Tom Uren
Hello everyone, this is Tom Uren. I'm here with the Grugq for another Between Two Nerds discussion. G'day, Grugq. How are you?
The Grugq
G'day, Tom. Fine, and yourself?
Tom Uren
I'm well. This week's Between Two Nerds is brought to you by Thinkst, maker of Thinkst Canaries and all other sorts of honeypot goodness. Sorry, Grugq, I've got this gripe and it is the picture. People on the Internet are wrong. So around Salt Typhoon. So the story is that Salt Typhoon is a Chinese hacker group. It's compromised, at this point when we're recording, at least eight US telcos.
The Grugq
Do they have more than eight? I mean, they've compromised most of the US essentially.
Tom Uren
Yeah, well, I. They haven't specified which ones. You would imagine that it's the. The ones they actually care about, which are the most important ones. It's a big deal. So people think that what has happened is that they've compromised the. What's called the CALEA system, the Communications Assistance for Law Enforcement Act, where if you've got a court order, police can tell telcos, give us the content of a call or a message, whatever.
The Grugq
Right.
Tom Uren
But that's not actually what has happened. So this is my gripe that it's being.
The Grugq
Because, I mean, that's what's being reported, right. That they had access to the CALEA system. So.
Tom Uren
So what? And now I actually got one of the stories because I've written about it a few times. And when you're in the writing newsletter business, it tends to make you quite pedantic, unfortunately, I think. And so what the report actually says. And now this is from the Washington Post. Hackers have acquired access to the system that logs US law enforcement requests for criminal wiretaps. So another newspaper described it as the. Kind of. As the tasking portal.
The Grugq
Right.
Tom Uren
So if you get access to that, you can obviously see all the numbers that are tasked.
The Grugq
Right. So that's. I mean, that's useful for counterintelligence, obviously.
Tom Uren
Oh yeah, I think it's a huge deal. Oh, yeah, yeah, yeah, yeah. So I'm not saying that it's not a bad hack. I'm just saying that people on the Internet are wrong. God damn it. And, and it goes on. There is no evidence so far that hackers have compromised the collection system itself through which law enforcement listens in on wiretapped calls.
The Grugq
Okay, so. But, but they. They have been listening in on calls anyway.
Tom Uren
Yeah, yeah. So why. So why me? And maybe this annoyance. This is what we'll discuss. I guess maybe this annoyance is just all pointless. That people use their interpretation, the sort of misinterpretation that the CALEA or wiretap system was compromised, as an argument that we shouldn't have wiretap systems. But that's not actually what's happened. And so they're kind of segueing off onto relevancy.
The Grugq
See, you say that, but I actually disagree.
Tom Uren
So like, you disagree with which bit?
The Grugq
So I disagree with the. They're using the wrong reasons to come to the right conclusion.
Tom Uren
Right.
The Grugq
Okay. So to say that we shouldn't have a CALEA system because the CALEA system was compromised and abused is incorrect. But the vulnerability that the CALEA system exploits was abused anyway. So they're correct in that communications are not encrypted. Anyone who has access to the network can see them. Therefore, for security reasons, we need to encrypt those communication systems. Saying that the CALEA system is responsible for. For that is, you know, based on, based on this new information. Because I was under the impression that the CALEA system was being used.
Tom Uren
You were one of those people on the Internet who annoys me.
The Grugq
Not just on the Internet.
Tom Uren
Yeah, sometimes in my DMs as well.
The Grugq
Right. So I think that the, like the fundamental issue is that telco communications can be monitored. Right. Like they're not secure. That gets solved by encryption. CALEA is sort of tangential, it's orthogonal. It's like law enforcement has been exploiting this vulnerability for decades, now the bad guys are exploiting it. It's time to reconsider whether we want this to be embedded into our infrastructure or not.
Tom Uren
Yeah. So I would first of all take issue with the way that you described it as a vulnerability in the sense that, I mean I would describe vulnerability as something that like there was no other choice back in the day.
The Grugq
Right.
Tom Uren
So maybe now it's a vulnerability, but it's a weakness, perhaps is a shades of gray.
The Grugq
It's sort of, it's a, it's a way that it's weak or vulnerable to attack. A weakness, one might say. Well, I'm sure there's another word for it.
