Disclaimer:
After some serious time consulting with WOPR, I wanted to address the giant elephant in the room that many of you are reliant on and some of you think you are being clever with using. This information is provided for educational and safe preventative measures. What you do with it is up to you, and only you.I am not responsible in anyway for your actions and this should be common sense, but often it is not.
Wardialing, a quick trip down memory lane
Wardialing is the act of calling random number block. In the united states we use the following system in North America for phone numbers.
These essentially create blocks of numbers, the act of Wardialing is calling a block of numbers and get a report of the devices and responses for the number in the block. This was extremely popular in the 80’s and 90’s. Often times you would simply call to get a response to determine
if it was a modem, a fax, and or a real number. In some cases this could be used to access systems especially those without passwords. In some cases password protected systems would be broken into as well because of weak passwords, this was common practice that our government’s and defense
contractors fell victim to in this time frame.
We often do not look at the modern systems in the same way as the old, and this is problematic as we focus too much on the details of the complexities and overlook the simplistic approaches that could be used to compromise a user or a system. Most applications you use today do some sort of phone validation
there is a high likelihood that you are using some sort of social media, Facebook, Twitter, Instagram, et al. There are also many of you that are using privacy services and applications as well. Some of you may be using
Signal, Telegram, and plenty of others. This is and the aforementioned social media platforms have started to raise some serious concerns about privacy and whether or not they are actually private. That being said, we
are now entering a new world of wardialing, this time with targeting and a lot more to gain or lose dependent on which side of the attack you are on.
Many of these companies do phone validation methods, even more store these numbers in their system as a recovery method for your account. Some systems, I will not go into details as you should read up on what services you run, will use the phone as a primary or overriding recovery system for your account. This is quite dangerous as there are a number of vectors with this model that are not quite well explained to the user and are even murky for the legalities of what law enforcement could possibly do or a nefarious actor. What I mean is, someone can become you, without you knowing it and it not necessarily be a sim swap. While sim swapping is no laughing matter, the following section will outline some things you may not know.
Phone Carriers, Temporary Numbers, and Dangers to YOU.
Phone numbers are issued by carriers if you have a subscription, pay for a pre-paid sim, number, or you could even use a temporary service like Google Voice(I do not recommend), Temp Services, or other companies providing them. These alternative options often seem like a great tool for individuals that do not want to tie their actual service plan or they do not have a
phone for various reasons. While these services do provide functions to help individuals there is some real inherent risks that are not seen by the individuals that may be forced to use these options. This poses some concerns on a privacy level that are not usually discussed as being an attack vector but are often seen as an anonymous and opsec safe way of handling these verification processes. However, let’s take a closer look into this and discover why each have their own risks and their own dangers.
Carriers issue numbers to subscribers. You will usually be issued a phone or bring your own device and in which case the IMEI is then directly associated with the service provided number and your account information. To get a cell phone subscription usually requires your identification, a debit credit card, a credit check, and in some countries it may require proof of residency.
These are methods for the company to guarantee payment and that they can have this information on the subscriber for various reasons including inquiry from law enforcement, creditor inquiry, or to sell as marketing and targeted ad data. This information is you and that information is verified you and so it has values. This is also a risk as the provider is not necessarily following best practices to keep your data and this has been proven time and time again by big phone companies. There is also a little known risk too, many forget
number reuse. A carrier is only legally required to wait 30 days, a lot wait 90 days to reuse but not always the case. We will cover that later why it is important.
Temporary number providers such as Google Voice, Sideline, Twilio, and some others may provide a solution. Some are paid and some are not.
This can pose a number of serious privacy implications as well as potential attack vectors normally overlooked because they believe that
it does not apply to them but that is not the case. Understand that these issuers of temporary numbers including Google will reuse the numbers and in some cases much sooner than the 30 days. As you agree to their Terms of Service, you should be aware what each is providing and the length of the issuance. With free services often they can reuse almost immediately as they are not considered carriers so they do not have to adhere to the 30 day rules set in place. There are other providers that require no setup and or account these providers provide open numbers for anyone to use. This can pose another type of problem which will be outlined later, but it is not just a privacy nightmare it is also a harsh reality many face in this world. As numbers reused or numbers available to all many of these numbers receive sensitive information even though they should not, such as verification codes for applications and services like banks, social media, or email providers.
