u/ruddy-at-cape

RCS issue for GrapheneOS

FYI, we are aware of an issue with RCS messaging currently not working on GrapheneOS. This is due to a recent change made by Google. GrapheneOS has already prepared a fix, but it has not been released and will be a part of their next OS update, which we typically see about once a week.

reddit.com
u/ruddy-at-cape — 13 days ago

Verizon vulnerability finding

This month Carnegie Mellon’s CERT/CC published a vulnerability disclosure: Verizon’s VoLTE calls lack required integrity protection and encryption, which leaves users vulnerable to call hijacking, caller ID spoofing, denial of service, and manipulation of emergency calls. See the full disclosure here: https://kb.cert.org/vuls/id/615987

When you make a call over LTE, there’s supposed to be a protected tunnel for any call signaling (aka SIP signaling), which is the behind-the-scenes negotiation between your phone and the Verizon network that registers, sets up your call, routes your voice (or messaging), and tears down the call. The encrypted tunnel is called IPsec, and it’s explicitly required by the telecom standards body 3GPP and GSMA's network interoperability guidelines. 

Researchers found that all SIP signaling was going across the network in the clear. This was tested across multiple devices, operating systems, and various network conditions. 

Verizon said the IPSec protection is optional:

>After reviewing the issue you raised, it appears the GSMA and 3GPP provisions you referenced are not mandatory, allowing carriers the flexibility to adopt the protocols at their discretion.

Researchers pushed back:

>Verizon initially acknowledged the issue and stated that integrity support would be available upon request and extended broadly later in the year. However, the company has since ceased participation in coordination, including follow-up discussions and draft review, and has not provided verifiable evidence of mitigation.

Verizon MVNOs would inherit the same vulnerability.

reddit.com
u/ruddy-at-cape — 14 days ago

Network status update

We've had some customers experiencing failed calls, and have traced it to two issues: (1) a change that was introduced last week during regular network upgrades, and (2) an issue with our second domestic roaming partner. For (1), we rolled back changes and for (2) we've turned off that partner for the time being, so everyone should be defaulting to our primary domestic roaming partner.

Calls should be working, but if not, restart your device. You can always check our network status here.

cape-status.trust.pagerduty.com
u/ruddy-at-cape — 24 days ago
▲ 138 r/CapeCellular+1 crossposts

FCC KYC rule

This 404 Media article gathers views from the EFF, ACLU, Center for Democracy and Technology, and Cape on the FCC's proposed requirement to require gov't ID and more for every phone line in the United States. Our stance:

>We hate robocalls and support eliminating them, but entrusting telecom carriers to effectively create a nationwide ID registry for every American with a phone is not the solution. Mobile carriers have been breached time and again because the incentives to secure trillions of dollars of legacy architecture aren’t there. Further enriching compromised telecom datasets with government ID, physical addresses, and alternate phone numbers harms our security rather than improving it.

u/ruddy-at-cape — 15 days ago

Cape news--Surveillance Watch, Kagi, FCC KYC rule, paging attacks

This week we announced our support for Surveillance Watch, a cool project that maps out global surveillance actors, and our partnership with the private search engine Kagi (which uses the Surveillance Watch API to label known surveillance and spyware entities). Cape subscribers can now get 3 months of Kagi Pro for free (check in your app).

We recently also raised privacy concerns to the FCC re:a new proposed rule that requires collection and retention of gov't ID, name, physical address, and alternate phone number for every single phone user in the US. You can see our public filings here and here.

Finally, check out our recent blog post on paging attacks. Your phone wakes up at predictable timeslots deterministically computed from your IMSI, so paging attacks leverage this invisible behavior to reveal location and identity. It's another type of attack that's addressed by IMSI rotation.

u/ruddy-at-cape — 1 month ago

I work at Cape and wanted to highlight Citizen Lab's new report (a great read, regardless of where you get your cell service) and explain our approach to this specific threat vector. 

These surveillance vendors can track location in real time and intercept text messages and calls, without ever hacking a phone, employing spyware, or phishing for credentials. In the report's words:

>These vulnerabilities are not the result of software bugs or network misconfigurations; rather, they are inherent to global telecommunications design and business practices… Unlike conventional cyber campaigns, telecom-level surveillance is almost entirely invisible to the broader security community.

Here’s a few ways Cape works to mitigate signaling attacks:

  • IMSI rotation: According to the report, “each campaign targeted specific subscriber phone identifiers (IMSIs).” This echoes prior academic research showing that signaling attacks virtually always start with an IMSI, and that typically years go by between the “harvesting” of the IMSI and the attack. So daily rotation of your IMSI would nullify that attack pattern. 
  • No SS7. To reduce attack surface, Cape does not support SS7. This prevents “combined attach” or “cross-protocol” attacks, whereby the attacker switches between SS7 (used for 3G) and Diameter protocols (used for 4G/5G) to outwit standard telecom firewalls.
  • Network location check. One surveillance vendor rapidly cycled their attacks from operators in Cambodia, Mozambique, Sweden, Italy, Liechtenstein, and Uganda in order to avoid detection. Cape crosschecks the location of the requesting network against the location reported by the Cape app on your phone, and if there’s a mismatch, the network attach is denied.
u/ruddy-at-cape — 2 months ago