Lone Packet Crashes Telco Networks
mask.of.sanity writes "A penetration tester has shown that GSM communications systems can be taken down with a handful of malformed packets. The weakness was in the lack of security around the Home Location Register server clusters which store GSM subscriber details as part of the global SS7 network. A single packet, sent from within any network including femtocells, took down one of the clusters for two minutes."
The RF portion of the standards is well designed (Score:5, Interesting)
Re:Hardly surprising... (Score:5, Interesting)
The barrier for GSM is getting lower every day [osmocom.org] so it wouldn't surprise me if bugs like this start showing up more often.
Sometimes you don't even need a malformed packet (Score:4, Interesting)
When I was testing a broadband access server at my first job, I saw a case where a ping with an explicitly specified packet size of 0 caused a divByZeroException on the receiving end. I couldn't resist reporting this bug in person to see the reaction on the developer's face. It was priceless. =)
Someone else had also found a TFTP packet of death; when broadcast, all boxes under test crashed.
Now when you factor in maliciously malformed packets, it doesn't surprise me these things happen at all.
Re:Hardly surprising... (Score:5, Interesting)
Re:Hardly surprising... (Score:3, Interesting)
You need a few thousand dollars (this may have come down slightly) of specialised equipment to do the attack.
Specialized equipment? You can probably do it with a cheap Android cell phone and some warez.
Remember the Ping-O-Death (Score:4, Interesting)
Re:Hardly surprising... (Score:5, Interesting)
In essentially all Android and other phones, the 'modem' runs on a separate processor, running its own OS, signed. ...
'Owning' the base Android phone does nothing.
You need to separately crack the modem. (unlocking is not cracking).
The modem in most phones is basically a Hayes-compatible modem, with a weird interface soldered onto the board.
The only interface the Android side has to it is 'AT' commands.
It can't inject raw packets, or