
The recently discussed[1][2] method of hijacking SMS with almost zero effort was an eye opener to me. I had thought it required social engineering my carrier. Nope, just a $15 service.

[1] https://news.ycombinator.com/item?id=26469738

[2] https://lucky225.medium.com/its-time-to-stop-using-sms-for-a...

[3] https://krebsonsecurity.com/2021/03/can-we-stop-pretending-s...

Edit...added [3] above. Apparently, it's a $16 service, not $15: https://sakari.io/pricing/



Indeed!

And if you have access to SS7, you can do it without the middle-man $15 service!

These systems are really designed for use in a world where only trusted actors have any access to the system! That's clearly not true with all these third parties exposing functionality to the general public!

[1] https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet...


> And if you have access to SS7, you can do it without the middle-man $15 service!

This doesn't really seem to make things any worse. Surely it's easier to have $15 than it is to have access to SS7.


Yeah, but say you want to hijack a million accounts. It's easier to have access to SS7 than $15 million.


What's the threat model there?


Installing a backdoor to a piece of equipment that handles SS7, for instance?


No, what is the threat model for the agent who wants to hijack text messages to a million random phones? Why are they doing it?


Off the top of my head:

- Major players are using phone numbers to de-dup people. Use your million phone numbers to bypass such verifications and aggregate more power than intended. You could sell the accounts directly or monetize them individually (e.g., social media like farms, turning cloud free trials into dogecoin, ...).

- Way too many services believe that if you control a phone/email you must be the account holder. Banks, 401k managers, and other critical pieces of infrastructure are more than happy to harvest your phone number for "added security" and proceed to weaken the security on your account by allowing anyone with control of that phone number to hijack the account.

- Unique phone numbers are valuable in their own right. Individual numbers have max message rates and other garbage, but with an army of phone numbers you can, e.g., send out the same scam message to most phone numbers, see who bites, and use that to build a curated list of a hopefully much smaller set of numbers to target with real people.

- If you have any extra information like a plausible contact graph you can use that to impersonate people for viral marketing or something (kind of like how the Marco Polo app texted your entire contact list without your permission). I'm pretty sure permissions are way more locked down than they were when apps used to just use your phone directly, but if you control the phone number and have that contact info then you could pull off a similar marketing trick still today.

- Just snooping on the information is probably valuable. I'm struggling to imagine how you'd monetize it directly (some kind of insider trading?), but 1M person-hours worth of intercepted texts can't be worth <=$0 I don't think.
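The second bullet above (a service treating control of the phone number as proof of identity) is the one that a ported or SIM-swapped number turns directly into an account takeover. The following is an added example, not code from this thread or from any service mentioned in it: it puts an SMS-only account-recovery check beside a hardened one that also requires an enrolled TOTP factor and holds recovery for a cooldown period after the number was recently moved. The `days_since_number_change` signal, the account and request structures, and the sample data are all constructed assumptions for the illustration; the TOTP routine follows RFC 6238 (HMAC-SHA1, 30-second step).

```python
"""SMS-only account recovery beside a hardened variant.

Added illustration, not code from the discussion above. The data
structures, the port/SIM-change signal and the sample values are
constructed for this example.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional, Tuple


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a fixed Unix time, so it is testable."""
    counter = for_time // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


@dataclass
class Account:
    username: str
    sms_code_sent: str            # code the service just texted to the number on file
    totp_secret: Optional[bytes]  # None if the user never enrolled a second factor


@dataclass
class RecoveryRequest:
    username: str
    sms_code: str                 # whatever the requester typed in
    totp_code: Optional[str]
    days_since_number_change: int  # assumed signal: how recently the number was ported/re-SIMed


def weak_recovery(acct: Account, req: RecoveryRequest) -> bool:
    """Whoever can read the SMS owns the account: a ported number is enough."""
    return hmac.compare_digest(acct.sms_code_sent, req.sms_code)


def hardened_recovery(acct: Account, req: RecoveryRequest, now: int,
                      port_cooldown_days: int = 7) -> Tuple[bool, str]:
    """SMS is a delivery channel, not proof of identity.

    Still requires the SMS code, but additionally refuses recovery while the
    number was changed recently and, when a TOTP factor is enrolled, requires
    it too. Returns (allowed, reason).
    """
    if not hmac.compare_digest(acct.sms_code_sent, req.sms_code):
        return False, "sms code mismatch"
    if req.days_since_number_change < port_cooldown_days:
        # A fresh port or SIM swap is exactly the attacker's situation; hold and notify.
        return False, "number changed recently; recovery held for review"
    if acct.totp_secret is not None:
        if req.totp_code is None or not hmac.compare_digest(totp(acct.totp_secret, now), req.totp_code):
            return False, "second factor required"
    return True, "ok"


# Constructed sample: the attacker has just ported the victim's number and
# therefore receives the recovery SMS; the legitimate user also has TOTP.
SECRET = b"12345678901234567890"   # RFC 6238 test secret, used only as sample data
NOW = 59                            # RFC 6238 test time; totp() gives "287082" here
VICTIM = Account("alice", sms_code_sent="482913", totp_secret=SECRET)
ATTACKER = RecoveryRequest("alice", sms_code="482913", totp_code=None, days_since_number_change=0)
OWNER = RecoveryRequest("alice", sms_code="482913", totp_code=totp(SECRET, NOW), days_since_number_change=400)


def demo() -> dict:
    """Run both policies against both requesters."""
    return {
        "weak_attacker": weak_recovery(VICTIM, ATTACKER),
        "hardened_attacker": hardened_recovery(VICTIM, ATTACKER, NOW),
        "weak_owner": weak_recovery(VICTIM, OWNER),
        "hardened_owner": hardened_recovery(VICTIM, OWNER, NOW),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The SMS-only check passes for the attacker the moment the port completes, which is the failure mode the bullet describes. The hardened check uses the SMS code only as one input and would still reject the same request on the cooldown alone, even for an account with no TOTP enrolled.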


> Banks, 401k managers, and other critical pieces of infrastructure are more than happy to harvest your phone number for "added security" and proceed to weaken the security on your account by allowing anyone with control of that phone number to hijack the account.

This is a targeted attack.

> Individual numbers have max message rates and other garbage, but with an army of phone numbers you can, e.g., send out the same scam message to most phone numbers

As I read this, it involves sending messages from random numbers, not reading messages that get sent to random numbers?

> I'm struggling to imagine how you'd monetize it directly (some kind of insider trading?), but 1M person-hours worth of intercepted texts can't be worth <=$0 I don't think.

Data can easily be worthless if it takes effort to process and doesn't produce much value. This is a common case; "if the data exists, it must be valuable" is not a particularly strong argument.

Insider trading doesn't really work, since by hypothesis you have no idea who the people are whose messages you're reading. (If you know, then you're performing a targeted attack.) There's no "inside" as far as you're concerned.


> This is a targeted attack.

Kind of. If you have a dump of email/phone combos lying around then it's just a dragnet operation against vulnerable institutions.

If you're pointing out that you said "random" phone numbers, I think it's worth mentioning that the techniques mentioned in this thread can let you target your favorite million numbers, but even just having a pool of random numbers is still valuable -- for any account you want to compromise you have a 1/10k chance of controlling the number needed. That's an annoying cost but not prohibitive even for accounts only worth pennies on average.

> As I read this, it involves sending messages from random numbers, not reading messages that get sent to random numbers?

Send and receive (since you need to know which people would respond to obvious scams). As I say that though, I don't think there's much if any benefit over the other SMS spoofing scams which just use a link as the payload.

> "if the data exists, it must be valuable" is not a particularly strong argument.

True, but that wasn't _quite_ the implied argument. People mostly view phones as private, and in 1M person hours you're likely to capture admissions of crimes, cheating, and all kinds of things. If for no other reason than pure blackmail those should have value to an adversary; the question at hand is more about how much value exists and how hard it will be to find and exploit. Private comms are qualitatively different from, e.g., the twitter firehose.

> Insider trading doesn't really work, since by hypothesis you have no idea who the people are whose messages you're reading.

I don't think that's actually a requirement. If somebody confidently asserts they're personally doing [important thing] tomorrow (as opposed to you just sniffing a text saying they think doge is going up) then that can be a strong signal that [important thing] is going to happen. Since most texts probably aren't actionable on the stock market, you probably won't get many such signals, so you can probably afford to actually look up the owners for any matches you get to double-check your hunches.

I still don't think that'd be super easy to turn a feed of texts into insider trading (some ballpark math suggests you might not get much if any actionable intelligence in a reasonable period of time even if you could sift through it), hence my lack of confidence when I proposed it, but there aren't any fundamental barriers that would prevent texts from a pool of randomly selected numbers from being indicative of stock movements.


You could become employed at the company, or break in or compromise one of the employees, to get access to the messages from valuable targets.


Right, but $15 a piece makes it only worth it for targeted attacks. Even if it's harder or more expensive to get access to SS7, it might become economical to attempt MITM on a larger target base once you do.


And how to get that?


It's not a publicly facing service that's on offer, but some smaller telcos and sketchy VoIP providers with legacy access often re-sell it.

There's some good CCC talks on the subject if it's of interest.


The funny part about that is the $15 hijack service was predicated on the flimsy legal fig leaf of somebody writing in an ink signature on a piece of paper and scanning it to port a number (term is an LOA, letter of authorization), same as I have to do when I port a bunch of DIDs between voip providers.

Literally anyone with a printer and a pen can forge any signature and have a fairly high degree of success in the porting process.