Tom Uren
Okay, so.
The Grugq
So point taken. It's so. But here's the thing is I think that it has become a vulnerability at this point in time. That's right. I'm willing to accept that. In 1990 it wasn't like we could have just used Signal. Right.
Tom Uren
There's no other choice.
The Grugq
Right. You know, we had like what, like 286 or 386 or something back then. Like encryption was not a thing that happened. Right. It just. It wasn't feasible. So, yes, absolutely, we had to do that. I think at this point in time, we're now seeing sort of like the pigeons come home to roosters. Right.
Tom Uren
Like, yeah. So I guess that leads naturally to the question of what would you do about Salt Typhoon? And so, see, I would just.
The Grugq
I would just fix the telcos. I would simply not be compromised in the first place.
Tom Uren
Right, yes. You would just make yourself perfect and behave naturally.
The Grugq
Exactly. I think this is a big issue because even if, just for sake of argument, if we completely removed CALEA systems without fixing the fact that this is not encrypted, nothing would change because that's exactly where we are right now. They were exploiting the raw access. And just before we started recording, we were discussing that in all likelihood, it's probably easier to use raw direct access to get phone calls than to use the CALEA system, because all the monitoring and logging is going to be via the authorized channel that's going to be used by law enforcement.
Tom Uren
Yeah.
The Grugq
Whereas just, you know, your regular engineer is going to be able to do that anyway.
Tom Uren
But yeah. Yeah. A few weeks ago on the Risky Business podcast, Adam Boileau spoke about his time as a pen tester. And it's quite an entertaining story. He basically went above and beyond to actually compromise a working lawful intercept system. And it was something like he had to compromise the data center and then the control plane of the racks of the data center to then be able to connect to the lawful intercept system. So his take home was that they'd done actually a pretty good job of separating it from the.
The Grugq
So. So it was. It took him a bunch of hops to get there.
Tom Uren
Yeah, yeah, that's so. Yeah. I think there's two things there. They. They had really tried, they had failed. But I think the A for effort, but it seemed like a very good effort, but it also seemed like, well, that that kind of system would have a lot of logging and a lot of monitoring and it's. I don't know if they would have detected him, because I guess there's two things once you separate it like that: people tend not to monitor it because that happen, or because they care so much, they actually do monitor it. So you never know. But I think from an outsider's point of view, you would be very cautious about going to that system because of the possibility that it was logged very heavily.
The Grugq
Right. I think the point here is that it either is logged very heavily or, if there's ever an audit, it will be monitored, like it's the most likely place to be searched.
Tom Uren
So whether it's in some way.
The Grugq
Yeah. So you're much better off having system engineer access or the access of someone who has to debug and fix things, because no one cares what they do. They just care that, you know, things were, they made. Yeah, right. So, yeah, like the odds of like some random engineer having all of their stuff logged and monitored is very low.
Tom Uren
I mean, and in this case, in the Salt Typhoon case, the Chinese actors have gotten what they want without bow accounts. It seems like a very targeted operation. So.
The Grugq
Right.
Tom Uren
It's maybe hundreds of phones where they're trying to get content, not whichever phone we feel like.
The Grugq
Like the victimology suggests that this was espionage. They got what they wanted and it was targeted. It was proportional, it was targeted. And it was exactly the sort of thing that like the US wants China to do, as opposed to what they're.
Tom Uren
I've not. I mean, people seem outraged that they allowed it to happen rather than outraged that the Chinese are doing it. So, like one particular senator I remember, like, you know, more for us essentially was what he was saying. So it seems like you could, in terms of the targeting, you could then as a piece of advice say, well, if you're important politically or in government, you should use encrypted apps. Right, right.
The Grugq
It seems to me like that would have been the suggestion anyway from the security people. Like if you're a senator, one would assume that like the FBI or someone has a security chat with you to say, like, now that you have security clearance and you're on this, you need to do things to, you know, prevent spies or whatever. And one of those things should be, you know, use Signal. Use Tor. Yeah. But I do feel like, all right, this is like, I feel that they should know better, but I hear how weak that sounds.
Tom Uren
Who should know better?
The Grugq
Sorry, the senators. Or like these important people doing highly sensitive things, or some of what they're doing is sensitive. Like I feel like they should know to take security precautions. I know, and I'm not even a.