Privacy and Opsec
Many of you reading this are familiar with privacy and many of you are huge supporters of operational security or opsec practices as well
as situational awareness. These are vital not only for protecting yourself against law enforcement and governments but it is also important
for protecting yourself against nefarious actors, scammers, et all. We rely on open source tools and many in this world also rely heavily on
free services for important parts of our lives. For example, how many of you are paying for email? How many are using a privacy focused email
service provider? How many of you are just relying on Gmail? Note that nothing is truly for free without compromise to some degree. Some service
providers may give you free service such as ProtonMail but it is in limited fashion but it overall hits the marks as to keeping in line with the
paid service, just you do not get some of the added features, but for the most part your privacy is protected. Good on them, however, Gmail is free
or even GSuite email your company may use will provide you email services yet will also harvest data. There is also a perception issue with providers
that is creating a need and a want to use them and this is creating a further nightmare for some groups.
Many of you may be using a cellphone or a laptop to view this as you sip your coffee, tea, or even an adult beverage. Consider, that a growing percentage
of people are not so lucky. They may have to rely on public devices in a library, a friends device, or an internet cafe in some parts of the world due
to their financial situation. As stated many are looking to use free services as they need them to apply for jobs or they are looking to be able to communicate with their friends or family. While Gmail is free, it also requires a phone, you may say that well, use another service and I would agree. There is a growing trend of perception of certain services when an individual is applying for work about what email provider they use, this is further marginalizing some groups even though the said individual may be more than capable of the requirements for the position they just lack a phone they control for Gmail or <insert service here>. You can search on DuckDuckGo and see for yourself the perception, even look on your social media but there is definitely a bias here and this creates further problems for those in hard times. This is only one piece of the pie, there is yet more pieces of this problem that will come to light.
As stated many of us are extremely lucky to be where we are in financial situation or the hand dealt to us and we should be grateful. There is also a growing number of the population who are struggling to just get by even when working two jobs and supporting a family. These people sometimes have to make hard decisions about priorities, for example is it more important they and their family have food or is it more important for a phone that they can try to deal without for a month or two till they can kind of get ahead? These choices are real and not pleasant to even think about but it is the harsh reality for more than you would think and this is where another issue with phone registration creeps up, what if they lose their phone and number so now they must rely on such a service in order to login to a banking app, and they may not have much money so they have to pay close attention to funds. Or say they want to setup a social media site, Signal, Telegram, or some other communications application on their device without their number. They are hard pressed to do so without phone verification. Now this creates a further privacy nightmare and operational security danger for these individuals who are not in anyway doing anything wrong, just are in hard times. But there is even more to this.
Another situation that could happen is say for example a friend or contact of yours is apprehended without your knowledge, say they do not tell you they were charged in a case or that their phone was taken in lieu of them going to jail. You may even have them text you from their number and all and everything seems ok, but what if it was not the person? What if they were able to contact you with no visible differences to their text style and you started responding naturally? Well this may happen more than you think or even want to imagine in practice. Consider the aforementioned service provider or temporary number provider reuse of the number and said new phone
subscriber or new number recipient signs up for a service and you get a notification about the user joining said service. Or that you search and you find them as being active because social media suggestion, which you should never do by the way. But many do this and while against best practices now you are engaging in conversation with what you perceive to be this person, many of you do not even check safety numbers or have some form of verification process to indicate to each other if they are the
person. This is a huge opsec problem and one that can not only be exploited in this scenario but could be used in stalking, spying, and even to get you to incriminate yourself to law enforcement agencies. Seems wild? Think about the metadata tools available to you the individual and then research what is available to agencies and you can begin to piece together where this becomes a huge problem. This is also possible to deploy against protestors, activists, and journalists. Do not think that you are always protected with use of these services and never believe that you are not being targeted for such activities. Tread carefully, but be aware of the attack surfaces. Very few or any laws on the book to prevent certain vectors. Yet there are even more, and I could go on for days about the dangers.
So one might ask how do we keep our privacy and opsec in this scenarios? The real question you have to ask yourself is how limiting are you in your personal information with people that you know and even have relationships with to some level? How many people in your contacts list on your phone, do you actually talk to with any regularity and still yet they have you on services such as Telegram, Signal, and others? Are they and should they be in your list anymore? These are all questions you should ask yourself even on a monthly, quarterly, and yearly basis. I ask this question to myself quite often but each of these vectors listed here and the contacts we have and people we have shared our numbers and details with are all surfaces that could be used against us. Let’s explore it.
