CXTech Week 49 2024 News and Analysis

The purpose of this CXTech Week 49 2024 newsletter is to highlight, with commentary, some of the news stories in CXTech this week. What is CXTech?  The C stands for Connectivity, Communications, Collaboration, Conversation, Customer; X for Experience because that’s what matters; and Tech because the focus is enablers.

You can sign up here to receive the CXTech News and Analysis by email or by my Substack. Please forward this on if you think someone should join the list. And please let me know any CXTech news I should include.

It’s been 2 weeks since the last CXTech news and analysis. The hacking of the US telecoms network has kept me busy. The sources of the hacks are numerous, particularly the 3rd parties telcos outsource their services to, which we’ll review in this CXTech.

Amazingly the MEF continues to claim we (TADSummit) are lying about the MEF and some of its members. All data presented is backed by leading experts in the industry, and public data sources. The MEF should not cast blanket aspersions given the state of telecommunications security. Urgent change is required, not more coverups.

Covered this week:

  • Podcast 100: TADSummit Innovators, Bohdan Hopanchuk, Ethical Hacker, Made in the UA. Part 2.
  • Podcast 99: TADSummit Innovators, Bohdan Hopanchuk, Ethical Hacker, Made in the UA. Part 1.
  • FBI and the Cybersecurity and Infrastructure Security Agency Urging Americans to use Encrypted Communications

Podcast 100: TADSummit Innovators, Bohdan Hopanchuk, Ethical Hacker, Made in the UA. Part 2.

Bohdan Hopanchuk is an ethical hacker, based in Kyiv, Ukraine. Check out his first podcast (Podcast 99) with us focused on some of the scams operated by CPaaS. Bohdan received great feedback on his first episode.

One person, who provided feedback, claimed Johnny has a poor reputation in the industry because he names the organizations committing fraud. This demonstrates the level of corruption in CPaaS when the crooks expect to remain nameless.

We should be celebrating the CPaaS committed to doing the right thing for their customers, like BT Group, Deutsche Telekom, and TSG Global. Crooks cannot be trusted and should not be allowed to operate in the CPaaS industry; just look at the state of the US telecoms industry, where lawmakers are advising Americans to avoid using the PSTN. We’ve been warning the industry for close to 18 months on the issues. And still some people / organizations try to maintain the cover-up.

We all know a grandma or grandpa who has been scammed. One of the TADHack participants’ parents lost their life savings to a romance scam, so their children now support them. Scammers and those who enable scammers should be sent to prison. This is not like a speeding ticket, this is like driving drunk and killing the people in the other car. Lives are being lost and ruined every day, and we can stop this together, by naming the crooks facilitating it, and showing the solutions telcos and individuals can adopt, e.g. in the Honest CPaaS Review.

Here is part of an email Bohdan received from an international cyber criminal:

We’re looking for local USA route (both SIM and Direct) that can accept marketing type traffic (we got daily 1-3 mln SMS) Have u got this kind of route now?

Millions of SMS per day, for ‘marketing’ messages (likely containing a URL), for local USA routes. It’s phishing coming into the US.

Digital Armies of Tens of Millions of devices

But back to Bohdan, he ties together several threads that made me realize how vast the problem has become. He covers AIT, SIM/eSIM, hacking QR codes (quishing), huge bot-nets via telecom routes, and infected devices. Simply put, there are digital armies of millions / tens of millions of devices under state-sponsored control.

We had an excellent presentation last year on the EU Cyber Resilience Act, covering the risks of out-of-date open source software in IoT devices. It was given by Olle Johansson, experienced consultant in network security and real time communication (PKI, WebRTC, SIP, XMPP) and Kamailio and Asterisk expert, and Sandro Gauci, CEO / Senior Penetration Tester / Chief mischief officer at Enable Security.

Bohdan confirmed that risk is widely exploited, so there are millions, likely tens of millions of devices sending spam (email and SMS), malware, and any credentials used on compromised devices. In 2023 and 2022 we saw bot-nets being used for DDoS (Distributed Denial of Service) attacks. In 2021 Sandro Gauci gave an excellent presentation at TADSummit on The worst of enemies – let’s talk about DDoS and RTC.

TADSummit has covered many of the issues over the years, but we did not join up the thinking on these issues, which Bohdan is now enabling. Cyber criminals, and also kids as the technology has become so widely known, infect devices like web cams, EVs (Electric Vehicles), etc. And then upon the criminal’s command they can be used for any campaign. For example, sharing all your credentials to steal from you, spy on you, or hold you to ransom. It’s multi-platform: calls, emails, SMS, eSIMs, messaging clients, etc.

State-sponsored attacks target government agencies and financial institutions, stealing tens of billions of dollars.

Biometrics, Zero Day Exploits, Scale of Bot-Nets

An important point Bohdan made is to use your biometrics, e.g. fingerprint, as that has not yet been compromised. Use passkeys! My family use biometrics across our phones and laptops, though not on the many other devices we use around the home. For those we try to ensure the software on the IoT devices is up to date, that there are no default passwords, and we monitor for unusual home network traffic.