Tom Uren
Senator, so I mean, I do know at least when it comes to Chinese threats. There are Australian politicians who use Signal or WhatsApp, even in groups where they talk with fellow like-minded people. But that's kind of driven by the threat in a way. You know, they. Because they're aware of that. Yeah. They're perceived as Chinese hawks or China hawks. And so there's, you know, a dozen stories at any one time floating around about whoever, who's being targeted because they're perceived by the Communist Party as anti-China. And so that sort of makes sense.
The Grugq
I'm gonna just throw in that it's probably to a degree performative, because if you're one of these China hawks, then you want, you want to show that you're taking it seriously and doing this thing, like you're not, you're not blasé about it.
Tom Uren
Right, right, right. So it's self-reinforcing as well.
The Grugq
Right?
Tom Uren
Yeah, yeah. So some of the people who seem to have been targeted are the campaigns in the States. Both the Harris and the Trump campaign.
The Grugq
Right.
Tom Uren
Was one of the names mentioned. I would be super surprised if Trump wasn't also targeted. I can't recall.
The Grugq
Right, yeah, I can't recall.
Tom Uren
But then maybe it would be such. Well, of course, that I wouldn't remember.
The Grugq
Right. But I think the other thing is they might want to mention like the lesser peoples that got targeted and not say Trump was vulnerable and was hacked, because that might upset him.
Tom Uren
I read a long time ago, or maybe I read that Trump just loves talking on the phone, and so therefore he was a perennial target during his first presidency.
The Grugq
Absolutely. I mean, this is the same campaign that asked the Russian embassy for a secure phone from the Russians that they could use to talk to the Russians, like that. I congratulate them on their security consciousness at that point. However, it seems a little bit misguided.
Tom Uren
Yeah. So, I mean, you use those sorts of devices when you talk within a trusted community.
The Grugq
And you want to keep outsiders from knowing what you're discussing.
Tom Uren
So, you know, so I've gotten my major gripe out that people were wrong. So, you know, on Between Two Nerds, we've set the record straight so no one lives again. But the rest of our discussion we've kind of said it doesn't really matter, because the argument that spun out of it, that lawful intercept is bad, is kind of irrelevant to what's going on with Salt Typhoon. But also the Chinese hackers have been very successful. They've actually gotten all that they want. And there may be reasons why they didn't go after lawful intercept, just because it's riskier. Right, right. But in terms of the telco network, it's. Yeah, it's done. They seem to have very good access. No one's been able to kick them out.
The Grugq
Yeah. So I mean, I think the thing is that the foundational protocols of telcos like SS7 is like 1980s or something era technology. It's from that era of the Internet: it's academics, we're all trusted here, why would we ever need security?
Tom Uren
Right.
The Grugq
So it was, it was built on the mindset of like TCP or BGP, you know, like when the idea of security was like. But it's on the Internet, of course it's safe. There's no one here but us. Like, you know, so like SS7 is just, it is archaic and it cannot be fixed. It's. But it's also so tied into the backbone that it's like if we decided that IP was broken and we just needed to replace it.
Tom Uren
Right, yeah. So I guess what you're saying is there's no short-term quick fix that's going to remediate the telco network anytime soon?
The Grugq
Absolutely nothing. I think more to the point as well is that this is one of those cases where first-mover advantage works against you. So because the US sort of built up their tech stack organically at every increment, they're going to have so much legacy equipment that's load-bearing, it's just going to be expensive, hard and super error-prone to try and fix. Whereas I think in a country that has more recently adopted the stuff, they can get newer equipment from the get-go. They don't have legacy kit from like the 80s that's holding up their, their billing system or something.
Tom Uren
Right. Yeah. So it's a bit more greenfields. So there's this.
The Grugq
Yeah. So that I think they're starting at a higher level of security just from not having that history behind them. So yeah. Like I think that the US is facing a particularly difficult situation here.
Tom Uren
Yeah. So it's curious that that has probably been true for 20 or 30 years. Right. And yet I sort of did a survey of different legislation about getting telcos to care about security, and Australia had some from 2017; hilariously it just says telcos, you've got to do your best on security. That's it. And then the UK has some from I think 2021, like relatively recently, and that was kicked off by the Huawei security. It was a supply chain review kicked off by concerns about Huawei. And then the US just basically doesn't have any legislation. And so the response has been not.
