Just a couple of weeks ago, Iranian hackers exposed a critical security flaw in the Telegram app that allowed anyone to send anonymous messages to any user, but the bot incident appears to be unrelated.
Sources also claim that the details offered by the bot were actually old (stolen from the MTN Irancell database three years ago) and were initially being sold to advertisers. Nevertheless, the availability of such personal data in the public domain is a huge blow to Iranian users, as it allows cyber criminals to conduct further attacks or scams, including bank fraud and identity theft, leading to personal damage for the users themselves.
An Internet bot, also known as web robot, WWW robot or simply bot, is a software application that runs automated tasks (scripts) over the Internet. Typically, bots perform tasks that are both simple and structurally repetitive, at a much higher rate than would be possible for a human alone. The largest use of bots is in web spidering (web crawler), in which an automated script fetches, analyzes and files information from web servers at many times the speed of a human.
Hackread.com is among the registered trademarks of Gray Dot Media Group Ltd. Company registration number 12903776 in regulation with the United Kingdom Companies House. The registered address is 85 Great Portland Street, London, England, W1W 7LT. The display of third-party trademarks and trade names on the site does not necessarily indicate any affiliation or endorsement of Hackread.com. If you click an affiliate link and buy a product or service, we may be paid a fee by that merchant.
Over the past week, Iran experienced severe mobile network outages, in addition to increased levels of internet censorship. In this report, we share OONI network measurement findings from Iran on the blocking of WhatsApp, Instagram, LinkedIn, Skype, Google Play Store, Apple App Store, and encrypted DNS (DNS over HTTPS). We also share IODA and Cloudflare Radar data on mobile network outages over the last few days.
In addition to the above blocks (and many other long-term blocks), Iran experienced multiple severe outages affecting mobile networks over the past week, which are visible in the IODA, Cloudflare Radar and Kentik datasets.
Since 2012, OONI has developed free and open source software (called OONI Probe) which is designed to measure various forms of internet censorship, including the blocking of websites and apps. Every month, OONI Probe is regularly run by volunteers in around 170 countries (including Iran), and network measurements collected by OONI Probe users are automatically published as open data in real-time.
Anomalous measurements may be indicative of blocking, but false positives can occur. We therefore consider that the likelihood of blocking is greater if the overall volume of anomalous WhatsApp measurements is high in comparison to the overall WhatsApp measurement count (compared on an ASN level within the same date range). We further disaggregate based on the reasons that caused the anomaly (e.g. TCP connection failures towards a set of WhatsApp endpoints) and if they are consistent, they provide a stronger signal of potential blocking.
The above steps are automatically performed from both the local network of the user, and from a control vantage point. If the results from both networks are the same, the tested URL is annotated as accessible. If the results differ, the tested URL is annotated as anomalous, and the type of anomaly is further characterized depending on the reason that caused the failure (for example, if the TCP connection fails, the measurement is annotated as a TCP/IP anomaly).
Each Web Connectivity measurement provides further network information (such as information pertaining to TLS handshakes) that helps with evaluating whether an anomalous measurement presents signs of blocking (or is a false positive). Based on our heuristics, we are able to automatically confirm the blocking of websites if a block page is served, or if DNS resolution returns an IP known to be associated with censorship (and such fingerprints have been added to our database).
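To make the decision procedure above concrete, the following is an added example (not OONI's code, and not the real OONI measurement format) of the same stage-by-stage comparison: the local probe's view of a URL is compared with the control vantage point at the DNS, TCP/IP, TLS and HTTP stages, the first stage where only the local side fails names the anomaly, and a verdict is only marked confirmed when a fingerprint matches (a resolver answer in a known censorship-IP set or a block page marker in the body). The fingerprint values, sample observations and field names are constructed for this example; the same logic applies to a DoH endpoint hostname as to any other URL.

```python
"""Toy version of the Web Connectivity decision procedure.

Added example, not OONI's code. Each Observation is what one vantage point saw
for a URL; the local probe's view is compared stage by stage with the control
vantage point. The record layout, fingerprint values and sample measurements
are constructed for this example and are not OONI's data format or database.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Observation:
    dns_answers: FrozenSet[str]            # IPs returned by the resolver (empty if resolution failed)
    tcp_connect_ok: Optional[bool] = None  # None: never attempted (an earlier stage failed)
    tls_handshake_ok: Optional[bool] = None
    http_status: Optional[int] = None      # None: no HTTP response was received
    body: str = ""


# Constructed fingerprints: an IP a censoring resolver hands back (TEST-NET-1,
# RFC 5737) and a string that appears on the block page it would host.
CENSORSHIP_IPS = frozenset({"192.0.2.10"})
BLOCKPAGE_MARKERS = ("Access to this website is restricted",)


def classify(local: Observation, control: Observation) -> Tuple[str, bool]:
    """Return (verdict, confirmed).

    verdict is one of 'ok', 'down' (both vantage points failed at the same stage),
    or the stage at which only the local side failed: 'dns', 'tcp_ip', 'tls', 'http'.
    confirmed is True only when a fingerprint matched, mirroring the rule that
    blocking is auto-confirmed on a block page or a known censorship IP.
    """
    # 1. Fingerprint checks first: these give a confirmed verdict regardless of the rest.
    if local.dns_answers & CENSORSHIP_IPS:
        return "dns", True
    if any(marker in local.body for marker in BLOCKPAGE_MARKERS):
        return "http", True

    # 2. DNS stage: failure only on the local side, or answers that share no IP with
    #    the control. The latter can be a CDN returning geo-local IPs, so it stays unconfirmed.
    if not local.dns_answers:
        return ("down", False) if not control.dns_answers else ("dns", False)
    if control.dns_answers and local.dns_answers.isdisjoint(control.dns_answers):
        return "dns", False

    # 3. TCP/IP, TLS and HTTP stages: a local failure is anomalous only where the
    #    control side succeeded at the same stage; otherwise the site is just down.
    for stage, local_ok, control_ok in (
        ("tcp_ip", local.tcp_connect_ok, control.tcp_connect_ok),
        ("tls", local.tls_handshake_ok, control.tls_handshake_ok),
        ("http", local.http_status is not None, control.http_status is not None),
    ):
        if local_ok is False:
            return (stage, False) if control_ok else ("down", False)
    return "ok", False


# Constructed sample data: one control observation and several local ones for the same URL.
CONTROL = Observation(frozenset({"203.0.113.5"}), True, True, 200, "<html>welcome</html>")

SAMPLES = {
    "accessible": Observation(frozenset({"203.0.113.5"}), True, True, 200, "<html>welcome</html>"),
    "dns_confirmed": Observation(frozenset({"192.0.2.10"}), True, True, 200,
                                 "<html>Access to this website is restricted</html>"),
    "tcp_anomaly": Observation(frozenset({"203.0.113.5"}), tcp_connect_ok=False),
    "tls_anomaly": Observation(frozenset({"203.0.113.5"}), True, tls_handshake_ok=False),
    "dns_inconsistent": Observation(frozenset({"198.51.100.7"}), True, True, 200, "<html>welcome</html>"),
}


def classify_all(samples=SAMPLES, control=CONTROL):
    """Classify every sample against the control observation."""
    return {name: classify(obs, control) for name, obs in samples.items()}


if __name__ == "__main__":
    for name, (verdict, confirmed) in classify_all().items():
        print(f"{name:18s} -> {verdict:7s} confirmed={confirmed}")
```

Note that the unconfirmed verdicts are exactly the anomalies the report warns may be false positives; only the two fingerprint paths produce a confirmed result.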
Over the past years, Iranian ISPs have blocked websites by serving block pages and by returning IPs associated with censorship (which, for example, used to host block pages). By adding such fingerprints to our database, we have been able to automatically confirm the blocking of numerous websites in Iran. Moreover, the overall OONI measurement coverage in Iran is relatively high (in comparison to many other countries), increasing our confidence in our findings.
As of 20th September 2022 (amid protests following the death of Mahsa Amini), Iran intensified the blocking of encrypted DNS (DoH) services. We previously (in 2020) reported on the blocking of encrypted DNS (DoT) services in Iran, but at the time, we found that they were blocked during the TLS handshake by means of destination-endpoint or SNI based filtering. Now, Iranian ISPs appear to implement the block by means of DNS as well.
In 2020 we reported that DNS over TLS (DoT) was blocked in Iran, following the testing of 31 well-known DoT endpoints on four distinct mobile and fixed-line networks in Iran (Irancell, MCI, TCI, Shatel). At the time, we found that 57% of the tested endpoints were blocked on at least one ISP, and that most blocking was implemented by interfering with the TLS handshake. As part of an expanded study on encrypted DNS blocking (in Iran, China, and Kazakhstan), we found that 50% of tested DoT endpoints were blocked in Iran, while 92% of tested DoH endpoints worked.
In recent months, OONI measurements from the testing of multiple DoH endpoints on several networks in Iran showed signs of TLS based interference. But as of 20th September 2022, we observe a noticeable change in the blocking of domain-based DoH endpoints: we now see both TLS level interference and DNS based tampering.
In other words, we observe a noticeable change in how the blocking of encrypted DNS is implemented in Iran (from 20th September 2022 onwards). Previously, we primarily observed TLS level interference, whereas now, most (tested) ISPs implement DNS based blocking of DoH endpoints as well. We also observe that this block has been expanded to more DoH endpoints, in comparison to previous months.
The availability of some measurements collected using an experimental version of Web Connectivity containing several data quality improvements allows us to further characterize the blocking techniques being employed by the censors. To illustrate that, we focus on doh.dns.apple.com measurements collected on 24th September 2022. The following table classifies these measurements by the number of times we observed specific results for different ASNs:
Each row of the table describes the number of times (indicated as count) in which we observed a given result for an ASN. The #dns column indicates whether we detected DNS blocking. The #tcpip column indicates whether we detected TCP/IP blocking. The #tls column indicates whether we detected blocking during the TLS handshake. The #success column indicates whether at least one of the available IP addresses was reachable (this experimental version of Web Connectivity tries all the available IP addresses and also uses IP addresses obtained from the test helper to detect all the possible forms of censorship that may be applied to a given input URL).
We can therefore conclude from the above table that doh.dns.apple.com was always censored by means of DNS and, in most cases, there was also TCP or TLS based blocking. However, it also indicates how, in a few cases, the censor failed to censor all the available IP addresses for the domain: TLS interference was observed towards some IPs while a fetch still succeeded towards another. If TLS based blocking depended solely on the SNI field, the destination IP would make no difference and every IP would have been blocked, so these results allow us to reject that hypothesis. This can be further explored by inspecting some of these measurements, such as #1, #2, and #3.
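The following is an added example (not OONI's code) that makes the table's columns and the inference drawn from it concrete. It tallies constructed measurement records per ASN in the (dns, tcpip, tls, success) form described above, computes the per-network anomaly ratio and reason consistency used earlier in the report as the signal of blocking, and checks the SNI-only hypothesis. AS197207 is the MCI network named in the report; AS64496 and AS64497 are documentation ASNs, and all counts are made up.

```python
"""Per-ASN tally of experimental Web Connectivity outcomes.

Added example, not OONI's code. Each Record emulates one measurement of one
URL from one network with the four columns the report describes (dns, tcpip,
tls, success). The sample records are constructed: AS197207 is the MCI network
named in the report, AS64496 and AS64497 are documentation ASNs (RFC 5398).
"""
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Record(NamedTuple):
    asn: str
    dns: bool      # resolver answer tampered with
    tcpip: bool    # a TCP connect to one of the IPs failed where the control succeeded
    tls: bool      # a TLS handshake to one of the IPs was interfered with
    success: bool  # at least one IP tried (including helper-supplied ones) was reachable


SAMPLE: List[Record] = [
    # AS197207: DNS always tampered, every IP also blocked at TCP or TLS, nothing reachable
    Record("AS197207", True, False, True, False),
    Record("AS197207", True, False, True, False),
    Record("AS197207", True, True, False, False),
    # AS64496: DNS always tampered, but in one run a helper-supplied IP was reachable
    Record("AS64496", True, False, True, False),
    Record("AS64496", True, False, True, True),
    Record("AS64496", True, False, False, False),
    # AS64497: unblocked apart from one transient TCP failure
    Record("AS64497", False, False, False, True),
    Record("AS64497", False, False, False, True),
    Record("AS64497", False, True, False, False),
]


def tally(records: List[Record]) -> Dict[str, Counter]:
    """Count, per ASN, how often each distinct (dns, tcpip, tls, success) outcome was seen."""
    table: Dict[str, Counter] = defaultdict(Counter)
    for r in records:
        table[r.asn][(r.dns, r.tcpip, r.tls, r.success)] += 1
    return table


def reason(r: Record) -> str:
    """Earliest stage at which interference was observed, or 'none'."""
    for stage in ("dns", "tcpip", "tls"):
        if getattr(r, stage):
            return stage
    return "none"


def blocking_signal(records: List[Record], asn: str) -> Tuple[float, str, float]:
    """(anomaly ratio, dominant reason, share of anomalies with that reason) for one ASN.

    A high ratio whose reasons are consistent is the stronger signal of blocking."""
    rows = [r for r in records if r.asn == asn]
    anomalous = [r for r in rows if reason(r) != "none"]
    ratio = len(anomalous) / len(rows)
    if not anomalous:
        return ratio, "none", 0.0
    dominant, n = Counter(reason(r) for r in anomalous).most_common(1)[0]
    return ratio, dominant, n / len(anomalous)


def always_dns_blocked(records: List[Record], asn: str) -> bool:
    """True when every measurement from the ASN saw DNS tampering."""
    return all(r.dns for r in records if r.asn == asn)


def sni_only_hypothesis_holds(records: List[Record], asn: str) -> bool:
    """If TLS blocking keyed solely on the SNI, the destination IP could not matter,
    so no run could see TLS interference on one IP and a successful fetch on another.
    Any record with tls=True and success=True therefore rejects the hypothesis."""
    return not any(r.tls and r.success for r in records if r.asn == asn)


if __name__ == "__main__":
    for asn, outcomes in tally(SAMPLE).items():
        for (dns, tcpip, tls, ok), count in sorted(outcomes.items()):
            print(f"{asn} count={count} dns={dns} tcpip={tcpip} tls={tls} success={ok}")
        print(f"  signal={blocking_signal(SAMPLE, asn)} always_dns={always_dns_blocked(SAMPLE, asn)} "
              f"sni_only_possible={sni_only_hypothesis_holds(SAMPLE, asn)}")
```

In the constructed data, AS64496 is the case the report describes: DNS tampering on every run, yet one run reached an IP the censor missed, which is enough to rule out purely SNI-keyed TLS blocking on that network.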
OONI data suggests that ISPs in Iran started blocking access to WhatsApp on 21st September 2022. This is visible through the following chart, which aggregates OONI measurement coverage from the testing of WhatsApp on multiple networks in Iran over the past month.
As is evident through the above chart, most WhatsApp measurements started to present a large volume of anomalies from 21st September 2022 onwards, indicating WhatsApp blocking. Beyond the WhatsApp mobile app, we also observe increased blocking of WhatsApp Web (web.whatsapp.com) in Iran from 21st September 2022 onwards.
The above chart shows that in recent months, WhatsApp Web was already blocked on at least MCI (AS197207), but accessible on other tested networks in Iran. As of 21st September 2022, we observe a spike in anomalous measurements, as other ISPs started to block access to web.whatsapp.com as well.
WhatsApp blocking is further suggested by looking at Web Connectivity measurements pertaining to the testing of WhatsApp endpoints during the same date range in Iran, as illustrated through the following chart.
We observe a similar blocking pattern: WhatsApp endpoint measurements were mostly successful until 20th September 2022, but started to present a high ratio of anomalies on the next day. In some of those measurements, we were also able to automatically confirm the blocking of WhatsApp endpoints.
Many ISPs in Iran also started blocking Instagram on 21st September 2022. The following chart, which aggregates OONI measurement coverage from the testing of www.instagram.com on multiple networks in Iran, clearly shows a surge in anomalous measurements in recent days.
From the above chart, we can see that www.instagram.com was already blocked on a few networks in recent months, but accessible on most tested networks in Iran. But as of 21st September 2022, most measurements started to present anomalies (along with a few cases where blocking was automatically confirmed), and the data shows that Instagram was blocked on most tested networks in Iran. The same pattern is also observed when looking at measurements from the testing of other Instagram domains, shared through the chart below.