Podcast Feb 03, 2025

Root Causes 463: Cellular Networks Are Insecure

In this episode we explain that all cellular networks, contrary to popular belief, are fundamentally insecure.

  • Original Broadcast Date: February 3, 2025

Episode Transcript

Lightly edited for flow and brevity.

  • Tim Callan

    Jason, we are here in Toronto doing Toronto Sessions 2.0. We're having a great session. And in prep for this, one of the topics you put on your list yesterday really got my attention, which was essentially - let's see if I'll do this justice - all cellular networks are fundamentally insecure.

  • Jason Soroko

    Let's talk a lot more about that, and some of the implications. There are a few stories blended into this.

    So you and I sometimes have episodes that are kind of pivotal, where we make big declarations. Deepfakes: you can't trust anything you see. That has implications for biometric authentication. Sometimes some of these pronouncements make big waves. And Tim, I think you're probably not much different from me in that you didn't trust Wi-Fi access points for hotels, coffee shops, airports, and we live in those things.

  • Tim Callan

    At no time in the last 20 years.

  • Jason Soroko

    You and I live in those places constantly throughout the year. In the back of our minds, maybe the front of our minds, we thought of our cellular data networks as being kind of a different class of network. I'm declaring right here with you, Tim, that you now need to add your cellular data network - your 5G or 4G, your LTE, whatever you're connected to - you need to think about it the same as being in a coffee shop or hotel or an airport.

  • Tim Callan

    So let me paraphrase this and make sure I'm getting you right. You're saying when I sit on my phone and I do data - -

  • Jason Soroko

    You're not on Wi-Fi. You're on the cellular data network.

  • Tim Callan

    I'm not on Wi-Fi. I'm using the cellular network. I have to be every bit as cautious as I do when I'm connecting to an uncontrolled Wi-Fi point.

  • Jason Soroko

    Yes, because when you're in a coffee shop, you have to make the assumption everything's being recorded.

  • Tim Callan

    It's all in the DMZ. It's all moving through utterly malicious territory.

  • Jason Soroko

    The way to really put language around it that's easy to understand is anything that's not encrypted, anything that's in the clear is 100% available to the adversary. Same now with cellular data networks. That's very important.

  • Tim Callan

    I think a lot of people unthinkingly assume that if it's inside of, for want of a better word, I'll say, this tunnel inside the cellular network, that they are maybe not immune, but at least considerably shielded from the threats that we get on the open internet.

  • Jason Soroko

    It's a different class of network, isn't it? Well, Salt Typhoon - I will let you all do the research on that. I'm not going to talk about nation-state attribution, but what I will say is this: you must assume every carrier - the people you get your ISP from at home, for your network, the people that you pay money to for your cellular network - they are hosed. They've been popped. All their boxes have implants that are being lit. You have to now assume that.

  • Tim Callan

    So we have to assume, you're saying, that very sophisticated, advanced persistent threats are entirely inside of all of these networks.

  • Jason Soroko

    It is now time to make that assumption. So Tim, you, probably not unlike me at all, you turn on your VPN, for example, when you're at the coffee shop. You connect to your Wi-Fi, you open up your VPN, and you proceed in your merry way, knowing that the VPN is protecting you across that network. Now, obviously there's a point, a demarcation point where the VPN is, where you have to trust that too, and maybe you should. Maybe you shouldn't. Different conversation.

  • Tim Callan

    Or at least you are radically mitigating your risk.

  • Jason Soroko

    At least you are encrypting across that absolutely untrustable Wi-Fi access point. You're depending on them for Wi-Fi. You do not want to depend on them for anything trustable. Guess what? Same thing now on your cellular data network.

  • Tim Callan

    So I should be VPNing on my phone?

  • Jason Soroko

    My phone right now is on a cellular data network, and I have VPN running right now.

  • Tim Callan

    That was gonna be my next question. I was gonna say, so what do I do about this?

  • Jason Soroko

    What you do about it is this.

    Number one, I need you to think very hard about your messaging systems. Because there's a mix of messaging systems in the world. SMS - that was always hosed. That was always in the clear. But back in the day, you could kind of consider a cellular data network better than a Wi-Fi access point out at a coffee shop. Nobody thought about it too, too much. If you went to Black Hat and you went to DEF CON, and you got to see the big boards where people's SMS messages in the room were being captured by a femtocell, it was fun to text your friend and see it on the screen. It was just proof that everything was in the clear. Well, SMS is quickly becoming deprecated, for not just authentication. I remember the Wild West days when there were actually security architects who should have known better, but were using SMS as a second form of authentication. Basically, 2FA.

  • Tim Callan

    They still are.

  • Jason Soroko

    Deprecated by NIST. That's another story. What I'm saying to people is this - if you're using Apple iMessage to another Apple iMessage person, that's end-to-end encrypted. If you are using Google RCS, from one Google user to the next - -

  • Tim Callan

    One Android to another. That's end-to-end encrypted. Sure.