The Grugq
Even try to do your best.
Tom Uren
Which.
The Grugq
Is apparently the high bar at this point.
Tom Uren
Yeah, yeah. And you've. And yet they're the ones who probably have the longest history, and I want to use the word technical debt in that sense. It's probably not exactly. You get the idea.
The Grugq
Right, right.
Tom Uren
And so. And it seems like everyone in the US has just been like, oh yeah, our telcos are good, nothing to worry about here. They innately care about security because we are the U.S. Yeah, I don't know why that would be so. One of.
The Grugq
The things that at least it was true many years ago when I was doing pen testing on telco networks, I assume it's true these days, telcos' definition of security was revenue leakage. Basically if people got things for free and they weren't being billed, that was a security issue. So if someone was getting like SMS and wasn't paying for it, that had to be remediated immediately. Immediately. But if someone unauthorized was reading SMS, well, I mean that's just the nature of the beast, you know, what are you going to do? And that was very much the attitude of just like, as long as we're not losing money here, right. Like it's okay.
Tom Uren
That to me totally makes sense in terms of the default incentives.
The Grugq
For example, SIM cards and the way that you authenticate to the network is very, very secure. Right. You've got like this hardened secure chip environment that authenticates using secret keys to like, there's all this stuff that's super secure because that was revenue leakage. Right. But SIM swapping, they still haven't fixed it, where someone just phones up and, hi, I'm Tom Uren of Seriously Risky Business and I'm here to get my, my SIM card switched. And I go, okay Tom.
Tom Uren
Yeah, I mean that totally makes sense to me as the default set of incentives. Right. Like, you know, you're here to make money, there's a lot of security stuff that is revenue neutral or even possibly positive that.
The Grugq
Right.
Tom Uren
Is bad security, but like it doesn't cost you any money. And so I spoke to someone who was involved in the Australian legislation and they said it was just basically people felt that telcos were undervaluing security. And I think that that kind of attitude, that's why you need legislation, is to overcome that kind of attitude, because that's the default attitude you're going to have.
The Grugq
So I saw that one of the things that they're doing in the US is the SEC has set up a thing for whistleblowers to come forward about companies that are not implementing security properly. And so whistleblowers can get paid out when those companies get fined.
Tom Uren
Yeah.
The Grugq
And so because they're making not having good security a financial liability. Right. They're creating an incentive, and it seems to me like it's a bit of a convoluted way to do it. We will pay people that betray you if you do this wrong. Like, that's.
Tom Uren
Yeah. So it's. That's the False Claims Act. And if it's. I think it relates to the federal government. So if you've got a federal government contract and you're stamping on security.
The Grugq
So one of the ways that. That seems like a good idea to me is it's. It's the way that you, like with a Kwik-E-Mart sort of place, you can't monitor that the employees aren't stealing from the till. Right? And the easiest way to do that is you look at what someone's buying, you say, all right, that's going to be like, whatever, 10 bucks. They give you a 20, you hit no charge, cash register pops open, you get them their change, and it hasn't been rung up, and now you've just made 10 bucks. So the way that you work around that is you say to the customer, if you don't get a receipt, everything is free, right? So now the customer is incentivized to monitor that the employee is actually doing their job. And it seems to me like that. Like this is trying to create that sort of incentive where the employees are now incentivized to make sure that their company is doing the right thing for.
Tom Uren
The federal government, which brings a whole new meaning to the word insider threat. Someone in our company might help the government. God damn it.
The Grugq
Thanks a lot, Tom.
Tom Uren
Thanks, Grugq.
Risky Bulletin Podcast Summary
Episode: Between Two Nerds: How the Internet Gets Salt Typhoon Wrong
Release Date: February 3, 2025
Host/Author: risky.biz
In this episode of Risky Bulletin, hosts Tom Uren and the Grugq delve into the recent cybersecurity incident involving the Chinese hacker group Salt Typhoon. The conversation kicks off at [00:03], with Tom introducing the topic and expressing his frustration over the misrepresentation of the breach details across the internet.
