisions.
So you may not be directly "personally affected", but you can certainly be indirectly "personally affected".
I remember reading an article about a developer who started replacing Android on his phones because his office was located in the same building as a psychiatrist and the Google hivemind had identified him as a patient.
I can believe it, Google pestered me to review a bubble tea place I drive by every day. I've never stopped there and never will but I continued to get the popup until I finally gave the place a 1-star rating just to shut Google up. Not really fair to the business but I was sick of seeing that notification.
Wouldn’t it be more likely they’d infer he was a doctor? I wouldn’t expect patients to go every day for 8 hours. (Not saying either is “ok”, but guessing patient from those facts is particularly poor I think)
That depends on what population selection data you choose to consider/admit.
As an example, suppose a cell phone appears at the local supermarket/grocery store every weekday from 9 AM to 5 PM. If you conclude that phone is owned by an extremely avid supermarket shopper rather than a store manager, you're ignoring the persistence over time dimension.
If you claim that it's more likely a cashier rather than a store manager (because there are more cashiers than managers), you're on much firmer ground than if you claim it's more likely a shopper than a store manager just because there are wildly more shoppers than managers.
It should also absolutely know that there is a dev company in the building too - and it could tell that they were there based upon the same evidence as the psychiatrists office.
Is this why we receive spammer phone calls that come from numbers that we have a history of dialing? I assume this is still happening because I visited Nashville for the first time this year and must have called a restaurant or two for reservations there. Now, I get a ton of Nashville spammer calls among the usual area codes that they always hit me with. Pretty curious.
That's not my experience. I receive daily spammer calls from numbers similar to mine; the last 4 digits are different. It never occurred to me to get a spam call from a number I knew.
Did you receive spam from your contacts or recently dialed numbers? Maybe it's something new.
Why are they even keeping years of call records? This strikes me as something that should be deleted after the current billing cycle (plus a delay for complaints, say 12 months). This kind of just-in-case or I-don't-want-to-push-the-button retention of data should hopefully be given some disincentives by GDPR, but there is still far too much of it going on. "Storage is cheap" doesn't mean keep everything forever, especially potentially sensitive personal data.
I usually just assume zero privacy anywhere these days. Your face is scanned, your image recorded, your license plate logged. Quite the world we have now.
Your sense of being 'online' might be off when you are calling someone on your cell phone through the provider; this is very sensitive information for many reasons. It allows the attackers to do network analysis and to figure out stuff that even LE hasn't caught on to yet. This is problematic because people doing bad stuff that have third parties aware of this are vulnerable to blackmail; think local politician that is on the take on some public works project.
Seems like marketing not research.