Bohdan moves on to zero day exploits, that is, inherent weaknesses in software systems, and how state-sponsored hackers are placing malicious code 24/7 wherever they find zero day exploits, for later activation. As an example Bohdan uses the Deloitte hack, reported yesterday, where Brain Cipher Ransomware Group allegedly stole 1 TB of data.

I then ask about the ratio of fraudulent traffic between SIM boxes and bot-nets. Bohdan highlights that the bot-nets have access not only to SMS, but also to SS7, grey routes, zero hop direct routes, etc. Scammers are so confident of delivery of phishing SMS that their only concern is click rates for a campaign.

Johnny highlights the unusual situation we’ve reached where senators are warning people to not use the PSTN, and that ultimately telcos will be held responsible for the situation, not their third parties. In the Honest CPaaS Review, we highlight the steps telcos can take to protect their customers and their networks.

Bohdan on his next TADSummit episode will get into more details on the exploits and how people can protect their emails. Bohdan joined up the thinking of several topics TADSummit has covered over the past few years, to realize the scale of the threats we face. When the US lawmakers are briefed on Dec 11th, the outcome could be again unusual, as we do live in interesting times.

Podcast 99: TADSummit Innovators, Bohdan Hopanchuk, Ethical Hacker, Made in the UA. Part 1.

Bohdan Hopanchuk is an ethical hacker, based in Kyiv, Ukraine. That’s the reason he’s in a darkened room: at night they black out, like the UK did during World War II. We were prepared to pause recording if the air raid siren went off; fortunately it did not.

Bohdan is a fan of the TADSummit Podcast. His objective for this podcast is to add value by bringing his experiences to the body of work we’ve amassed. He brings both cyber security and messaging expertise. In particular Bohdan wants to help young route managers understand the industry and make the right decisions.

Bohdan brings the coal face experiences of setting up routes, and how to buy, sell, and test those routes. He knows how to set up zero hop direct routes, and the testing, for example whether the DLRs (delivery receipts) are real or fake. This is one of the methods used to steal from the customer: claiming delivery when there was none.

Such simple fraud is widespread. 80% of the DLRs could be fake, only 20% real, yet all are charged. This enables extremely high margins by some CPaaS. Bohdan shares the reality of inter-CPaaS deals, where they share traffic, customers, revenues, margins and commitments. Essentially it’s AIT; we are going to come back to this in Part 2 of the Bohdan interview. BUT Bohdan draws the line at phishing SMS, as this leads to serious losses and security issues. Young managers should NOT transport phishing.

Bohdan has been contacted directly by scammers, who are premier sponsors of industry events. There are vastly too many events, even down to a country level. As Robert Vis has said on the TADSummit Podcast, the scammers are on the board of some industry bodies.

Bohdan makes clear some well known wholesalers (gateways) at these events are continuously transporting scams. He then raises the question on why SIM boxes are allowed to continue to exist, and can be bought so easily on Amazon. Carriers generally use drive test and other core solutions for their networks, which are not ideal for catching SIM boxes. While solutions like Wadaro, as shared at TADSummit last month, are effective. Telcos could report vendors for selling SIM boxes in their countries of operations. They could use Wadaro to close down SIM boxes. It’s simply a matter of motivation to protect their customers.

Bohdan also highlights how SIM boxes can be used to mix good and bad traffic. So called ‘optimized routing’ can include 90% zero hop and 10% SIM box. It’s illegal, but it’s become accepted practice. Carriers need to report such activities on their network. They have to act like the network police to protect their customers, as the wholesalers (firewall / gateway providers) have multiple decades of not acting in the best interests of the carriers’ customers (all of us).

The cost of the fraud is tens of billions. But can it be stopped? Johnny is doubtful, and so concludes: live with it. We’ve described in the Honest CPaaS Review the necessary steps and the critical role carriers must play, as we see with BT Group and DT. Others can join their leadership.

Bohdan shared how he is contacted by people from Asia with requests to test routes with sample content and specific sender IDs, to check if the content will be delivered through his routes. It was phishing traffic to banks across many countries. Naturally, Bohdan blocked that traffic.

After that experience he built a firewall that searches for keywords, and used AI to get around scammers’ tricks of using mis-spellings and special characters. We discussed OpenTextShield with Ameed Jamous. There are solutions to limit scammers. It is a game of cat and mouse, but carriers can protect their networks and customers.

Johnny came back to his point: it cannot be stopped. Bohdan, however, believes it can be stopped in the future. Johnny raised that SS7 is broken; Bohdan explained SS7 is only signalling. It should not be used for transport. Use direct routes. Carriers see the problems with SS7 on their dashboards. But enforcement is the issue; again carriers have to take control of their network.

This then brings up the issue of social engineering and human factors. In the limit it’s bribery. Carriers need to trust and educate their people, and enforcement is important. Catch a cheating employee, and it goes to court. Similarly, catch a cheating CPaaS, and fine them under the terms of the contract, like we see with BT Group.

Interestingly, Bohdan thinks the crypto-industry will be one of the drivers for bringing honesty to telecommunications. However, Bohdan sees Africa as under the control of China. So it is a significant threat; again carriers must protect their networks from the rest of the telecoms industry.

