In an era when the mobile phone has become an indispensable tool of daily life, security threats have been growing quietly. With nothing more than a simple toy whistle, hackers could once bypass the telephone network and place free calls anywhere they liked? And that was only the tip of the iceberg.
Today an outdated telephone signalling system, still in use around the world, leaves our privacy and security exposed to enormous risk. This article lays out the vulnerabilities and hidden dangers behind that system and calls on regulators to take steps to protect our communications. If you care about your privacy and security, this article is not to be missed.
Bilingual close reading:
Security alert
Hacking phones is too easy. Time to make it harder
Regulators have avoided the problem for too long
IN THE MID-1960S enterprising hackers realised that if they blew a particular toy whistle down the phone, they could trick the network into routing their call anywhere, free. When phone networks got wind of this, they changed how the system worked by splitting the channel carrying the voice signal from the one managing the call. One result was the Signalling System 7, which became a global standard in 1980. SS7 stopped “phone phreaks”, as they were known. But the system, built when there were only a handful of state-controlled telecoms companies, has become woefully inadequate for the mobile age, leaving dangerous vulnerabilities at the heart of international phone networks. It is time to fix them.
For more than 15 years experts have known that SS7 (or, occasionally, a later system called Diameter) could be abused to locate a phone user, intercept their text or voice data, or send texts or spyware to a device. Russia has exploited SS7 to track dissidents abroad. In 2018 the United Arab Emirates is thought to have used it to find and then abduct a fugitive princess. Earlier this year an American cyber-security official told the Federal Communications Commission (FCC), a regulator, that similar attacks had taken place in America.
Much like the internet, SS7 was built on the basis of trust, not security. That was reasonable when the protocol was introduced and only a few telecoms companies could access it. Today, many thousands of such firms can do so, the vast majority of them private. The complexity of the networks has also increased. Handsets roam from the jurisdiction of one provider to another, requiring a handover. Text messages are routinely used for vital transactions: think of the SMS authentication codes in global banking. And providers in one country can use SS7 to connect to others—the Emirati attack in 2018 appears to have involved the Channel Islands, lightly regulated British territories, as well as America, Cameroon, Israel and Laos.
Short of using burner phones and donning a tinfoil hat, ordinary people cannot completely escape the dangers of SS7. One sensible step would be to routinely use end-to-end encrypted messaging apps like iMessage, Signal or WhatsApp for texts and calls. Companies could ensure that codes for two-factor authentication come via an app, rather than SMS text messages, which can be easily intercepted. However, because phones still have to connect to mobile-network towers, these precautions cannot conceal where a caller is.
In March the FCC announced that it was at last exploring “countermeasures” to location-tracking via SS7 and Diameter. Most big American mobile operators have retired SS7. But much of the world still uses it. And Diameter is still vulnerable. These systems can be secured by using filters that detect and block suspicious traffic. Many telecoms firms have resisted this, however. One reason is that filtering is technically complicated and can easily go wrong if important commands are blocked. Another is that firms have balked at the expense. Few want to make it harder or costlier for data to flow from their network into others.
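The paragraph above says these systems "can be secured by using filters that detect and block suspicious traffic", and that filtering "can easily go wrong if important commands are blocked". The example below, added here and not from the article or any operator's code, sketches what such an interconnect-edge filter decides for a handful of inbound MAP operations. The policy is a deliberately simplified assumption: unknown origins are dropped, two operations that reveal identity or location are never accepted from outside, a location query is accepted only from the home network of an inbound roamer, and a roaming registration for the network's own subscriber is let through, because dropping it is exactly the over-blocking failure the article warns about. The network codes, IMSIs and sample traffic are all constructed.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

HOME_PLMN = "262-01"  # constructed MCC-MNC of the network this filter protects

# Constructed roaming-agreement allowlist; any other origin on the interconnect is unknown.
ROAMING_PARTNERS = {"234-15", "340-01", "624-02"}

# Constructed subscriber table: IMSI -> (home network, network currently serving it).
SUBSCRIBERS: Dict[str, Tuple[str, str]] = {
    "262010000000001": ("262-01", "234-15"),   # our subscriber, roaming in 234-15
    "262010000000002": ("262-01", "262-01"),   # our subscriber, at home
    "340010000000007": ("340-01", "262-01"),   # inbound roamer from 340-01
}

# Assumed policy, not a transcription of any standard: operations that disclose a
# subscriber's identity or location and have no business arriving from another network.
NEVER_FROM_INTERCONNECT = {"anyTimeInterrogation", "sendIMSI"}


@dataclass
class MapMessage:
    opcode: str
    origin_plmn: str
    imsi: str


def classify(msg: MapMessage) -> Tuple[str, str]:
    """Return ("allow" | "block", reason) for one inbound message at the interconnect edge."""
    if msg.origin_plmn not in ROAMING_PARTNERS:
        return "block", "origin has no roaming agreement with us"
    if msg.opcode in NEVER_FROM_INTERCONNECT:
        return "block", f"{msg.opcode} is never legitimate over the interconnect"
    sub = SUBSCRIBERS.get(msg.imsi)
    if sub is None:
        return "block", "unknown IMSI"
    home, serving = sub
    if msg.opcode == "provideSubscriberInfo":
        # A home HLR asks the VLR serving its subscriber for location. Arriving from outside,
        # that is only plausible for an inbound roamer, and only from that roamer's home network.
        if home != HOME_PLMN and msg.origin_plmn == home:
            return "allow", "location query for an inbound roamer from its home network"
        return "block", "location query for a subscriber this origin does not serve"
    if msg.opcode == "updateLocation":
        # Our subscriber attaching to a partner's network. Blocking this strands real roamers:
        # the "important commands are blocked" failure mode the article describes.
        if home == HOME_PLMN:
            return "allow", "roaming registration from a partner"
        return "block", "registration for a subscriber we do not own"
    return "allow", "no rule matched; passed by default and logged for review"


def run_filter(msgs: List[MapMessage]) -> Tuple[List[Tuple[str, str]], Counter]:
    decisions = [classify(m) for m in msgs]
    return decisions, Counter(verdict for verdict, _ in decisions)


# Constructed sample traffic, in the order a signalling log might show it.
SAMPLE = [
    MapMessage("anyTimeInterrogation", "999-99", "262010000000002"),
    MapMessage("anyTimeInterrogation", "234-15", "262010000000002"),
    MapMessage("provideSubscriberInfo", "624-02", "262010000000002"),
    MapMessage("provideSubscriberInfo", "340-01", "340010000000007"),
    MapMessage("updateLocation", "234-15", "262010000000001"),
]

if __name__ == "__main__":
    decisions, stats = run_filter(SAMPLE)
    for m, (verdict, why) in zip(SAMPLE, decisions):
        print(f"{verdict:5} {m.opcode:22} from {m.origin_plmn}: {why}")
    print(dict(stats))
```

Two things in this toy illustrate why operators find real filtering hard. Every rule depends on state that the filter must keep current (the roaming-partner list, where each subscriber is registered right now), and the default branch passes anything the rules do not name, so the filter is only as good as the list of operations someone has thought about. Both are maintenance costs borne by each operator alone, which is the collective-action problem the next paragraph describes.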
Underlying all this is a collective-action problem. If only a handful of firms deal with SS7 but others ignore it, the system will remain insecure. That is why national regulators need to step in. They have avoided action for too long.
Vocabulary notes:
1. alert: a warning. | Derivatives: alertness; alerted. Synonyms: warning; notification; caution. Antonyms: ignorance; neglect. | Example: The alert system issued a warning to all users, who were then notified about the suspicious activity, although some neglected the caution and remained unaware of the danger.
2. enterprising: showing initiative and resourcefulness. | Derivatives: enterprise; enterpriser. Synonyms: ambitious; adventurous; industrious. Antonyms: lazy; unambitious. | Example: The enterprising young entrepreneur, known for his ambitious projects and industrious work ethic, often faced criticism from those who were unambitious and content with mediocrity.
3. routing: directing along a path. | Derivatives: route; routed. Synonyms: directing; guiding; channeling. Antonyms: misleading; misdirecting. | Example: The routing protocol effectively guided the data packets through the network, unlike some older systems that often misdirected information, leading to delays.
4. got wind of: learned about, usually informally. | Synonyms: learned of; heard about; discovered. Antonyms: ignored; overlooked. | Example: When the company got wind of the security breach, they immediately took action, unlike the previous incident which was overlooked by the management.
5. woefully: deplorably, badly. | Derivatives: woe; woeful. Synonyms: miserably; desperately; grievously. Antonyms: happily; joyfully. | Example: The system was woefully inadequate for the modern demands, causing many to desperately seek alternatives, although some joyfully clung to the outdated methods.
6. vulnerabilities: weaknesses that can be exploited. | Derivatives: vulnerable; vulnerably. Synonyms: weaknesses; susceptibilities; flaws. Antonyms: strengths; defenses. | Example: The cybersecurity team identified several vulnerabilities in the network, recognizing these weaknesses could be exploited, unlike their previous evaluation which highlighted only strengths.
7. Diameter: as a common noun, the width of a circle measured through its centre. | Synonyms: width; breadth; span. Antonyms: circumference; perimeter. | Note: in this article "Diameter" is the proper name of the later signalling system mentioned alongside SS7, not the geometric term. | Example (geometric sense): The engineer measured the diameter of the pipe, noting its width and span, which were crucial for the design, unlike the circumference which was less relevant.
8. intercept: to stop or seize something on its way from one place to another. | Derivatives: interception; interceptive. Synonyms: block; seize; hinder. Antonyms: allow; permit. | Example: The security system was designed to intercept unauthorized access, blocking potential threats, although some users preferred a more permissive approach.
9. spyware: software that covertly gathers information from a device. | Synonyms: malware; adware; trojan. Antonyms: antivirus; protector. | Example: The IT department installed antivirus software to combat spyware and other forms of malware, recognizing the importance of protecting systems against such threats.
10. exploited: made use of, often unfairly. | Derivatives: exploitation; exploiter. Synonyms: utilized; leveraged; manipulated. Antonyms: ignored; neglected. | Example: The hackers exploited the vulnerabilities in the system, utilizing their knowledge to manipulate data, while the security team worked to address these issues, unlike those who ignored them.
11. dissidents: people who oppose official policy or a regime. | Synonyms: rebels; protesters; nonconformists. Antonyms: conformists; supporters. | Example: The government tracked the movements of dissidents, viewing them as rebels, while supporters of the regime saw them as a threat to stability.
12. fugitive: a person who has escaped or is in hiding. | Derivatives: fugitivity. Synonyms: escapee; runaway; absconder. Antonyms: captured; detained. | Example: The authorities apprehended the fugitive after a long chase, unlike the previous escapee who managed to remain undetected for years.
13. protocol: an agreed set of rules. | Derivatives: protocols; protocolary. Synonyms: agreement; treaty; code. Antonyms: disagreement; dispute. | Example: The international protocol outlined the guidelines for data exchange, establishing a code that all parties agreed upon, unlike previous agreements that led to disputes.
14. jurisdiction: legal authority over an area or matter. | Derivatives: jurisdictional. Synonyms: authority; control; governance. Antonyms: powerlessness; subordination. | Example: The court's jurisdiction extended to all criminal cases in the region, exerting its authority over legal matters, in contrast to areas where governance was weak.
15. handover: the transfer of control or responsibility. | Synonyms: transfer; delivery; passing. Antonyms: retention; withholding. | Example: The seamless handover of control ensured continuity of service, unlike previous transfers which faced retention issues.
16. authentication: verifying that someone or something is genuine. | Derivatives: authenticate; authenticator. Synonyms: verification; validation; certification. Antonyms: disproval; refutation. | Example: The system's authentication process required multiple forms of verification, ensuring security, unlike older methods prone to disproval and security breaches.
17. donning: putting on (clothing or equipment). | Derivatives: don; donned. Synonyms: wearing; putting on; dressing. Antonyms: removing; taking off. | Example: He was donning his protective gear, preparing for the hazardous task, while his colleague was just removing hers after a long shift.
18. precautions: measures taken in advance to prevent harm. | Derivatives: precautionary. Synonyms: safeguards; preventive measures; protections. Antonyms: negligence; disregard. | Example: The team implemented strict precautions to ensure safety, establishing preventive measures that minimized risk, in stark contrast to previous negligence.
19. suspicious: arousing or feeling distrust. | Derivatives: suspicion; suspiciously. Synonyms: doubtful; questionable; wary. Antonyms: trustworthy; reliable. | Example: The guard was suspicious of the visitor's intentions, remaining wary and questioning, unlike his trusting colleague who believed the story.
20. balked: hesitated or refused to proceed. | Derivatives: balk; balking. Synonyms: resisted; hesitated; refused. Antonyms: accepted; agreed. | Example: The committee balked at the proposed changes, hesitating to implement them, while others accepted and agreed on the necessity of the reforms.
21. Underlying: lying beneath and forming the basis of something. | Derivatives: underlie; underlay. Synonyms: fundamental; basic; hidden. Antonyms: superficial; obvious. | Example: The underlying issues were fundamental to the problem, hidden beneath the surface, while the more superficial aspects were obvious to everyone.
Original article by 速盾高防cdn; if reproduced, please credit the source: https://www.sudun.com/ask/78030.html