Telco Networks Open to Attack?
Cally writes: "This post to NANOG summarises Dave Henderson's paper (.ppt: HTML in Google cache, grep for 'Now Really Public') from the Internetwork Interoperability Test Coordination Committee, about the state of security in the public switched (telephone) network: wide open and "very fragile with a tremendous number of vulnerabilities". Apparently, there's $12b in fraud per year, growing interest from blackhat groups, and more, better, intruder tools. We often hear talk of "information warfare attacks that could result in the draining of bank reserves and the cutting off of power sources" from budget-and-PR hungry, but clue-light, politicians and wonks these days. When an experienced engineer uses such language, it's more worrying." We've also had submissions of this AP article speculating about viruses hitting mobile phones.
With poorly implemented user rights and security. Users have the right to be billed, and administrators have the rights to change anything, and there is (almost) nothing in between.
Any LAN administrator oversees a more balanced approach, e.g., preventing most users with rights to clear the print queue from deleting all printer software, or deleting anything else. Until SS7's security is better implemented, abuse will be rampant.
-Nathaniel
This appears to be just another indication that the formerly monolithic telecommunications system in the USA is continuing its slow collapse into anarchy. The system has been jettisoning its research, engineering and operations expertise for decades. The former Bell companies are following the example of American rail and steel companies: milk the system for cash and let the infrastructure rot in place.
Mea navis aericumbens anguillis abundat
At the local level, your phone is switched by your neighborhood central office, which is basically a small building filled with relays (or nowadays, digital switching equipment). The most striking thing about COs is the battery room. They have racks upon racks of batteries that are constantly charged, and can provide power to run the CO at full load for roughly 12 hours. COs also have 2 diesel generators to recharge the batteries and enough fuel onsite to run the generators continuously for 2+ days.
Think about it: how often has your phone gone out? And when it has, how often was your neighbor's phone out also? Remember, the phone system keeps working even when the power is out.
The physical infrastructure is the most important layer. Everything else can be fixed relatively quickly in the event of an attack (DOS). It's trivial to sever a carrier from your network, but it's a major undertaking to replace physical infrastructure. As long as that is redundant, and relatively secure, your phones aren't going to stop working any time soon.
Let's take Bellsouth for an example.
Someone overseas wants to knock out 99.9% of our communication. Let's say... Russia, or Pakistan. All they would have to do is either cut the phiber backbones, or D.D.o.S the HELL out of the switches, or routers that ran the voice, or IP circuits. It isn't that complicated, provided you have the bandwidth. If one Bell company, like Bellsouth, was affected, then ALL the states under that region would fall under this attack, and every phone would be out.
The amount of bandwidth you would need would almost be ludicrous, probably up around in the GB range if you had enough machines taken over. Bellsouth's main backbone is slightly over 12 gigabits from what I understand. (I heard this somewhere).
It would not take much of a blow to knock out SWBell, or Bell$outh. Remember the M$ attack? The one where the guy aimed his tools at their routers? That was a full blown good, thought out, and planned attack. Let's apply the same to the Bells. More people would be affected. If all 4 baby Hells were brought to their knees, then maybe our senators would think twice before giving these idiots total control, and pass more laws in favor of joe user/admin/ISP. Why would they reconsider? Because they couldn't call Hollywood and ask for their paycheck, so THEN they would get pissed.
--------------------------
Is this a sig?
--------------------------
Point 1: When a telco person says "switch", it means something totally different than what a data person means when they say "switch". This is a persistent annoyance.
You can't simply packet an ESS out of existence, because it doesn't know what a packet is. It's not connected to the internet. There are SS7 signaling links and X.25 control links, and maybe a few IP control links if you're lucky. None of them are connected to the internet. Your phone line is payload, not control.
Exactly how do you propose to access the switch in order to DoS it? There are switch dialins, but most are pretty secure, and good luck finding them. You're planning to do a lot of wardialing first?
Point 2: Telcos lie about bandwidth. When someone says they have a 10 Gigabit backbone, it means they own a couple OC192 circuits. Most of the channels in those circuits are probably not filled.
That's like saying I can move a thousand shipping containers a day, because there's a large river between me and my destination, and seaports at each end. Never mind that I don't own any ships!
