| ▲ | dlenski 16 hours ago |
| From their "Features" drop-down: > Minimal Data Collection > Identifier Rotation > Secondary Numbers > Disappearing Call Logs > SIM Swap Protection > Network Lock > Encrypted Voicemail > Private Payment > Last-Mile Encrypted Texting > Secure Global Roaming "Identifier (IMSI) Rotation", "Secure Global Roaming" and "Network Lock" do look interesting *IF* they can actually address some of the baseband vulnerabilities that plague all modern devices. That's a Big If. SIM Swap Protection you already get by using a VoIP number rather than a cell number. And the other features are irrelevant if you're using over-the-top end-to-end encrypted messaging, like Signal, rather than Plain Old Telephone Service and SMS. |
|
| ▲ | gruez 15 hours ago | parent | next [-] |
| >do look interesting IF they can actually address some of the baseband vulnerabilities that plague all modern devices. That's a Big If. Baseband vulnerabilities are overhyped, imo. On proper phones (eg. pixels), their access to memory is restricted by IOMMU, which protects the rest of the phone from being compromised if there's some sort of an exploit. Once that's factored in, most exploits you can think of are "on the other side of the airtight hatchway[1]". For instance if you can hack the baseband to steal traffic, you should probably be more worried about your carrier being hacked or getting a lawful intercept order. Or if you're worried about the phone triangulating itself, you should probably be more worried about your carrier getting hacked and/or selling your location data. [1] https://devblogs.microsoft.com/oldnewthing/20060508-22/?p=31... |
| |
| ▲ | dlenski 7 hours ago | parent | next [-] | | > Baseband vulnerabilities are overhyped, imo. On proper phones (eg. pixels), their access to memory is restricted by IOMMU, which protects the rest of the phone from being compromised if there's some sort of an exploit. Doesn't Google require all new Android-branded devices to isolate the baseband from the Android OS and applications? I swear I read this somewhere in the last few years, though I can't seem to find any clear reference to it now. Hmmm. > For instance if you can hack the baseband to steal traffic, you should probably be more worried about your carrier being hacked or getting a lawful intercept order. Everything should use TLS/DTLS/QUIC, and an up-to-date PKI for obligatory certificate validation, otherwise I assume it's already being MITM'd by the NSA, every other three letter agency on the planet, corporate firewalls, and my ISP. | |
| ▲ | rl3 13 hours ago | parent | prev [-] | | Baseband vulnerabilities are overhyped, imo. On proper phones (eg. pixels), their access to memory is restricted by IOMMU, ... That just kicks the can down the road to "Why should we fully trust the IOMMU?" Granted, it does defend against the vast majority of actors. | | |
| ▲ | fc417fc802 12 hours ago | parent [-] | | ... because that's literally the IOMMU's job? Why should we trust the TPM or the CPU or a YubiKey or anything, really? I don't completely trust any of it but to get anything done you have to trust something at some point. | | |
| ▲ | rl3 7 hours ago | parent [-] | | >Why should we trust the TPM or the CPU or a YubiKey or anything, really? You raise a good point. |
|
|
|
|
| ▲ | 0xWTF 15 hours ago | parent | prev | next [-] |
| They built their own mobile core, does that help with resolving your "Big If"? I'm not a cellular guy, I don't know which pieces of the stack cover which attack vectors: I'm genuinely asking. Also, the 50 foreign countries seems interesting. |
| |
| ▲ | wil421 14 hours ago | parent [-] | | Do they own the enodeBs or the RAN? How many hops does it take to get to their core? Not sure how MVNO works maybe they have encrypted VLANs to their systems. Not a RAN guy. | | |
| ▲ | alek-cape 12 hours ago | parent [-] | | We don't own eNodeBs/gNodeBs (the RAN). We operate as an MVNO. It is worth calling out that we operate as a full MVNO though, which is different from many MVNOs in the US currently, who tend to fall on the lighter end of the MVNO spectrum. The primary difference is we run our own mobile core entirely. Can you elaborate on the hops question? Not sure I quite understand what you're asking since there are a few ways to interpret "hops". |
|
|
|
| ▲ | qingcharles 14 hours ago | parent | prev | next [-] |
| Are there solid VoIP providers that aren't detected by 2FA SMS services? I can't use my Google Voice for a decent chunk of sign-ups because it is detected (and rejected) too easily. I hate getting spam, so I try to keep my primary phone number only for friends and family. |
| |
| ▲ | fc417fc802 12 hours ago | parent | next [-] | | Serious question, what services are you using that this isn't a deal breaker for you? And why isn't it? Most services either don't have a legitimate interest in my phone number (so they can get bent) or they do have a legitimate interest in which case not accepting my phone number means they aren't doing their #$&^ job (so they can get bent). It helps that the only services I'm willing to provide my phone number to are those that already inherently involve my PII. Banks, online shopping, etc. So if they won't accept whatever I give them I'll take my business to a competitor. | |
| ▲ | dlenski 9 hours ago | parent | prev | next [-] | | I've used my Google Voice number as my primary number for ~15 years at this point. (I use my "real" phone number so little that I have trouble remembering it.) I've had almost no problems using my GV number for 2FA. Venmo is literally the only service I've ever used that won't accept it for 2FA… and now Venmo offers non-SMS based alternatives, which is good because SMS-based 2FA is the reason that the SIM-swap attack is worth doing. List of services that allow Google Voice for 2FA: https://www.reddit.com/r/Googlevoice/comments/1c571kw/crowds... | |
| ▲ | gruez 14 hours ago | parent | prev | next [-] | | Use sms verification services that spammers use. They're implemented by using banks of sim cards placed in some apartment somewhere, so it's as "real" as it can get. https://cotsi.org/methodology | |
| ▲ | busko 14 hours ago | parent | prev | next [-] | | Objectively, it gets even worse in regions where Google voice isn't available. The only options seem to be online SMS portals where a relatively small set of numbers are shared across many users. If anyone knows of a good, secure VoIP provider outside of the US I'd be keen to hear about it. | | |
| ▲ | upofadown 3 hours ago | parent | next [-] | | Jmp.chat is the same sort of the same thing as Google voice and is allegedly based in Canada. It has the bonus feature of using standard XMPP clients. | |
| ▲ | dlenski 9 hours ago | parent | prev [-] | | VoIP.ms works great in both the US and Canada. (I believe it started here in Canada.) Also, many Canadian financial institutions (including the CRA, Wealthsimple, and BMO) work fine with US phone numbers for 2FA… including Google Voice, in my personal experience. https://www.reddit.com/r/Googlevoice/comments/1c571kw |
| |
| ▲ | rsync 11 hours ago | parent | prev | next [-] | | 2FA mule. https://kozubik.com/items/2famule/ | |
| ▲ | inigyou 5 hours ago | parent | prev [-] | | [dead] |
|
|
| ▲ | bryancoxwell 15 hours ago | parent | prev [-] |
| Not sure what IMSI rotation has to do with baseband vulnerabilities? |
| |
| ▲ | dlenski 9 hours ago | parent [-] | | It stymies attempts to track mobile devices over multi-day periods using their IMSIs. Trackability is definitely a vulnerability. | | |
|