Tom Uren:
"People on the Internet are wrong. So around Salt Typhoon..." ([00:11])
The Grugq responds by broadening the scope of Salt Typhoon's activities, suggesting that the group's reach within US telecommunications is more extensive than publicly disclosed.
The Grugq:
"Do they have more than eight? I mean, they've compromised most of the US essentially." ([00:43])
A central theme of the discussion is the misreporting surrounding the breach. Tom clarifies that the Salt Typhoon group did not compromise the CALEA (Communications Assistance for Law Enforcement Act) collection system itself but rather accessed the system that logs law enforcement's wiretap requests.
Tom Uren:
"There is no evidence so far that hackers have compromised the collection system itself through which law enforcement listens in on wiretapped calls." ([02:33])
The Grugq counters by emphasizing the broader vulnerabilities that exist in telco communications, highlighting that the lack of encryption allows unauthorized access to anyone with access to the network.
The Grugq:
"Communications are not encrypted. Anyone who has access to the network can see them. Therefore, for security reasons, we need to encrypt those communication systems." ([04:24])
The hosts discuss the inherent weaknesses in the telecommunications infrastructure, particularly focusing on protocols like SS7, which were developed in an era with different security assumptions.
The Grugq:
"The foundational protocols of telcos like SS7 is like 1980s or something era technology. It's from that era of the Internet... it's archaic and it cannot be fixed." ([14:52])
Tom adds that the legacy systems impose significant challenges for implementing security upgrades, making it difficult to address vulnerabilities swiftly.
Tom Uren:
"So it's hard and super error-prone to try and fix." ([15:40])
They also touch upon the concept of technical debt, explaining how the US's long-standing infrastructure complicates modernization efforts compared to countries starting with newer systems.
The conversation shifts to the varying legislative approaches different countries have taken to bolster telco security. Tom points out that while Australia and the UK have introduced specific security measures, the US lacks comprehensive legislation, relying instead on more convoluted methods like whistleblower incentives.
Tom Uren:
"Australia had some from 2017... And then the UK has some from I think 2021... and the US just basically doesn't have any legislation." ([16:50])
The Grugq explains the SEC's initiative to encourage whistleblowers to report companies neglecting security, likening it to the retail practice of enlisting customers to check that employees are doing their job.
The Grugq:
"They're making not having good security a financial liability." ([20:28])
Tom highlights the challenges of such policies, noting that it relies on insiders to enforce security standards, which can be unreliable.
The hosts analyze the nature of Salt Typhoon's operations, suggesting that the group's activities are highly targeted towards politically significant individuals and campaigns.
The Grugq:
"The victimology suggests that this was espionage. They got what they wanted and it was targeted." ([09:48])
Tom remarks on the selective outrage surrounding the breach, noting that the focus tends to be on the inadequacy of the US telcos rather than condemning the Chinese hackers themselves.
Tom Uren:
"People seem outraged that they allowed it to happen rather than outraged that the Chinese are doing it." ([10:07])
They discuss the implications for politicians, emphasizing the need for secure communication channels. The Grugq points out that while security precautions are advised, the practical uptake among high-profile individuals remains inconsistent.
The Grugq:
"I feel like they should know to take security precautions." ([11:22])
In wrapping up, Tom reiterates his primary concern about the misreporting of the Salt Typhoon breach, underscoring the importance of understanding which system was actually accessed rather than conflating different aspects of the breach.
Tom Uren:
"So, you know, so I've gotten my major gripe out that people were wrong." ([14:03])
He also reflects on the broader implications for telco security, acknowledging the persistent challenges posed by legacy systems and the complex landscape of cybersecurity legislation.
Tom Uren:
"It seems like this is trying to create that sort of incentive where the employees are now incentivized to make sure that their company is doing the right thing." ([21:57])
The episode concludes with mutual acknowledgments of the complexities discussed, leaving listeners with a nuanced understanding of the Salt Typhoon incident and the broader state of telco security.
This episode provides a comprehensive examination of the Salt Typhoon breach, highlighting the nuances often lost in broader media reporting. Through their detailed discussion, Tom and the Grugq shed light on the technical and legislative challenges in securing telecommunications infrastructure, emphasizing the need for accurate information and robust security measures in the face of sophisticated cyber threats.