For the final panel of DLD15, Peter Hirshberg is joined by Tobias Engel (CCC) and Dan Kaufmann (DARPA).
Tobias gives us a rundown of the dramatic global cellular network vulnerabilities he recently revealed. You can intercept calls and track people through the SS7 network. The only thing you need is their telephone number.
SS7 has been designed in the 70s. When it was created, there were only a few telecom operators who trusted each other. So they didn't implement any security methods.
Today thousands of companies have access to SS7. Getting access is easier than ever, but the security level hasn't changed. The network needs to know your next base station to deliver calls and texts. So anyone who gets access to the SS7 network can track where you are.
They asked some network operators about it. They were surprised, but started monitoring activities on the network and actually saw a lot of tracking of people. One network operator from South Europe detected a lot of tracking of politicians specifically.
It's also possible to intercept calls by rerouting them: You redirect them to your own number and reroute them again to the original number, In the middle you record the call. This is actually happening: A Ukrainian operator said, he found calls that were intercepted by a Russian network. Billing fraud and implementing a denial of service are also very easily done.
What can users do to protect themselves? Unfortunately not a lot because it is a network vulnerability. For now, you can only switch off your phone if you are going to a 'secret' meeting. And don't give everybody your phone number.
Dan talks about DARPA and gives some examples of what they are doing. DARPA is small and tall at the same time. There are 100 people on the technical side and people are only commissioned for a period of 4 years. On the other hand, they are tall because of their budget of 3 billion dollars a year. One half is dedicated to Cyber Security and the other one to Big Data.
Cyber Security is completely broken, Dan says. You can't just put patches on everything. At DARPA, they don't believe in silver bullets. So they try different approaches:
Why can't we make a computer that is secure in the first place?
Why do the hackers always win? As users we live in a monoculture, be it in the Apple, Windows or Linux system. An attacker has to just find a vulnerability in one Windows computer and then he is able to attack every Windows PC. What if every single computer would be slightly different? Like immune systems.
They bring in a computer to compete at Defcons Capture the Flight contest where hackers have to keep there own computer up and running while finding vulnerabilities in the systems of the other contestants.
The panelists then go on to talk about the potentials of encryption as a method of protection and the demand for new policies.