Podcast

Root Causes 463: Cellular Networks Are Insecure

Hosted by Tim Callan, Chief Compliance Officer
Original broadcast date: February 3, 2025

In this episode we explain that all cellular networks, contrary to popular belief, are fundamentally insecure.

Podcast Transcript

Lightly edited for flow and brevity.
Tim Callan: Jason, we are here in Toronto doing Toronto Sessions 2.0. We're having a great session. And in prep for this, one of the topics you put on your list yesterday really got my attention, which was essentially - let's see if I'll do this justice. All cellular networks are fundamentally insecure.
Jason Soroko: Let's talk a lot more about that, and some of the implications. There are a few stories blended into this.

So you and I sometimes have episodes that are kind of pivotal, where we make big declarations. Deep fakes. You can't trust anything you see. That has implications for biometric authentication. Sometimes, some of these pronouncements may have big waves. And Tim, I think you're probably not much different than me in that you didn't trust Wi-Fi access points for hotels, coffee shops, airports, and we live in those things.
Tim Callan: At no time in the last 20 years.
Jason Soroko: You and I live in those places constantly throughout the year. In the back of our minds, maybe the front of our minds, we thought of our cellular data networks as being a different class of network. I'm declaring right here with you, Tim, that you now need to add your cellular data network, your 5G or 4G, your LTE, whatever you're connected to. You need to think about it the same as being in a coffee shop or hotel or an airport.
Tim Callan: So let me paraphrase this and make sure I'm getting you right. You're saying when I sit on my phone and I do data -
Jason Soroko: You're not on Wi-Fi. You're on the cellular data network.
Tim Callan: I'm not on Wi-Fi. I'm using the cellular network. I have to be every bit as cautious as I do when I'm connecting to an uncontrolled Wi-Fi point.
Jason Soroko: Yes, because when you're in a coffee shop, you have to make the assumption everything's being recorded.
Tim Callan: It's all in the DMZ. It's all moving through utterly malicious territory.
Jason Soroko: The way to really put language around it that's easy to understand is: anything that's not encrypted, anything that's in the clear, is 100% available to the adversary. Same now with cellular data networks. That's very important.
Tim Callan: I think a lot of people unthinkingly assume that if it's inside of, for want of a better word, I'll say, this tunnel inside the cellular network, that they are maybe not immune, but at least considerably shielded from the threats that we get on the open internet.
Jason Soroko: It's a different class of network, isn't it? Well, Salt Typhoon, which I will let you all do the research on. I'm not going to talk about nation state attribution, but what I will say is this: you must assume every carrier, the people you get your ISP from at home, for your network, the people that you pay money to for your cellular network, they are hosed. They've been popped. All their boxes have implants that are being lit. You have to now assume that.
Tim Callan: So we have to assume, you're saying, that very sophisticated, advanced persistent threats are entirely inside of all of these networks.
Jason Soroko: It is now time to make that assumption. So Tim, you, probably not unlike me at all, you turn on your VPN, for example, when you're at the coffee shop. You connect to your Wi-Fi, you open up your VPN, and you proceed on your merry way, knowing that the VPN is protecting you across that network. Now, obviously there's a point, a demarcation point where the VPN is, where you have to trust that too, and maybe you should. Maybe you shouldn't. Different conversation.
Tim Callan: Or at least you are radically mitigating your risk.
Jason Soroko: At least you are encrypting across that absolutely un-trustable Wi-Fi access point. You're depending on them for Wi-Fi. You do not want to depend on them for anything trustable. Guess what? Same thing now on your cellular data network.
Tim Callan: So I should be VPNing on my phone?
Jason Soroko: My phone right now is on a cellular data network, and I have VPN running right now.
Tim Callan: That was gonna be my next question. I was gonna say, so what do I do about this?
Jason Soroko: What you do about it is this.