  • Jason Soroko

    Here's the big problem. I'm not going to accuse Google of anything, because I'll let other people do that. Google had a really good intention, which is, hey, let's get RCS across everyone, because there was kind of a joke amongst people, and a lot of you might have heard about it, which is if you're an Apple iPhone user, your SMS friends showed up as a green bubble. It was kind of like less functionality. I can't do anything with that person, and the one person in the group chat who had the green bubble was the problem child. That's that. Well, if you're going Google RCS to iPhone RCS, you are not end-to-end encrypted. I'll tell you exactly why. I'll tell you exactly what it is. It's because RCS is carrier-based. Therefore, Google doesn't own the ecosystem. Apple doesn't own the ecosystem. The carriers do. The carriers did not set up E2EE between those two people on disparate mobile operating systems.

  • Tim Callan

    So if I go across carriers, but I'm still Android to Android, I am end-to-end encrypted. But as soon as I jump OSes, that's when I lose it?

  • Jason Soroko

    Because you are now crossing a telco demarcation point. So Rich Communication Services, RCS, is really only end-to-end encrypted if you're only talking to Google customers.

  • Tim Callan

    That's problematic because, for very few of the people that I communicate with on the phone do I know what mobile operating system they have. I know for some of my close friends and family, and other than that, I don't know.

  • Jason Soroko

    In fact, I even happen to know some of the people personally who were responsible for getting the carriers to have everything really well integrated, so you didn't have to care with SMS back in the day. But now we're dealing with, oh God, we have to care again. Nobody knows about these things.

  • Tim Callan

    Nobody knows this.

  • Jason Soroko

    So let's back up. Jay, you're scaremongering. I can't believe the carriers would do this to us. Maybe you believe the FBI.

  • Tim Callan

    Let me rephrase this and then you respond. Jay, aren't you talking about a very esoteric corner case? Do we really need to be concerned about this? Go ahead.

  • Jason Soroko

    Not just the FBI - the FBI along with the Five Eyes. In other words, the five Western nations who collaborate on intelligence wrote an extremely detailed - - Jason Soroko gets into the weeds a lot. I am guilty. Trust me, the FBI got into extreme weeds for very good reason, because what I'm talking about is incredibly real, and for the first time I think I've ever seen in my career, Tim, the FBI called for us to go to end-to-end encrypted communication platforms and avoid RCS.

  • Tim Callan

    So this - I mean, let us not understate the significance of this. The fact that the FBI, instead of licking their lips and saying, oh, goody - -

  • Jason Soroko

    Everything's in the clear now.

  • Tim Callan

    Lots of intel. I'm going to go collect it all and stay as quiet about this as I conceivably can - decided that the threat to the United States and its citizens and its allies was sufficiently large that they were prepared to forego that opportunity for the sake of preventing foreign attackers from doing the same thing. That's a big statement, because these guys love their secret intel.

  • Jason Soroko

    I remember once hearing an FBI officer speak at a conference. I guess he was allowed to say certain things. He said, hey, one of our operational procedures is, once a bad guy has rented a car, we always double-check to see whether or not that person has paired their Bluetooth and made the mistake of allowing their contacts to be loaded into the car. We just go into the car with a stick and download all that person's contacts. We just get all the contacts, and the FBI is like, you make it so easy for us. Of course, imagine if the FBI had never said anything about it. If the Five Eyes had just been quiet, they would have had unlimited ability to have in-the-clear data for so many people who are just simply doing Android to Apple communication.

  • Tim Callan

    So this is where I was going with this. This shows you how bad it must be.

  • Jason Soroko

    Yes. It is that bad. So for those of you who are on iMessage, and you heard Tim Cook's explanation about privacy, and he gave these great messages about, if you're on an Apple system, you're secure. You're an Android user, and you listen to Google: we are absolutely behind end-to-end encryption, and we're going to push RCS across into Apple. You heard all these things, and you're like, thank God, I don't gotta think about this anymore, because I don't have to listen to that guy, Jason Soroko; he doesn't scare me. I'm not here to scare you. I'm here to tell you, treat your daily cellular data network like a coffee shop.

  • Tim Callan

    So the VPN thing I got. The other thing is there are end-to-end encrypted communication platforms that are multiplatform.

  • Jason Soroko

    There are.

  • Tim Callan

    Telegram.

  • Jason Soroko

    This is precisely what the FBI was telling people to do. Which was, go to WhatsApp, which is essentially using Signal, is my understanding. The Signal app itself is available, and they were saying, go use that. Is this the death of RCS? That is the question.

  • Tim Callan

    Interesting. I mean, one wonders if that bridge problem can be fixed.

  • Jason Soroko

    No less smart people than the people at Google are probably thinking about it. I'm sure there's some heartburn over there, but if anybody could figure it out, it would be them. Stay tuned.