In part 2 we’ll delve into AIT and all the shenanigans there, plus the future of SIM/eSIM, hacking QR codes, building huge bot-networks via telecom routes, and infected devices.

FBI and the Cybersecurity and Infrastructure Security Agency Urging Americans to use Encrypted Communications

https://alanquayle.com/2024/12/fbi-and-cisa-urge-use-of-encrypted-communications/

Yep, do not use SMS or PSTN voice. That’s an exceptionally strong statement. One of the reasons the PSTN has become so insecure is that telcos have outsourced so much of their infrastructure to third parties, in some cases foreign-owned businesses with links to China. The PSTN attack surface is vast. It’s a whack-a-mole game to protect it, but with little whacking of the hackers as the third parties point fingers at each other.

Last year we pointed out the risks of TCR (The Campaign Registry) being owned by Tata Communications, https://alanquayle.com/2023/08/the-campaign-registry/. Frederick (“Rick”) Joyce has the highest security clearance because he was Chief Counsel to the Chief Information Officer/Assistant Commandant for C4IT. He did this as an individual, no politics, simply trying to protect his country. The Mobile Ecosystem Forum did a hit job on Rick, https://alanquayle.com/2024/09/industry-fora/, the MEF should be ashamed of themselves given the current hacking events.

Even though I, like you, have become indifferent to all the companies holding my data being hacked, and our personal details exposed yet again on the dark web, scams continue to rise, as covered in The Honest CPaaS Review, https://blog.tadsummit.com/2024/10/26/the-honest-cpaas-review/. The big risk with SMS and PSTN voice is your current actions in real time can be used against you.

For example, Daniel Gill, founder and CEO of Augnet, shared the reality of this real time hacking with #AIT (Artificially Inflated Traffic). https://www.youtube.com/shorts/_eNjkaWZY_Y

The sustained hacking of telecoms is an issue of increasing concern for most US lawmakers, with Senate Intelligence Committee Chair Mark Warner (D-Va.) describing it as the “most serious breach in our history.”

“Unless you are using a specialized app, any one of us and every one of us today is subject to the review by the Chinese Communist government of any cell phone conversation you have with anyone in America,” said Sen. Mike Rounds (R-S.D.), ranking member of the Senate Armed Services Committee’s cyber subcommittee.

This isn’t some recent political firestorm, as some telecom bodies claim. Last year Rick Joyce was pointing this out. Eric J. Troutman also pointed this out when he saw how the MEF and TCR lawyers (Latham Watkins) were attempting to discredit Rick.

I’ve shared the data, the methods, and tens of billions being stolen, https://blog.tadsummit.com/2024/10/26/the-honest-cpaas-review/. I’m pleased to see lawmakers taking the issue seriously.

Remember, the MEF asked its members to ignore my work, and continue to claim I am lying with all this analysis. Shame on them for not focusing on truth and integrity like TADSummit.

My multi-decade history in telecoms stands as a testament to delivering analysis focused on truth and integrity. Take the nonsense with Camara given the failure of OneAPI. I could easily make a few bucks cheerleading Camara. BUT, I remember developers going bankrupt because OneAPI was cancelled with little notice. Telcos have cancelled developer programs multiple times in the past. I’ve pointed out history is being repeated, and not one telecom event has invited me to provide balance on a discussion about network APIs. Banks do not love SIM Swap APIs, Banks think SIM Swap is a telco problem with bribed employees. At what point will the industry hold their Industry Fora to account?

My role has become promoting innovations that work, there are loads of them, but are generally ignored as large vendors can not make big bucks. And providing balance for developers to make an informed decision on the current network API circus.

People, Gossip, and Frivolous Stuff

This is a professional match made in heaven. Sam Machin is now Principal Engineer at Jambonz. I’ve known Sam for over one decade, and he is an invaluable member of the TADS community.

Ashif Dhanani has a new position as Strategic Marketing Advisor at Bessie’s Hope Legacy. I’ve known Ashif since his time at Voxeo over one decade ago.

Robin Hattink is now Strategie & Business Manager (a.i) at APK Group. I’ve known Robin for nearly 2 decades, since his time at KPN.

Jussi Räisänen is now CEO of Docue, a software company that makes the life of SMEs easier by democratising their access to high-quality legal services. I’ve known Jussi for over 1.5 decades, since his time with SEVEN Networks, mobile app provider. Back when mobile apps were really HARD!

Arjun Kamath is now Engineering Manager at Elekta Kaiku. He took part in the first TADHack in 2014, with his now wife, Ella Kaila. The second Nexmo prize went to Arjun Kamath and Ella Kaila with Super Streamer that uses WebRTC to broadcast video, not just peer to peer.

Amandeep Singh is now a Sales Manager at Karix.

Lisa Epstein is now a Senior Communications & Content Strategist, Sports Marketing at Amazon Web Services (AWS). I’ve known Lisa for over one decade, since her time at Elemental, which was bought by AWS.

Dominik Blanckenstein’s new position is COO – Head of Digital & Customer Success at pure11 GmbH.
