0

Cyber security experts: BTC network vulnerable

BTC Nassau Headquarters.

BTC Nassau Headquarters.

By YOURI KEMP

Tribune Business Reporter

ykemp@tribunemedia.net

Bahamas-based cyber security experts yesterday argued that the Bahamas Telecommunications Company's (BTC) outdated network equipment left it vulnerable to penetration by malign actors.

Scott MacKenzie, Cloud Carib's managing director, told Tribune Business that it was easy to access BTC’s systems because the carrier, and possibly its immediate parent, Cable and Wireless Communications (CWC), were using legacy networks and equipment that are at least 20 years out-of-date.

Speaking following allegations that Chinese state-owned entities had used BTC's network to spy on US citizens, Mr MacKenzie said: “The issue relating to the SS7 network that China allegedly hacked into is that SS7 is a very, very old protocol that was primarily used in PSTN (Public switched telephone network).

"So moving away from legacy network operator protocols would be important.” He said major telecommunications companies such as AT&T had begun to do this back in 1999-2000, and added: “Those large telecommunications companies started to move away from SS7, more towards SIP (Session Initiation Protocol) based protocols for their telecommunications operator.”

Describing SS7 as an “ancient protocol” for telecommunications providers, Mr McKenzie said it was vulnerable to hacking and other attacks from “bad actors” unless BTC and CWC were constantly upgrading their networks.

BTC, which is 49 percent owned by the Government, earlier this week told Tribune Business in a statement it was "carefully reviewing" claims - first published in the Guardian newspaper in the UK - that state-owned Chinese communications providers had used its systems to conduct surveillance on Americans roaming on their mobile phones in The Bahamas.

Other CWC subsidiaries in the Caribbean, especially Barbados, were also identified as major sources of these alleged breaches which - if true - have huge national security and economic implications for The Bahamas, as well as its ability to safeguard the personal data and civil liberties of both its own citizens and US visitors that make up 85 percent of its tourism market.

The assertion that major security vulnerabilities exist in the Bahamian telecommunications system was based on a report by Gary Miller, a US former mobile network security executive, who was said by the UK Guardian to have "spent years analysing mobile threat intelligence reports, and observations of signalling traffic between foreign and US mobile operators".

Miller and his business, Exigent Media, a cyber threat research firm, have published two reports that detail how BTC's mobile phone system was purportedly used in a "co-ordinated attack" on US cellular phone numbers by Chinese state-owned mobile providers.

The first report, Far from home - active foreign surveillance of US mobile users, argued that international roaming - the practice whereby Bahamians use a foreign carrier's network for communications services overseas, just as Americans use BTC and Aliv's systems when they are in this nation - has enabled "covert foreign surveillance" of mobile users.

It explained that hostile actors can exploit this to send signalling messages to Americans' mobile phones while they are in The Bahamas and other countries without alerting the user. While these SS7 signals can legitimately be used by operators to locate mobile users, connect calls and assess roaming fees, Mr Miller's report argued that they can also be deployed for illicit purposes.

He added that most such intrusions were intended to trace the mobile user's location, but they could also extend to monitoring and covert surveillance once the phone's "network identity" and number are obtained. Such information can be exploited to "purge" a user from their mobile network, and ultimately take over all communications they send and receive.

Mr McKenzie, meanwhile, said SIP allows for more encryption protocols for mobile networks, which makes technology of 20 years ago appear like using telegrams compared to fax machines and keypad telephones.

He added: “But, at the end of the day, it's not just BTC. It's just not those named operators. There are still a lot of legacy telecoms that are using SS7. It's just that companies have to move away from it over time, and there's different ways of protecting it and securing it as well.”

Suggesting that securing the old SS7 technology is “not as simple as flicking a switch”, Mr McKenzie said: “There's architectural planning, and they have to change all of the equipment out and it's not a simple thing.”

Philip Darville, SolveIT Bahamas' managing director, said there is “no such thing as an impenetrable network". He encouraged the Government to look closely at BTC, and said an investigation needs to take place into the Chinese spying allegations.

He added that he found it amusing, however, that the Americans were outraged over China allegedly spying on their citizens when several year ago their government was accused of doing the same thing in The Bahamas through a covert operation called “Operation Mystic".

That relates to claims made in 2014 by National Security Agency (NSA) whistleblower, Edward Snowden, that the US was intercepting almost every mobile call made in The Bahamas via a spying/surveillance initiative called SOMALGET.

BTC, as the then-monopoly provider, said it would investigate the allegations but asserted that "no such activity is ongoing". The then-Christie administration promised to take the matter up with US officials, but the outcome was seemingly inconclusive.

Comments

UN 3 years, 11 months ago

‘Vulnerable to the penetration of malign actors”: Yep, the malign actors are the entire country & others. Eight long years (every thought & plan known by others). The neighbors below try to make it appear that they’re the culprit (stupidly confirming they should be in prison for ‘invasion of privacy’ - in some normal countries that’s a two year term - it’s against the law to care too much about what a stranger who hates you does or says). Yes, Nygard somehow had his way with me but we sweet, creatively stalking ladies won’t leave a woman alone. A nation of anything goes.

Paging Dr. Minnis: please contact the ‘Richest Woman In The Bahamas’. Mailed and emailed a letter back in February and since then things have gotten a lot worse. Shameful how a citizen is being treated. Even criminal acts fall under ‘all a we is one.’ If it doesn’t involve ALL of us, then it’s not a big deal? Many against one is now the norm? I need resolution.

ohdrap4 3 years, 11 months ago

Tal russell is contagious.

John 3 years, 11 months ago

Paul Rolle needs to restrategize his approach to combating crime on the streets. When a young, innocent man cannot walk from his work place to a nearby take-a-wat to buy lunch, without being assaulted, harassed, cussed at by police who point guns at his head and make threats of desth’for one wrong move’ something is very wrong with that Paul Rolle. Disturbingly wrong. These are tactics Racist Smerica, and at one time South Africa used against Black people to deny them if their rights. The nee thing today is a gang of police officers busting into or shooting up sone innocent (Black ) person’s house or apartment, killing them even, then claiming it was a mistake. Why are you following down this path Paul Rolle. Siccing your officers on innocent young men like a pack of untrained, wild dogs. This action is totally counterproductive, especially and demonstrates your force lacks proper policing skills. They are not supposed to be combative against the general public without probable cause. And eventually you , Mr Commissioner, will have to account for the number of young men this type action is destroying. It is a racist tactic of America and not proper policing. Go in Lyford Csy if Old Fort Bsy or Albany and let your officers pull up on and pull automatic weapons in the first person they meet, then survey the consequences. Research your history, Paul Rolle and stop being an Uncle Tom Tom

Sign in to comment