An OC192 circuit, for instance, can carry four OC48 signals, or 16 OC12 signals, or a mix thereof. Anything that adds up to 192 STS-1 payload envelopes, or equivalent concatenated payloads. You get the idea. Chances are, they're carrying one or two OC48s on the thing, and the rest is for future expansion. Each of those OC48s in turn is probably only 70% full.
You are correct about the vulnerability due to telecom's dependence on the GPS system. If the GPS network over the US were to go down, it would cause a lot of problems, but it would not crash the entire phone system nationwide. Many central offices, at least the larger ones, have a cesium clock for timing purposes (I'm an engineer at one of the big 4 telecoms and I'm very familiar with our BITS standards). These can go weeks without a slip but eventually they will start to lose sync. Sites that have only stratum 3 backups are few and far between. Almost all sites that rely on GPS timing have at least a stratum 1 backup. From what I know of my company's and the others' SOPs, the industry operates on the belief that if the GPS network goes, we expect it to be back up before the cesium clocks would begin to slip. Stratum 1 can go for a few days, so it would be my estimate that we would encounter problems with the phone networks, major disruptions would be avoided if GPS can be restored within a week. I believe that this theory follows the line of thought that if the GPS network is down for longer than that, something nearly catastrophic would have to have happened...something so bad that having the phones screwed up would be the least of the country's problems. If something were to happen that takes out GPS sats, it would almost certainly take out a lot of other satellites. Now THAT would really screw us. If you remember what happened in the summer of 1998 when just one communication satellite went down, then you know what I mean. Almost all ATM and credit card transactions, as well as a lot of pagers (mine included) came to a screeching halt. Take out GPS and a dozen other satellites and things get really scary.
Today, we can choose from a bewildering array of "services", most of which we don't need, that appear to have a lower unit price but which after fees, surcharges, fees on fees, fees on surcharges, and opportunity costs of fighting through your bill (we have a full-time person doing that now) generally turn out to be more expensive than they were in 1970. And we receive these services from organizations which are not only just as arrogant as the Bell companies of 1970, but which often don't even bother to answer their phones and which can't find a person to fix your problem even when they do bother to answer. And which also tend to disappear overnight, taking your wonderful "services" with them.
And, of course, the old Bell companies are still there (dealt with Verizon lately?), as arrogant and as profitable as ever.
Now what was that "progress" you mentioned?
sPh
Agreed 100%. I'm a former telco engineer now in the ISP world. It's funny to see how many Slashdot groupies and script kiddies think the telco infrastructure is going to crumble tomorrow to IP. I agree completely that the old one trunk, one call paradigm has a limited lifespan, but the IP world is built on a very weak foundation. ISPs and the IP networking world in general have a lot to learn about building mission-critical systems, testing, and offering services that actually work. (Case in point, how many telco switches crashed on 9/11 versus websites and ISP infrastructure?)
As for the SS7 security posts, SS7 is no more vulnerable than BGP, and it operates on basically the same principle as trusting your neighbor.
The IP world is basically one big cluster f*ck that somehow works. The telcos are big, clumsy, and slow to implement new technology, but they're that way for a reason. God help us when your telephone service depends on cron jobs and BIND.
My life's goal is to get a score of +3!
Security is never a concern for developers, but it better be for the operations group. Anyone can put in a node, but someone has to feed and water it while it's in production. We have teams that do this on a daily basis, more proactive than reactive; if you just sit by and wait for alarms, you can expect an alarm "You've been hacked..."
BTW, I have to make sure my patches are up to date, and do regular security audits. But I'm doing 2G/3G data, which is a little different from voice. Though in the 3G voice/data world, it has more interdependencies than 2G.
I don't buy that. 12 billion in fraud? No.
Maybe I would feel a little more compassionate for these companies were it not for the *many* times they have ripped me off, overcharged me, pretended to offer a special deal that they would only uphold if you called them up and complained about not getting what you were promised.
I say screw the phone co's and all other companies that have similar slimy practices. Good for those that have ripped them off for 12B. VOIP anyone... there are still companies out there that, even though they have shitty executives, (www.quicknet.net) are offering VOIP services at affordable rates.