Telco Networks Open to Attack?
Cally writes: "This post to NANOG summarises Dave Henderson's paper (.ppt: HTML in Google cache, grep for 'Now Really Public') from the Internetwork Interoperability Test Coordination Committee, about the state of security in the public switched (telephone) network: wide open and "very fragile with a tremendous number of vulnerabilities". Apparently, there's $12b in fraud per year, growing interest from blackhat groups, and more, better, intruder tools. We often hear talk of "information warfare attacks that could result in the draining of bank reserves and the cutting off of power sources" from budget-and-PR hungry, but clue-light, politicians and wonks these days. When an experienced engineer uses such language, it's more worrying." We've also had submissions of this AP article speculating about viruses hitting mobile phones.
http://www.atis.org/pub/iitc/ntc/ntc24.doc
This seems to contain the same information in what I found to be a tad easier-to-read form, although it is in Word format, so it may not be for everyone.
The article URL is http://www.cnn.com/2002/TECH/03/08/cebit.preview/index.html. I don't know what happened to the HTML in my first post. No, I did not mean "first post"!
I helped build one of the world's largest VoIP companies and I know a few things about the telephony networks as a result. And from what I read, the article is mostly wrong. You can't just interconnect without a carrier knowing who you are, even with SS7. You need to have work orders generated, physical connections involved; even in VoIP you need to set up CICs and point codes, testing of the connection.
Also, if anything, the decentralization of the telephone networks has made them absolutely stronger as a reliable means of transport in times of failure now. It works on the same principle in effect as the internet, where you can reach a destination via many different hops.
For example, in the old days if you wanted to call London, your call went across AT&T and that was that. Now with 5-10 serious international carriers, if even 3 or 4 of the carriers have a facility outage for whatever reason (rare as it is) they can re-route calls to alternate carriers, whereas before they would not be able to do that.
What he seems to fail to mention is that within 10-15 years traditional telephone networks will be a thing of the past and phone service will be relegated to just being another service provided through one of a number of broadband pipes (fiber to your house, G3, G4, G-whatever wireless networks that come next), and the whole concept of a telco will change to the point where companies will serve merely as a giant switching operation and "enhanced services" with almost zero physical infrastructure, which will also result in the fast drop of telephone pricing as infrastructure costs drop dramatically.
Some 7am blurred tired thoughts.. hope that was coherent enough.
This guy has been following that story since it first hit, and if you follow all the links in that article you'll find out a lot more than might be good for your sanity.
It's not one Israeli company, but two, Amdocs Ltd. and Comverse Infosys. Between the two of them they don't just handle all the billing but also play crucial roles in law enforcement wiretaps. The amount of damage some random joe can do with a good exploit is really pretty minor compared to the damage that can result when crucial infrastructure is under control of a foreign government - even if it's a government which is usually an ally.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
The entire infrastructure is carried on SONET equipment. (That's Synchronous Optical Network, and if you didn't know that, you should read up on it, it's neat stuff.) Being synchronous, this stuff royally shits if there's something wrong with the timing.
Way back when T-carrier was first deployed, Bell realized this and set up a nationwide synchronization distribution. I think the master clock was in Kansas City. Anyway, the sync signal was distributed over wireline circuits to every central office in the country. Maybe Canada too?
However, most interoffice links are fiber now, the same SONET rings that depend on such precise synchronization. Ring-timing is awkward, and without very careful planning, sync loops can form. (Long story, look it up. The short version is that when a SONET system loses sync, it doesn't carry traffic.)
The modern concept is called BITS, or Building Integrated Timing Supply. Each office has a sync signal source, driven by an LPR (local primary reference) oscillator, which is in turn frequency-locked to a reference signal derived from GPS satellite signals.
Yes, that's right, the whole telephone network will fall apart if the Global Positioning System stops transmitting. Depending on the stratum class of the LPR, it might be able to "hold over" for a couple days, maintaining an accurate timing signal in the absence of an upstream reference. They will eventually drift, and most offices only have stratum-3 units anyway.
The network is so poorly planned in the first place, most transport engineers haven't got a clue about ring timing and such. They just hook each terminal to the BITS clock and hope it works, which it does, until something happens to the BITS clock. If all the BITSes in the network started drifting from one another, the system would slowly fail over a few days, as timing slips exceeded the tolerances of the various systems.
If such a thing were to happen, don't bet on the ability to patch things up quickly. Recordkeeping is horrible, and even if it weren't, it would be a daunting task to spontaneously set up a new sync distribution network independent of GPS.
I've heard on good authority that you wouldn't even need to take out the satellites themselves. A couple of properly placed nuclear detonations could screw up the somethingsphere such that GPS signal propagation would suffer. Any physicists care to clarify?
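An added example, not from the thread, that puts numbers on the holdover argument in the comment above: how many DS1 frame slips BITS-timed offices accumulate once their GPS reference is gone. The stratum holdover figures and the 125 µs-per-slip convention are my assumptions, approximated from the ANSI T1.101 stratum limits, not values from the page.

```python
# Added example, not from the thread: how fast BITS-timed offices slip once their
# GPS reference is gone and the LPR oscillators run in holdover. The stratum
# figures are my assumptions, approximated from the ANSI T1.101 holdover limits.
from dataclasses import dataclass

DS1_FRAME_S = 125e-6  # one DS1 frame (193 bits at 1.544 Mb/s); one frame of phase error = one slip


@dataclass(frozen=True)
class HoldoverClock:
    name: str
    initial_offset: float  # fractional frequency error at the moment the reference is lost
    drift_per_day: float   # extra fractional frequency error accumulated per day of holdover

    def phase_error_s(self, hours: float) -> float:
        """Time error after `hours` in holdover: the integral of a linearly growing frequency error."""
        t = hours * 3600.0
        aging = self.drift_per_day / 86400.0  # rate of change of the offset, per second
        return self.initial_offset * t + 0.5 * aging * t * t


# Assumed holdover behaviour (approximate, constructed for this example):
# a stratum 2 unit is parked on its last locked value and only ages; a stratum 3
# unit starts holdover with an offset sized so that it slips about 255 frames/day.
STRATUM_2 = HoldoverClock("stratum 2", initial_offset=0.0, drift_per_day=1e-10)
STRATUM_3 = HoldoverClock("stratum 3", initial_offset=3.7e-7, drift_per_day=0.0)


def slips_vs_reference(clock: HoldoverClock, hours: float) -> int:
    """Frame slips of one holdover office against the rest of the network, still on GPS."""
    return int(clock.phase_error_s(hours) / DS1_FRAME_S)


def relative_slips(a: HoldoverClock, b: HoldoverClock, hours: float) -> int:
    """Worst-case slips between two holdover islands whose clocks wander in opposite directions."""
    return int((a.phase_error_s(hours) + b.phase_error_s(hours)) / DS1_FRAME_S)


def hours_until_slips(a: HoldoverClock, b: HoldoverClock, threshold: int,
                      step_hours: float = 1.0, max_hours: float = 24 * 30):
    """First hour (on a step_hours grid) at which the two islands have slipped `threshold` frames."""
    h = 0.0
    while h <= max_hours:
        if relative_slips(a, b, h) >= threshold:
            return h
        h += step_hours
    return None  # the pair never reaches the threshold within max_hours


if __name__ == "__main__":
    for clock in (STRATUM_2, STRATUM_3):
        print(clock.name, [slips_vs_reference(clock, 24 * d) for d in (1, 2, 5)], "slips after 1/2/5 days")
    print("two stratum-3 islands reach 100 slips after", hours_until_slips(STRATUM_3, STRATUM_3, 100), "h")
```

Under these assumptions a stratum-3-only office is slipping hundreds of frames a day almost immediately, while a stratum 2 unit stays within a handful of slips for weeks, which is the difference the comment's "most offices only have stratum-3 units" remark turns on.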
Wow, "Myself", that's probably the most intelligent response I've read so far! And for what it's worth, I totally agree, and people need to make an effort to understand the difference between a "data switch" and a "voice switch"!
:)
Simple fact - 99.9% of basic wired telco infrastructure is completely IP "unaware". In other words, no IP address, doesn't have a clue what TCP/IP is, nor does it care. Granted, the new wireless technologies are more/heavily IP based, but that's a different matter - wireless services always have been, and likely always will be many orders of magnitude more vulnerable to abuse/attack purely because of the uncontrolled nature of the transmission medium (without wires, hence wireless). But I digress...
Of the equipment that does have an IP address, 99.9% of it is privately addressed or firewalled or simply not physically or logically connected to another network.
The only way to "DoS" a switch is to use up the DS0's on its switching backplane (or whatever, the terminology varies). Even on a tiny switch (5ESS VCDX, etc), this can be multiple hundreds of simultaneous calls.
Then what happens you ask? Simple really, no dial tone to the customer. Your phone doesn't explode, melt down, or otherwise. Nor does the switch "crash". Would it be easily detectable? Without doubt. Would the phone company know where it was coming from or what was causing it? Sure they would.
And, to add to this, most people don't have the slightest clue that dedicated nailed-up circuits (such as PtP T1's) never see a switch. That data is split/multiplexed out of the fiber and handled independently of switched data. It can't be "jumped" onto another circuit, or have some "magic packet" sent to it to allow it to then connect itself to another circuit or timeslot. Hence the term "nailed-up". Even frame relay is external to the switched voice network for the most part.
What is quite possibly vulnerable is the internal IP (ie computer) network of a particular phone company, or possibly dialup administration modems connected to craft interfaces on various bits of telco gear. But cracking a single telco or exchange and using it as the source of a massive nationwide DoS attack on other carriers isn't going to happen anytime soon.
What's far more likely is a very low-tech attack on the physical infrastructure. Even with redundant facility (logical, physical, and route), there always comes a point in a network that a single "failure point" can bite you. It only depends on how fine-grained your idea of "single point" is.
As far as DoS'ing a "router", how exactly is that different than what happens to routers now? Happens all the time now, so what else is new?
You are vastly oversimplifying the concept of a timing source.
A true reference clock takes a number of inputs, GPS being a less desired form. Almost all of the major carriers also include an atomic clock as part of their reference.
The military pioneered the design of insane consistency when it comes to reference clock signals, with entire 1000+ page documents describing the various levels of reliability and consistency and the proper combination of all sorts of timing sources from GPS to atomic clocks.
The phone networks will not go down if GPS does.
I'm a Sr. Technical Manager with a BIG phone company. While I agree that the protocols involved in telephony (SS7 and IP) are insecure, it is VERY difficult to get into our infrastructure. All signaling rides on our own pipe and it is in NO WAY attached, F/W or gateway, onto the internet. SS7 is used for call setup and services. It only exists between CO and CO. There is no way an outsider could tap it. IP is ONLY used for provisioning and maintenance. Even if you got onto the Central Office IP network, you could do nothing. SS7 is a very flat and complex protocol. Script kiddies would pull out every strand of their hair before they figure out SS7 and its various operations. We have a very extensive surveillance system from Agilent called AcceSS7. Let's put it this way: if you are doing toll fraud or anything you should not be doing, we'll see it.
What bothers me is the future of telephony. Our switches (5ESS, DMS-100, EWSD) are approaching end of life and will eventually (5 years) be replaced by soft switches, media gateways, gateway controllers and the likes of VoIP, RTP, SIP, H.323, etc. The signaling will be not only within the CO but also to the end station. This will be a security architecture nightmare... Just my $.02
I work for a telco and our security is terrible. The only time something gets replaced is when you can no longer get parts. Most of the hardware-switched stuff like actual line circuits is in good shape, but someone could cause lots of bad things to happen having access to billing and switching servers. The stuff that actually sends commands to those switches telling them what to do!