Lone Packet Crashes Telco Networks

mask.of.sanity writes "A penetration tester has shown that GSM communications systems can be taken down with a handful of malformed packets. The weakness was in the lack of security around the Home Location Register server clusters which store GSM subscriber details as part of the global SS7 network. A single packet, sent from within any network including femtocells, took down one of the clusters for two minutes."

The RF portion of the standards is well designed

[exabrial]

The RF portion of the standards is well designed (take LTE with orthogonal multiplexing for example). However, the systems and switching part is waaay to complex. Telco providers are buried under mountains of technical debt... Even the systems part of LTE is complex: the American implementations from Sprint and Verizon are not be compatible because they cherry picked what parts they felt like implementing.

Re:Hardly surprising...

[Gerald]

The barrier for GSM is getting lower every day [osmocom.org] so it wouldn't surprise me if bugs like this start showing up more often.

Sometimes you don't even need a malformed packet

[Anonymous Coward]

When I was testing a broadband access server at my first job, I've seen a case ping with explicitly specified packet size of 0 caused a divByZeroException on the receiving end. I couldn't resist reporting this bug in person to see the reaction on the developper's face. It was priceless. =)
Someone else had also found a TFTP packet of death, when broadcasted all boxes under test crashed.
Now when you factor in maliciously malformed packets, it doesn't surprise me these things happen at all.

Re:Hardly surprising...

[camperdave]

Security is a presentation layer issue. SMTP, HTTP and TCP are not session layer protocols, and have no business worrying about security.

Re:Hardly surprising...

[camperdave]

You need a few thousand dollars (this may have come down slightly) of specialised equipment to do the attack.

Specialized equipment? You can probably do it with a cheap Android cell phone and some warez.

Remember the Ping-O-Death

[xmas2003]

Us old farts will remember something similar called the Ping-O-Death! ;-) [wikipedia.org]

Re:Hardly surprising...

[queazocotal]

In essentially all android and other phones, the 'modem' runs on a seperate processor, running its own OS, signed.
'owning' the base android phone does nothing.
You need to separately crack the modem. (unlocking is not cracking).
The modem in most phones is basically a hayes-compatible modem, with a wierd interface soldered onto the board.
The only interfaces the android side has to it is 'AT' commands.
It can't inject raw packets, or ...