Number one, I need you to think very hard about your messaging systems. Because there's a mix of messaging systems in the world. SMS - that was always hosed. That was always in the clear. But back in the day, you could kind of consider a cellular data network better than a Wi-Fi access point out at a coffee shop. Nobody thought about it too, too much. If you went to Black Hat and you went to DEF CON, and you got to see the big boards where people's SMS messages in the room were being captured by a femtocell, it was fun to text your friend and see it on the screen. It was just proof that everything was in the clear. Well, SMS is quickly becoming deprecated for not just authentication. I remember the Wild West days when there were actually security architects who should have known better, but were using SMS as a second form of authentication. Basically, 2FA.
Tim Callan: They still are.
Jason Soroko: Deprecated by NIST. That's another story. What I'm saying to people is this - if you're using Apple iMessage to another Apple iMessage person, that's end-to-end encrypted. If you are using Google RCS, from one Google user to the next.
Tim Callan: One Android to another. That's end-to-end encrypted. Sure.
Jason Soroko: Here's the big problem. I'm not going to accuse Google of anything, because I'll let other people do that. Google had a really good intention, which is, hey, let's get RCS across everyone, because there was kind of a joke amongst people, and a lot of you might have heard about it, which is if you're an Apple iPhone user, your SMS friends showed up as a green bubble. It was kind of like less functionality. I can't do anything with that person, and the one person in the group chat who had the green bubble was the problem child. That's that. Well, if you're going Google RCS to iPhone RCS, you are not end-to-end encrypted. I'll tell you exactly why. I'll tell you exactly what it is. It's because RCS is carrier-based. Therefore, Google doesn't own the ecosystem. Apple doesn't own the ecosystem. The carriers do. The carriers did not set up E2EE between those two people on disparate mobile operating systems.
Tim Callan: So if I go across carriers, but I'm still Android to Android, I am end-to-end encrypted. But as soon as I jump OSs, that's when I lose it?
Jason Soroko: Because you are now crossing a telco demarcation point. So Rich Communication Services, RCS, is really only end-to-end encrypted if you're only talking to Google customers.
Tim Callan: That's problematic because for very few of the people that I communicate with on the phone do I know what mobile operating system they have. I know for some of my close friends and family, and other than that, I don't know.
Jason Soroko: In fact, I even happen to know some of the people personally who were responsible for getting the carriers to all kind of have everything really well integrated. So you didn't have to care with SMS back in the day, but now we're dealing with, oh God, we have to care again. Nobody knows about these things.
Tim Callan: Nobody knows this.
Jason Soroko: So let's back up. Jay, you're scaremongering. I can't believe the carriers would do this to us. Maybe you believe the FBI.
Tim Callan: Let me rephrase this and then you respond. Jay, aren't you talking about a very esoteric corner case? Do we really need to be concerned about this? Go ahead.
Jason Soroko: Not just the FBI, the FBI along with the Five Eyes. In other words, the five western nations who collaborate on intelligence wrote an extremely detailed - Jason Soroko gets into the weeds a lot. I am guilty. Trust me, the FBI got into extreme weeds for very good reason, because what I'm talking about is incredibly real, and for the first time I think I've ever seen in my career, Tim, the FBI called for us to go to end-to-end encrypted communication platforms and avoid RCS.
Tim Callan: So this, I mean, let us not understate the significance of this. The fact that the FBI, instead of licking their lips and saying, oh, goody -
Jason Soroko: Everything's in the clear now.
Tim Callan: Lots of intel. I'm going to go collect it all and stay as quiet about this as I conceivably can. Instead, they decided that the threat to the United States and its citizens and its allies was sufficiently large that they were prepared to forego that opportunity for the sake of preventing foreign attackers from doing the same thing. That's a big statement, because these guys love their secret intel.
Jason Soroko: I remember once hearing an FBI officer speak at a conference. I guess he was allowed to say certain things. He said, hey, one of our operational procedures is once a bad guy has rented a car, we always double check to see whether or not that person has paired their Bluetooth and made the mistake of allowing their contacts to be loaded into the car. We just go into the car with a stick and download all that person's contacts. We just get all the contacts, and the FBI is like, you make it so easy for us. Of course, imagine if the FBI never would have said anything about it. If Five Eyes would have just been quiet, they would have had unlimited ability to have in-the-clear data for so many people who are just simply doing Android to Apple communication.
Tim Callan: So this is where I was going with this. This shows you how bad it must be.
Jason Soroko: Yes. It is that bad. So for those of you who are on iMessage, and you heard Tim Cook's explanation about privacy and he gave these great messages about, if you're on an Apple system, you're secure. You're an Android user, and you listen to Google: we are absolutely behind end-to-end encryption, and we're going to push RCS across into Apple. You heard all these things, and you're like, thank God. I don't gotta think about this anymore, because I don't have to listen to that guy, Jason Soroko; he doesn't scare me. I'm not here to scare you. I'm here to tell you, treat your daily cellular data network like a coffee shop.
Tim Callan: So the VPN thing I got. The other thing is there are end-to-end communication platforms that are multiplatform.
Jason Soroko: There are.
Tim Callan: Telegram.
Jason Soroko: This is precisely what the FBI was telling people to do. Which was go to WhatsApp, which is essentially using Signal, is my understanding. The Signal app itself is available, and they were saying, go use that. The question is, is this the death of RCS?
Tim Callan: Interesting. I mean, one wonders if that bridge problem can be fixed.
Jason Soroko: No less smart people than the people at Google are probably thinking about it. I'm sure there's some heartburn over there, but if anybody could figure it out, it would be them. Stay tuned.