Wardialing in 2020.
Wardialing today is much different than it was, now we do not need to wait for a response. In this case we can use a different approach. We could in practice begin targeted attacks now that we have a better understanding of phone system, number reuse, and other scenarios of the realities in this world. This opens up a flood of new opportunities for exploitation. This also permits for targeted exploitation on levels we could not do before. Targeted exploitation of some of these attack surfaces could be used by authorities and nefarious individuals who might be out to harm others, scam, or provide details to those that wish to harm the individual.
**Warning, the following information will be vague and I am not including specifics so that this article is not seen as a doctrine of how to do these attacks, for specifics you will need to do your own research and again this is for educational and preventative educational resource only**
Security at “platforms”, I use quotes as they are services in which they pretend to give you some type of control of your data when in reality they control and own your data and content on them. This poses serious problems for the users and it allows for censorship, data harvesting, as well as compromises the user who may already be marginalized in some way. Consider that each of these companies in most cases collect your phone number as mentioned before. Also note many of these companies have been hacked, internal database leaks, or private employees in the company sell this data to individuals. This is very common in the service industry contrary to whatever they want to tell you. The sell of your personal information to ads is one thing, the providing of your information to governments and the law enforcement is another, but the sell of your data from an employee to a group and or a nefarious actor is another and it is more common than you think. Database leaks are the most common way for an attacker to get your account details, many think oh ok I will just change my password and I should be fine. This works for most people, but what about that phone number you registered under? Most of these services do use the phone number verification as an override in case you lose email access. Again, we trust devices that are glorified spyware over anything which is representative of how much we actually care about privacy.
This data obtained through illegal or legal means would allow an attacker whether government or not to have a clear surface for them to go after. As you may not have paid attention to the number saved to your account you may no longer have, or was a temporary number that could get reused, well now there is an easy vector. Now, they just need to convince a carrier to give them this number, use api calls to get these numbers, or re-register the service to the number and circumvent the security measures in place by these services providers of social media or SaaS providers. Many may consider this as a blatant issue, however, it is one that is exploited more than you consider
and even without the user knowing. Because they can use this process to gain further details about communications this user may have with the actual intended target. Often, you may not be a target but a byproduct to get to the actual target. As the old saying goes bigger fish to fry. Now how is this wardialing? Well instead of just blindly calling numbers which spammers do, you are using a refined list for your attacks or explorations. Which was the goal of wardialing to begin with, now these companies and their terrible security practices and bad actor employees do all the wardialing, you can just cherry pick what you need and focus on the real attack.
A new high profile political target that requires identification can easily be exploited using this model as well. Which any company that requires your phone number and or identification should not be trusted as they are honeypots. Parler is one of many new form of social media platforms that require a phone number registration as well as your identification to be verified and use the service. DO NOT TRUST THIS, DO NOT TRUST ANY COMPANY WITH YOUR DATA. If Equifax, who has your credit information can be simply hacked then so can these companies. There are few if any security audits on these services. DO NOT TRUST THEM, IF YOU DO IT IS ON YOU AND THESE COMPANIES DO NOT CARE ABOUT YOU.
Is Privacy Dead?
No privacy is not dead and we should not mourn it as if it is. There are plenty of ways to combat this vector and many others but instead of being real complex in our approaches we must return to simplicity. As simplicity removes attack surfaces but it introduces something we must all begin to take hold of anyways, personal responsibility. It should not and can not be left to third parties to protect your privacy, it should be your own and you should do your best to understand how things work. We should also begin a more focused movement to distributed services and networks. These services and networks are ran by individuals. They can also be ran by companies but mostly individual operators will represent a larger percentage of these services and networks. For social media experiences like Twitter one could use a service like Mastodon, and support the operators of the network. For a private Facebook a family could and should use something like Retroshare, this will allow for private sharing of files, pictures, and discussions. Not everything should be given to these companies. You need to understand that there is a cost to privacy and sometimes that could mean monetary or it could mean some assembly required, meaning your time.
Anything that is simple requires a compromise, these compromises can be used against as us highlighted in previous sections. So what steps can you take to protecting yourself with regards to the phone verification problem? Well this poses a number of real issues one being that those systems are not able to be controlled by individuals due to cost and legislation of how the telecom systems work. The real concern becomes how to prevent number reuse and to keep this from happening when using a temporary number, that will involve
a monetary cost. However, if you keep your data off of third party systems and rely on distributed networks you not only remove your reliance on such devices and numbers you also greatly restrict what data if any a profile could be built against you or your family. To really keep your number for your services, you need to keep your number which costs and it also poses privacy issues if it is disclosed by someone to the wrong groups or spammer target. You could use a prepaid burner bought with cash and paid with prepaid visa also filled up with cash or cryptocurrency. Understand that there is still a cost and that the burner number once you stop paying could end up being reused. These are always vectors with using registration via phone.
The balance here is that we can regain our privacy by not allowing companies to collect the information and to switch to distributed systems that do not collect them. We should also support companies that do not collect your data and provide you services as well. Many may collect an email, and emails you can create compartmentalized emails with any service so that you can have multiples and not need to rely on the number verification process as well. This will give you more control of your data and protect your number from
prying eyes as aforementioned. There is no silver bullet in software. There is no perfect solution, understand what your attack surfaces are and the compromises for what YOU want and be responsible for YOU.
Why Did You Write This?
This all started when an anon reached out to me after setting up Signal, this is a first time user of Signal and he had a few questions related to some of the behavior he saw.Specifically this user was receiving messages intended for other people, when I inquired he had used a number service to provide verification to use signal as they do require the registration process. This was interesting to me so I went down the rabbit hole and some exploration was hide, there is more not included in this article that will come to light soon as a byproduct.
This process was reproducible with a number of applications, to which I will not go down the list. There are plenty of interesting things that people as mentioned above that are using these temporary services for and some are not being nefarious but actually can not get or keep a phone number. This anon who reached out, however, had used a temporary number service as many articles(#1, #2) describe this process to use a temporary number in order to setup Signal. This poses serious risks as covered before the problem is that this exposes the users who were contacting the original user of the number may only be told that in some cases the safety number changed, in other apps they are not told anything. This is a huge operational security damage for the others. This could be leveraged by law enforcement and others in order to gain intelligence and evidence. I want to personally thank the anon for reaching out. I want to thank those that encouraged me to write this, my friends, associates, and others who provided inputs. The next few articles will contain more details to which some of them are privy to and have not been publicly disclosed here.
At minimum for your security right now enable registration lock on your Signal and use a complex pin. Do this for all services that support this and enable two factor authentication. IF YOU RECEIVE NOTICE THAT A SAFETY NUMBER HAS CHANGED VERIFY THROUGH OTHER MEANS IT IS WHO YOU THINK IT IS.
Conclusion
There will be more articles and explanations for various services coming in the days and weeks ahead exposing more and more of the dragnet and the #BigTech problem you only think that is being covered. To really begin to take control again we need to use technology that we often are overlooking for modern services. We can and should implement models in which we use public key cryptography such as PGP in order to regain our privacy and prevent data ownership from companies. We need to support distributed networks and hurt these companies where it counts, the pocket books. Understand that by having governments step in on large businesses to force them to abide by policies this will have a trickle down effect on smaller companies as well and stifle innovation and impact further privacy enabling tools and services. Do not give control if you do not have to, instead take it back.
There is a price for privacy, there is a price for everything. Not everything in this world is free, as in free beer, but the things that are “free” often have a larger price than the sticker price. Individuals have long been victim to this and are continuing to be placated by the ideas that this ok, it is not. The only way to change this is for you to stand up and make a change, one person, one step, one thing at a time. The future could be bright, but it fades with each passing day.
TL;DR: Just like bitcoin, not your keys not your coins. In this case not your number, not your data.
This is part of a series as to fully understand the attack surfaces and vectors one needs to get perspective on how the technology works as well as the services.
Article 1 of 4, Article 2 will contain some live examples of attacks on users, if you would like to see one feel free to hit me on signal with the following number(a live example). You can perform live examples if you choose to but understand the laws in your jurisdiction and do not impersonate anyone. Article 3 will be a disclosure on VPN’s. Article 4 will contain a very special surprise.
**Proper disclosure has been followed in reporting to services. You should also follow proper disclosure. **
If you wish to support this series, reach out via Twitter, Signal, or Telegram.
You can buy me beer with Bitcoin, Monero, Burst, or Doge if you want. Hit me up for addresses.
Some links:
Database dumps: Lol no that is illegal, do your own research.
Examples of free number services: Quackr(#1, #2, #3, #4, #5), SMS-Receive(#1, #2, #3)
Paid services: GoogleVoice, Twilio, and you can DuckDuckGo others.